Our Comments to the Draft Personal Data Protection Bill, 2018 to Meity

License: The following content has been made available by us under CC-BY-SA 4.0.

Executive Summary

While we continue to refer to this as a "data protection" legislation, we must once again emphasize that the purpose is to protect people in an age of data, not to protect data for firms trading in people. The private market's unquenchable thirst for the data representing all human behavior and government's equally insatiable appetite to "attribute" every human action could, taken together, fundamentally alter all social life, obliterating what we have known as "freedom."

This is the explicit goal of the Chinese Communist Party; what we do here in India must stand in opposition to that objective, or the grandchildren of living people worldwide will grow up without liberty. The stakes could not be higher.

The Report suggests that rather than following a simplistic individual-centric account of rights, we should focus on incorporating larger interests of society for the common good of a free and fair digital economy. We strongly believe that individual rights ought to form the core of the data protection law. The goal of the framework should be to identify those rights and to provide means for their protection.

We must begin, then, from people's rights, which we must make as inalienable as our wisdom about technology allows. People must:

  • have the right to determine where and how information about themselves and their behavior is collected and stored;
  • have the right to "opt in" to all uses and transactions involving information about themselves and their behavior;
  • have the right to hold "data fiduciaries" accountable for leaks, losses, misuses and violations of their instructions concerning data about themselves and their behavior; and
  • have effective and deterrent remedies against government for the violation of their fundamental right to privacy as recognized by the Supreme Court in Puttaswamy.

From these four basic clusters of rights, which we could call for simplicity "Control, Consent, Accountability and Constitutionalism," the structure of appropriate legislation can be derived.

The principle of control means that legislation should not assume that personal information and behavioral data is located in centralized storage silos, run by government or by industry. Our legislation should take no steps, impose no regulations, that would prevent the use of Solid (https://solid.mit.edu/) or similar decentralized schemes for the storage of personal data. Where technology would allow our citizens to reinforce and protect their privacy, government may not constitutionally prohibit them from using it.

This is why comprehensive "data localization" rules cannot be consistent with fundamental rights. A citizen's right to control her data includes the right to store it all on a hard-drive in her house, or in a highly-encrypted data lockbox in Iceland, if that's what she prefers. Our goal should be to design legislation that encourages freedom, not to choose local oligopolists and despots over foreign ones.

The Bill is also bereft of some important rights such as the right to restriction of processing, right to object to processing, and right not to be subject to a decision based solely on automated processing, including profiling.

The principle of consent is not about formalities. When people opt in to the use or sale of personal information about them, or information about their behavior, education of two kinds occurs. Consent must be 'informed', so that people can learn over the course of their lives how to adopt rules of secrecy and disclosure which suit their individual needs. Legislation implementing the principle of consent must begin from the perspective of the individual: Is she being told what she needs to know, in a form she can understand, in order to make the choices she is responsible for making?

The principle of accountability means that the word "fiduciary" is not distorted when it is prefaced by the word "data." Real fiduciaries are responsible for informing their principals promptly of what most concerns them, and for protecting them from foreseeable and contingent harms. Data fiduciaries should therefore be held strictly responsible for informing individual data subjects in the event of leaks, misuses, and violations of instructions. They should be required either to bond themselves or to provide insurance for their principals, the data subjects, to protect them against the risks which data fiduciaries, as a class, can better protect against than the subjects themselves.

The keystone of implementation in the protection of people's rights over data is simplicity of process. Complexity of compliance and rigidity of enforcement structures ensure that promises made to the ear will be broken to the hope. Legislation should require of individual data subjects nothing by way of formalities that the man or woman in the street cannot understand and activate. It should require of data fiduciaries nothing that a small business cannot perform as easily as a large one. Otherwise 'data protection' law becomes platform protection law, an anti-competitive burden on upstart enterprises that cannot afford the compliance bureaucracies of the oligopolies.

Last but certainly not least, the principle of constitutionalism requires that state surveillance mechanisms be made fully subject to the rule of law. The current draft's section 98 envisions a range of bases for government 'directions' on policy matters, amounting to a right of discretionary restructuring of privacy rights that is readily convertible into digital despotism, such as that coming into existence in China. Legislation must ensure that all such "directions" are fully justiciable.

List of our Recommendations

  • The Bill should incorporate a rights based approach, instead of the current harm based regime. Since the Supreme Court in India has declared the right to informational privacy as a fundamental right in KS Puttaswamy vs. Union of India, the Bill should use appropriate language in line with the protection of that right.
  • The definition of harm as per Section 3(21) of the Bill should also include – infringement of the right to privacy.
  • The bill should clearly mention that ownership of data lies with the data principal and not with the data fiduciary.
  • The Bill, currently offers data principals granular control (through the notice and consent regime) only over sensitive personal data and not personal data. We recommend that such control should be provided to data principals for all personal data and not just sensitive personal data.
  • The provision for strict parental consent should be removed and the onus of protecting the personal data of children should be transferred to data fiduciaries by restricting them from activities such as - profiling, tracking, behavioural monitoring, ad targeting and other activities which may cause harm to children and impinge their privacy.
  • The Bill should incorporate certain principles of data protection and privacy, such as data minimisation and proportionality, while empowering the DPAI to issue guidelines for age verification. Any mechanism of age verification should not infringe the rights of free speech and expression of children.
  • To remove ambiguity and to restrict the scope of Sections 13 and 19 (processing of personal and sensitive personal data for functions of state), an explanation may be added to the Bill to clarify the types of entities/ institutions, which are engaged in performing specific public activities, so that the scope of such an exception is restricted to organizations performing specific public functions and not to organizations which may get covered in the expansive definition of Article 12 (State) of the Indian Constitution as interpreted by the Supreme Court in its jurisprudence.
  • The Bill should incorporate the Principle of Proportionality and Legitimacy as established by the Puttaswamy judgment not just for Section 13 and 19 (processing of personal and sensitive personal data for functions of state) but wherever the State has been given exemptions/ exceptions.
  • The performance of a contract should be included in non-consensual grounds of processing in line with the GDPR. India has a robust IT and ITeS industry which will be negatively impacted by the absence of such a provision in our data protection law.
  • Along with protection of data principal rights, the Bill should specifically mention that any 'reasonable purpose' notified by the DPAI as per Section 17 of the Bill (processing of data for reasonable purposes) should not have the effect of infringing on the fundamental right of the data principal to freedom of speech and expression as guaranteed under Article 19(1)(a) of the Indian Constitution.
  • Section 32 should include an obligation on data fiduciaries, in situations where breach of personal data has the possibility of causing substantial harm, to simultaneously report such a breach to the data principal as well as the DPAI in order to protect the informational privacy of data principals. The DPAI may issue standards for the course of action to be adopted by data fiduciaries in such cases, but such a responsibility should be emanating in law.
  • The Right to be Forgotten as per Section 27 of the Bill should include the right to erasure/ deletion of personal data. A provision should be inserted in Section 27 wherein data fiduciaries are made responsible to inform other data fiduciaries or processors who are processing such personal data about the request of deletion made by the data principal.
  • Protection and Independence should be guaranteed to Data Protection Officers under the Bill in line with protection provided to similar officers in the GDPR, like - security against removal of job for performing duties and avoiding conflicts of interest between data protection officers and data fiduciaries.
  • A mandatory requirement of storing a mirror copy of all personal data by each and every data fiduciary on a server or data centre located in India, as per Section 40 of the Bill should be removed.
  • Instead of mandating the localisation of all critical personal data in India, only data pertaining to strategic governmental interest may be localised in India.
  • Consent of the data principals should be obtained before mandating the storage of a mirror copy or hard localisation of their personal data in India.
  • We recommend the setting up of special tribunals for the purpose of reviewing all surveillance or interception orders issued by a competent authority under the Bill. The tribunal has to be satisfied that any infringement of privacy of an individual is necessary, proportionate, is as per law and is being carried out to achieve a legitimate state aim - as laid down in the Puttaswamy judgment of the Supreme Court (the privacy judgment). The time period for which an interception or surveillance order is valid should be prescribed in law.
  • To ensure accountability and transparency and to balance the state's interests with the right to privacy of the data principal, we recommend that notice should be provided to the data principal after completion of the surveillance. The data principal must also have the right to challenge and seek redress against a surveillance order.
  • We recommend that the Central Government should not have the power to issue directions to the DPAI, as this shall violate the independent functioning of the Authority. In this regard, Section 98 of the Bill, should be deleted.
  • In order to remove any bias, we recommend the removal of the limitation placed upon the CJI or his/her nominee to select an expert in consultation with the Cabinet Secretary only from the list of experts that has been created by the Central Government as per Section 50(2) and 50(6). Instead of this, the selection of an expert can be left up to the CJI or his/her nominee in consultation with the Cabinet Secretary without relying on a pre-selected list of experts maintained by the Central Government.
  • In order to promote simplified, easy to understand and multi-lingual privacy policies, we recommend that the DPAI be given the power to create and publish an optional standardised privacy policy creation tool to create simplified standardised privacy policies in multiple languages by asking the data fiduciary or the data processor to fill a form with simple questions.
  • Given the importance of the independence of the DPAI and the Adjudicating Officer, it would be worth specifying the criteria for selection of an Adjudicating Officer in the Bill itself instead of leaving this to be modified easily by every Government that comes into power.
  • It is our recommendation that an independent adjudicatory wing should be established, not just at the Central level, but in a multi-tier format in line with the consumer redressal forums in the country, so that access to adjudication is not an impediment for the enforcement of the law and people have speedy recourse to redressal mechanisms.
  • Under Section 80 of the Bill, the conditions for appointment and removal of members of the Appellate Tribunal is in the hands of the Central Government. This gives disproportionate power to the Central Government to influence members of the Appellate Tribunal. The appointment of members of the Appellate Tribunal should be transparent and should not be in the hands of the Central Government. There should be judicial oversight in appointing such members to ensure their independence.
  • Currently, in the Bill, appeals from the Appellate Tribunal lie to the Supreme Court, circumventing the jurisdiction of various High Courts in the country. This is unconstitutional and the Bill should be amended to include appeals from the Appellate Tribunal to the High Courts as well.
  • We welcome the addition of criminal offences to the Bill as they can be an effective tool to ensure compliance with the law; however, certain aspects of imposing criminal liability require a closer look. The offences must be examined in order to ensure that the provisions in the Bill cannot be misused by complainants or the Executive to harass people, or to compel actions or inactions by the accused.

Harm Based Approach

The Personal Data Protection Bill, 2018 (hereinafter referred to as "Bill") establishes a harm based approach in protecting data principals from lapses by data fiduciaries while processing their personal data. Whether in cases of grievance redressal, notification of data breach or adjudication by the Adjudicating Officer, the likelihood of harm plays a key role in determining the course of action.

In cases of grievance redressal, data principals may approach data fiduciaries when harm has been caused or is likely to be caused due to any violation of any provision of the Bill. The definition of 'harm' in the Bill inter alia includes – bodily or mental injury; financial loss; loss of reputation; loss of employment; fear of being observed or surveilled and any observation or surveillance not reasonably expected by the data principal. In effect, the provision of grievance redressal places an onerous responsibility on data principals to prove the likelihood of harm for seeking redress. Harm may not always manifest in quantifiable and measurable factors as evident from its definition which includes elements such as mental injury, loss of reputation and fear of being observed or surveilled. The burden of proving such harm may have the effect of deterring data principals from actually reporting violations. The definition of harm does not contain a clause for violation of privacy and seeks to define the term through an exhaustive list leaving minimal scope for the definition to be dynamic and to incorporate changing technologies.

The definition of harm also includes - 'any observation or surveillance that is not reasonably expected by the data principal' - thereby legitimizing observation or surveillance that is reasonably expected by the data principal. What is reasonable or unreasonable observation or surveillance is not discussed or defined by the Bill, leaving such detail to be determined by data fiduciaries at the first instance of grievance redressal. In effect, if the data principal is aware that there is a possibility of observation or surveillance taking place, then such observation or surveillance would not be considered to have caused any harm under the present Bill, even if that observation or surveillance is otherwise unauthorised by any law in force at the time.

Even in the provision for notification of personal data breach, data fiduciaries are only liable to report to the DPAI when a breach is likely to cause harm to any data principal. The data fiduciary will have to inform the data principals only upon directions from the DPAI in those cases where the harm caused is severe. The Bill leaves it up to the data fiduciaries to determine whether a breach will cause harm by considering factors that cannot be quantified such as mental injury and loss of reputation, thereby leaving a wide and vague discretion in the hands of the data fiduciaries.

The Bill places a responsibility on data fiduciaries to report data breaches only to the DPAI and not to data principals at the first instance. As a result of this, harm can be caused to data principals in India that would not have been caused to them if they were located in Europe. As per the European Union's General Data Protection Regulation (hereinafter referred to as 'GDPR'), data subjects (data principals) have to be informed 'without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.'

According to Section 74 of the Bill, even when adjudicating officers are determining the imposition of penalty on data fiduciaries, they are required to ascertain the 'level of harm suffered by them' and the 'action taken by data fiduciaries to mitigate the harm suffered by data principals.'

The problem with establishing a harm based data protection regime, wherein harm is defined through an exhaustive list, instead of a rights based regime is that there may be certain circumstances where the harm caused does not manifest itself as per the definition, causing duress to data principals and leaving them with no redressal mechanisms. For comparison, in contrast to the Bill, the GDPR uses the language 'severity/ risks for the rights and freedoms of natural persons' whether it is imposing restrictions on data principles, responsibilities on data controllers, or security procedures for the protection of personal data, or even when it requires notification of data subjects about data breaches. In all these circumstances the GDPR places the onus on data controllers to ensure that any processing of personal data shall not negatively affect the overall rights and freedoms of the data subjects.

We recommend that the Bill should incorporate a rights based approach. Since the Supreme Court in India has declared the right to informational privacy as a fundamental right in KS Puttaswamy vs. Union of India the Bill should use appropriate language in line with the protection of that right. Without prejudice to this recommendation, if the Bill continues to use the harm based approach, then the definition of harm should also include infringement of the right to privacy. Section 4 of the Bill discusses 'fair and reasonable processing' and places a responsibility on data fiduciaries to process personal data in a manner which respects the privacy of data principals. To place emphasis, add more clarity, and tie in this clause with provisions of grievance redressal, breach notification and adjudication, this protection of privacy clause should be included in the definition of harm.


Data Principal and Data Fiduciary

In the Bill, 'Data Principal' has been defined as a natural person whose personal data is in question whereas 'Data Fiduciary' is a person or entity collecting and processing that data. The Bill has not specified who will be the owner of the data. A member of the Committee later clarified that the individual is not the owner of the data as data ownership will open the floodgates for its alienation. We do not agree with this reasoning and firmly believe that ownership of data should lie with the data principal, as it is data that concerns that data principal and data that can harm the data principal. The data principal lies at the core of the entire privacy and data protection narrative and it is her privacy concerns which the Bill aims to address. This is in consonance with the Puttaswamy judgment wherein it was held that every individual has the right to informational privacy. The Bill seems to create a false dichotomy between ownership of data and rights over it. Ownership of data and exercising rights over it cannot be separated and have to be understood in conjunction: having legal rights as well as complete control over the data. In fact, TRAI in its report had recommended that ownership of data must rest with the individual.

In this light, we recommend that the bill clearly mention that ownership of data lies with the data principal and not with the data fiduciary.


'Notice and Consent' regime

The Bill requires that data fiduciaries provide notices in a clear and concise manner that is easily comprehensible. However, it enumerates an exhaustive list of details to be provided in the notice for it to be valid as per law. The Bill empowers the DPAI to prescribe model forms, add details and provide any guidance relating to the requirement of notice. But since an effective notice regime operationalises consent, it is important that the Bill provide guidelines for the DPAI to ensure that notices are clear, concise and easily comprehensible.

To tackle the issue of complex notices and resultant consent fatigue, our recommendation is for notices to be layered, i.e. the first layer may contain a condensed form of the actual notice, while the second layer should delineate the full text of the notice. The Working Party 29 explains that the use of a layered privacy statement/ notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues.[1] The layered notice should contain: purpose of processing personal information; period for processing and retention of the personal information; rights and obligations of data subjects and how to exercise the rights; and grievance redressal mechanism.

The Bill also establishes separate standards for the processing of personal and sensitive personal data. We recommend that these standards should be uniform and not based on different categories of personal data. This is important given that the sensitivity of data is heavily contextual and modern data aggregation technologies are capable of revealing sensitive information from the processing of seemingly non-sensitive personal data.[2] Even seemingly anonymized data can be used to re-identify people, as shown by researchers from the University of Texas, who used an anonymized data set released by Netflix and showed that it is possible to re-identify a Netflix user from the data set.[3]

The Report places substantive obligations on data fiduciaries by ensuring that the notice given to data principals includes information on "requisite granularity thereby allowing data principals to access services without necessarily consenting to all or nothing." Such granularity is incorporated in the Bill for sensitive personal data but does not exist for processing of personal data.

We recommend that granular control should be extended to personal data as well. Data which are essential and necessary for processing to deliver certain end-results (such as collection of location data for a navigation tool) may continue to be mandatory, but for non-essential data, users should have control over its collection (such as access to a microphone for a navigation tool). This, along with implementing the principle of 'purpose limitation', will restrict data fiduciaries to collecting only the personal data which is absolutely essential for the purpose of such collection. A notice must also clearly notify individuals how to opt out of automated collection of personal data.

Processing of Personal and Sensitive Personal Data of Children

The Report acknowledges that a strict parental consent model may fail as it will encourage the practice of lying, but it envisages a regulatory model for effectively obtaining parental consent through Codes of Practice instituted by the DPAI.[4] Even the white paper discusses that "relying solely on parental consent for all children below the age of majority might have a chilling effect on the child's opportunity to freely use the Internet as a medium of self-expression, growth and education."[5]

The mandatory requirement of parental consent will be prone to circumvention and will take away the seriousness of the choice made by parents. In the unique social fabric of India, often, parents are less informed than children about the digital world. The Report recognizes these lacunae in the parental consent model and states that the proposed regulatory framework is not closed to incorporating improvements in the parental authorisation regime and for also providing flexibility in the development of the law to keep pace with technological advancements.

Milda Macenaite and Eleni Kosta of the Tilburg Institute for Law, Technology and Society (Netherlands) in their paper titled 'Consent for processing children's personal data in the EU: following in US footsteps?'[6] comment that parental consent does not necessarily mean an increased protection of personal data for children. They state that especially in terms of children's use of digital services, consent can hardly be considered freely given when refusal to consent may lead to social exclusion, given that important online services have no real alternatives. The Bill establishes a strict parental consent requirement for processing of personal data of children; Milda Macenaite and Eleni Kosta argue that such a mandatory parental consent requirement will lead to consent fatigue among parents and can make the entire parental consent provision illusory.

Owing to the issues associated with norms of parental consent for securing children's personal data, the onus of such protection should be transferred from parents to data fiduciaries, by restricting certain types of data processing.[7] All data fiduciaries, who process personal data of children should be barred from engaging in activities such as profiling, tracking, behavioural monitoring, ad targeting and other activities which may cause significant harm to the child. Currently, such a provision only exists for guardian data fiduciaries in the Bill, as per Section 23(5).

Apart from the parental consent regime, the Bill also requires data fiduciaries to incorporate appropriate age verification mechanisms while processing the personal data of children. The Bill does not delve into the details of how data fiduciaries may verify age and empowers the DPAI to issue codes of practice in this context. Looking at various age verification models used in the EU and US and learning from their errors, the Bill should incorporate certain principles for age verification and not delegate all responsibility to the DPAI in this regard.

"In the EU, several national age verification schemes using personal ID numbers have been facing shortcomings in terms of adequate enforcement, disproportionate data collection, and usability. In Germany, an attempt to use an age verification system based on the identity card or passport number coupled with the postal code of the city of its issuance has been declared by the German Federal Supreme Court as an effective barrier to prevent minors from accessing online age-restricted content. In Belgium, the kids-ID card has been used as an online identification and age verification tool, however it has been criticised to be intrusive and disproportionate due to the use of the National Registry identification number embedded in the eID card revealing the date of birth and the gender of the child. In the US, as mentioned above, COPPA relies on users' self-assertion of their age which, as a method, is as easy to use as it is to circumvent. Children may often not be genuine in registering, use personal data that may not belong to them, and circumvent the age gating systems."[8]

Age verification models should be in accordance with principles of data protection and privacy, like data minimisation and proportionality; and should not infringe the rights of free speech and expression of children.

It is our recommendation that the provision for strict parental consent should be removed and the onus of protecting the personal data of children should be transferred to data fiduciaries by restricting them from activities such as profiling, tracking, behavioural monitoring, ad targeting and other activities which may cause harm to children and impinge their privacy. Without prejudice to our preceding recommendation, if parental consent continues to remain as a mode of authorization then a sliding scale model of parental consent (i.e. different degrees of parental consent for different types of data processing) may be adopted as is present in the Bill for determining the appropriateness of an age verification mechanism as per Section 23(3).

Our recommendation for establishing age verification mechanisms is that the Bill should incorporate certain principles of data protection and privacy, such as data minimisation and proportionality, while empowering the DPAI to issue guidelines for age verification. Any mechanism of age verification should not infringe the rights of free speech and expression of children.

Non-Consensual Processing of Personal Data

The exceptions in Sections 13 and 19 (processing of personal and sensitive personal data for functions of the State) are widely worded and do not incorporate the test of 'Proportionality and Legitimacy' as laid down in the Puttaswamy judgment for the invasion of privacy by the State. Section 13(1) states that 'Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature'. The Bill does not define or explain the specific functions of legislatures to which this provision applies, keeping it wide and ambiguous.

Similarly, the Bill does not define 'service or benefit' in Section 13(2) and exempts obtaining of consent from data principals where the State under the law is providing such service or benefit. As Section 13 and 19 authorize the Aadhaar scheme, it is important to note that the Aadhaar Act, 2016 gives power to the Central Govt. to notify additional categories of benefits and services as it deems fit. Reading the Bill and the Aadhaar Act in conjunction, the State may process the personal data of data principals for a wide array of activities without obtaining the consent of such data principals.

Both provisions 13(1) and (2) use the word 'necessary' (13(2) also restricts its scope to functions of the State authorised by law), but the Bill does not provide for safeguards in case of misuse or abuse of such power given to the State.

The KS Puttaswamy v. Union of India judgment[9] (the privacy judgment) laid down the test of 'necessity, legality and proportionality.' The principles of proportionality, legality and necessity were also recognized by the A.P. Shah Committee for exceptions to be valid under the right to privacy. Sections 13 and 19 do not incorporate this test in its entirety. The Report makes it clear that "the term 'necessary' would mean that the processing should be targeted and proportionate to the purpose." The Report also states that, "A large part of the functioning of various departments of Government may be indirectly or remotely connected to the promotion of public welfare or regulatory functions. The ground cannot be used to justify the processing of personal data for all such functions. For functions not covered under this ground, the State, like other private actors, must rely on consent as the ground for processing personal data." By stating this key rider, the Report has restricted the applicability of Section 13 to those government bodies which directly perform functions of providing service or benefit to data principals, removing some ambiguity. However, Sections 13 and 19 of the Bill neither satisfy this recommendation nor satisfy the conditions laid down in the privacy judgment delivered in the case of K.S. Puttaswamy.

The Bill defines the State to have the same meaning as assigned to it under Article 12 of the Constitution. The Report makes it clear that this also includes 'other authorities' as given under Article 12 of the Constitution. A reading of the Report provides additional clarity, as it suggests that a variety of entities and institutions might fall under the definition of State as per Article 12 of the Constitution.

It is our recommendation that, to remove ambiguity and to restrict the scope of Sections 13 and 19, an explanation be added to the Bill to clarify the types of entities/institutions which are engaged in performing specific public functions.

We also recommend that the Bill incorporate the principles of proportionality and legitimacy as established by the Puttaswamy judgment not just for Sections 13 and 19 but wherever the State has been given exemptions/exceptions.

We recommend that the performance of a contract should be included in non-consensual grounds of processing in line with the GDPR. India has a robust IT and ITeS industry which will be negatively impacted by the absence of such a provision in our data protection law.

Processing for 'Reasonable Purposes'

The Bill empowers the DPAI to specify additional grounds of processing for certain 'reasonable purposes' for the processing of personal data. This provision gives broad powers to the DPAI to notify categories of activities where the requirement of consent will not apply. The Report argues that "relying on consent in certain circumstances may hinder the evolution of new technologies relying on data analytics, which may hold significant benefits." It also states that "Regardless of the scope of processing, the fundamental rights of data principals should be balanced with the interests of the data fiduciary."

This category covers 'processing of publicly available personal data', effectively carving out an exception for personal data published online on social media platforms. The Bill and the Report have left it to the DPAI to lay down appropriate safeguards to ensure the protection of the rights of data principals while specifying reasonable purposes. Neither the Report nor the Bill provides appropriate guidelines for determining what these 'appropriate safeguards' shall be. The right to free speech and the right to privacy should not be undermined by the DPAI while framing these 'reasonable purposes'.

It is our recommendation that along with protection of data principal rights, the Bill specifically mention that any 'reasonable purpose' notified by the DPAI under this provision should not have the effect of infringing on the fundamental right of the data principal to freedom of speech and expression as guaranteed under Article 19(1)(a) of the Indian Constitution.

Personal Data Breach Notification

Section 32 of the Bill places on data fiduciaries the responsibility of notifying personal data breaches to the DPAI (when such a breach is likely to cause harm to any data principal). Data fiduciaries are not liable to report breaches directly to data principals; only where the DPAI ascertains that a particular breach has resulted or will result in severe harm to the data principal, or where the data principals need to take some action to mitigate such harm, will it direct the data fiduciaries to notify the breach to affected data principals. This effectively takes away the right of data principals to be informed about unauthorised access to their personal data and leaves it to the sole discretion of the DPAI to determine whether data principals are notified. It further causes unnecessary delay in data principals being informed when the data breach is likely to result in severe harm. The Report mentions that such a clause exists even in the GDPR (Article 33 of the GDPR) and has been incorporated to protect against the adverse publicity, and the resulting disincentive to report breach incidents, that would follow from direct notification to individuals. However, as per Article 34 of the GDPR (Communication of a personal data breach to the data subject), in cases resulting in high risk to the rights and freedoms of persons, personal data breaches are to be notified to data subjects without undue delay; no such provision exists in the Indian Bill.

For example, in cases of breach of financial data, where consumers might have an immediate interest in being informed about a compromise of their sensitive personal data, the data fiduciaries should have an obligation to directly inform data principals about the leak of such information. If the credit card information of a data subject is breached, then in the European Union the data controller (data fiduciary) would be required to provide information regarding the breach to the data subject without undue delay. However, in the same situation in India, the data fiduciary would only have to inform the DPAI. It is only upon a direction from the DPAI that the data fiduciary would have to inform the data principal that such a breach has occurred. This would cause undue delay, thereby increasing the likelihood of further harm to the data principal.

It is our recommendation that Section 32 should include an obligation on data fiduciaries, in situations where a breach of personal data has the possibility of causing substantial harm, to report such a breach simultaneously to the data principal and the DPAI in order to protect the informational privacy of data principals. The DPAI may issue standards for the course of action to be adopted by data fiduciaries in such cases, but the responsibility itself should emanate from the law.

Right to be Forgotten

Certain handicaps have been imposed on the exercise of the right to be forgotten. The Committee is of the view that the right to privacy of data principals needs to be balanced with the rights of the data fiduciary and the common good of the people. It suggests conducting a 'balancing test' in this situation. In order to exercise this right, the data principal must first file an application in the prescribed manner to the Adjudicating Officer. The power given to the Adjudicating Officer (appointed by the Central Government) to carry out the 'balancing test' itself leads to a conflict of interest in situations where a restriction is sought by a data principal on the processing and sharing of data by the State.

The Committee gives weight to freedom of the press, freedom of speech and the right to information of the public at large while conducting the 'balancing test'. It has listed five criteria which could be used in this test: the sensitivity of the personal data; the scale of disclosure or degree of accessibility sought to be restricted; the role of the data principal in public life; the relevance of the personal data to the public; and the nature of the disclosure and the activities of the data fiduciary. We also believe, learning from examples from Europe, that the right to be forgotten should not be an absolute right and that its application should not violate the fundamental right to free speech and expression and the right to information of the public.

When comparing the right to be forgotten as proposed in the Bill with Article 17 of the GDPR, which provides for a Right to Erasure ('right to be forgotten'), it emerges that Section 27 of the Bill does not provide for a right to erasure of data but only a right to restrict or prevent disclosure of personal data, and also provides for a process of review of the Adjudicating Officer's order for non-disclosure of personal data. In the context of the right to be forgotten, the GDPR also imposes an obligation on data controllers to inform other controllers who are processing such personal data (which has been requested to be erased) about the request for erasure. Such an obligation on data fiduciaries is missing from the Bill.

The right to informational privacy has been recognized as a facet of the fundamental right to privacy by the Supreme Court of India in its judgment in KS Puttaswamy v. Union of India[10] (the privacy judgment). Justice Chandrachud, in his opinion in the Puttaswamy judgment, also states that "Privacy also connotes a right to be left alone. Privacy safeguards individual autonomy and recognises the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy."[11] Thus, the Puttaswamy judgment legitimizes informational privacy as a fundamental right and also recognizes that privacy includes a right to be left alone. Justice Sanjay Kishan Kaul, in his opinion in the Puttaswamy case, has expressly recognized the principle of the right to be forgotten and has stated: "Thus, the European Union Regulation of 2016 has recognized what has been termed as 'the right to be forgotten'. This does not mean that all aspects of earlier existence are to be obliterated, as some may have a social ramification. If we were to recognize a similar right, it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest."[12] From the Puttaswamy judgment it is amply clear that data principals have autonomy over their personal data and can exercise control over it; this means that they may request data fiduciaries to have their personal data 'erased' and not merely prevent its disclosure (subject to the restrictions of free speech and the right to information).

Lilian Mitrou and Maria Karyda, in their paper "EU's Data Protection Reform and the right to be forgotten - A legal response to a technological challenge?"[13], argue that the right to be forgotten reflects a social value and, as an umbrella right of informational privacy, constitutes a democratic prerequisite for participation in societal life and public discourse, free from social disgust, disgrace, and public or private surveillance. They further state in their paper that "A right to be forgotten should ensure that the information which relates to an individual disappears after a certain period of time, even if the data subject does not take action or is not even aware the data was ever stored."[14] It is our recommendation that the right to be forgotten in the Bill expressly include the right to erasure/deletion of personal data, and that data fiduciaries be made responsible for informing other data fiduciaries or processors who are processing such personal data about the deletion request made by the data principal.

Data Protection Officer

The Personal Data Protection Bill, 2018 envisages a Data Protection Officer (hereinafter 'DPO') as the point person to ensure compliance of the data fiduciary with the provisions of this Act[15].

Under Section 36, the multifarious responsibilities of the DPO include advising the data fiduciary on fulfilling its data protection obligations, developing internal mechanisms based on 'Privacy by Design', and receiving grievances from data principals and raising them before the data fiduciary, among others. It entrusts the DPO with monitoring the 'personal data processing activities of the data fiduciary to ensure that such processing does not violate the provisions of this Act'[16].

Thus, the independence of the DPO is essential, considering his/her 'whistle-blowing' role and the fact that he/she would still be an employee of the data fiduciary. However, no such protection has been afforded in the Bill.

In contrast, the EU GDPR provides for an independent position for the DPO. It imposes the following obligations on the data controller and data processor:

  1. Involving DPO in all issues relating to protection of personal data;
  2. Supporting the DPO in the performance of his/her tasks, including providing the necessary resources;
  3. DPO cannot be dismissed/penalised for performance of his/her tasks;
  4. DPO shall report to the highest management level of the controller or the processor;
  5. No conflict of interest - DPO while performing his/her tasks shall not receive any instructions from data processor or controller[17].

Similar protection and independence should be afforded to the DPO under the Personal Data Protection Bill, 2018. Considering the large internet subscriber base in India, the DPAI might not be able to respond to all the grievances of data principals. As a result, the role of the DPO in strengthening internal data protection mechanisms is even more important in India than it is in the European Union. Hence, proper safeguards and authority ought to be given to the DPO to fulfil the said responsibilities.

Data Localisation

Section 40 of the Bill mandates every data fiduciary to store a serving copy of personal data in India. Besides, the Central Government shall notify categories of critical personal data that shall only be processed in India.

Section 41 imposes conditions for cross-border transfer of personal data which include standard contractual clauses, necessity, consent of data principal and intra-group schemes, among others.

The Srikrishna Committee Report discusses both the costs and the benefits of localising data within India. Our recommendations are based on a critical analysis of the arguments made by the Committee and scrutiny of the aforementioned provisions in the Bill.

Issues Involved:

Standard Contractual Clauses (SCCs)

There is a lack of clarity on the conditions for cross-border transfers of personal data under Section 41. Section 41(1)(a) allows cross-border data transfer subject to standard contractual clauses or intra-group schemes that have been approved by the DPAI. However, the Justice Srikrishna Committee has itself recognised the criticism faced by contractual clauses for not being implementable 'due to difficulty faced by data protection authorities in identifying non-compliance'[18]. Clarity and transparency on acceptable SCCs and other data transfer conditions is necessary. Further, terms like 'serving copy', and to whom such a copy should be delivered, have not been clarified.

Violative of Fundamental Principles of the Internet

The Internet by its architecture is open, unrestricted and global, and restricting the free flow of data would violate the basic principles of the 'World Wide Web'. Data localisation/mirroring is untenable in the present technological reality, with the rise in outsourcing services, ITES, disruptive utilities like cloud computing, global social media communication exchange, etc. Overarching government regulations would stifle innovation in the IT sector. Besides, there would be no cross-jurisdictional checks on surveillance and censorship, as companies would be forced to comply with government instructions[19].

Data Localisation in Other Countries

It is correct that data localisation/mirroring has been implemented in other countries. But, in the majority of cases, this has been limited to sectors like health and finance. For example:

  1. Australia: Under the Personally Controlled Electronic Health Records (PCEHR) Act, 2012, transfer of health records outside of Australia is prohibited.
  2. Canada: Two Canadian provinces, British Columbia and Nova Scotia, have enacted laws requiring that personal information held by public institutions—schools, universities, hospitals, public agencies—be stored and accessed only in Canada.

But a blanket mirroring of every type of user data, as provided under Section 40(1), would be excessive considering the costs involved and the restriction on the freedom of citizens.

Law Enforcement and Crime Investigation

User data is sometimes required by Indian law enforcement agencies for the investigation and prosecution of crimes, which may include data held by foreign companies. This is presently done by issuing summons under Section 91 of the CrPC. It is reported that nearly 46% of data requests are rejected by companies like Google[20], and localisation is suggested as a solution to this. A similar argument was put forward by the Justice Srikrishna Committee.

However, research[21] shows that data localisation would not be effective in meeting such demands. The problem is not that data is located abroad, but the procedure being followed, i.e. the MLAT, which is an 18-year-old arrangement unsuitable for present data sharing needs. Besides, there are other, more efficient alternatives for closing data sharing gaps between jurisdictions. With global developments like the Budapest Convention and other international efforts to standardise digital privacy and data sharing, data localisation requirements would become redundant.

Problems with Mutual Legal Assistance Treaty (MLAT)

MLATs allow the exchange of information and extradition requests between countries on matters related to criminal investigation and prosecution. India has signed MLATs with 39 countries, including the USA (signed in 2001, operational since 2005).

It is observed that the MLAT has outlived its utility, as it is unable to respond in a timely manner to the rising number of requests for the exchange of electronic data. It was primarily drafted to assist countries in criminal investigation matters including terrorism, narcotics, money laundering etc., and is not well suited to electronic data sharing requests.

Data Categorisation: Private companies in the US can directly accept requests for non-content data, i.e. identity information like email address, phone number, name and location. But for content data, i.e. the content of emails and personal messages, these companies require a US court order. For this, India must send a formal request under the MLAT. Sometimes data-sharing requests are refused by these companies because content data is requested directly from them[22].

Inefficiency and delays: These occur due to procedural inefficiencies, the multiplicity of authorities involved, the seeking of legal opinions, and the absence of fixed time limits. Both the MLAT and the Letter Rogatory process take nearly 6-7 months in India itself.

Data Sovereignty and Surveillance Concerns

After the Snowden revelations, governments became concerned about their domestic data being intercepted by the foreign governments hosting servers. This gave a major push to data localisation. A similar argument was made by the Justice Srikrishna Committee Report. However, there are several gaps in this argument[23]:

  1. It might be easy for super-powers like the US to gather data from foreign jurisdictions where the data protection regime is weak.
  2. With the latest malware, attacks such as DoS may occur irrespective of where the data is stored, e.g. Stuxnet on Iran's nuclear programme.
  3. While governments openly denounce foreign surveillance, they routinely share clandestinely intercepted information with each other. E.g. the Snowden revelations showed how GCHQ (UK) and the NSA (US) collaborated in sharing data.

Privacy and Security

Localised data creates a 'keeping all eggs in one basket' situation and makes user data more vulnerable to hacks[24]. Local service providers may have comparatively weaker security services, and global digital security services may not be available because of localisation requirements.

Roadblocks to Latest, Disruptive Technologies

The Justice Srikrishna Committee Report argues that localisation would promote 'building an AI ecosystem' as 'AI is heavily dependent on harnessing data'[25]. Conversely, disruptive technologies like Artificial Intelligence, Cloud services and the Internet of Things are heavily dependent on the free flow of data.

  1. Cloud Computing: Cloud services are based on the Internet's distributed infrastructure. However, 'Requirements to localize data... make it impossible for cloud service providers to take advantage of the Internet's distributed infrastructure and use sharing and obfuscation on a global scale'[26].
  2. Disrupting Economic Development: Open data flow is central to the digital economy. ITES, outsourcing services, digital businesses, e-commerce enterprises and social media are based on the free flow of data. Data localisation may put restraints on them.
  3. Internet of Things: IoT is based on emulation, deep learning and artificial intelligence. It works by connecting daily-use appliances to a central network. Devices need to be in sync with a core server to receive instructions and send back observational data. Data localisation would deny such services.
  4. Data Driven Innovation (Big Data): Data localisation would limit data collection and data sets, thus limiting the potential to conduct large-scale, cross-jurisdictional studies.

Economic Impact of Data Localisation

A study on the economic losses caused by data localisation shows a negative impact on GDP in all cases, e.g. China (-1.1%), Vietnam (-1.7%)[27]. It adds that losses in India would be 0.1% of GDP for sectoral implementation of localisation, e.g. financial data under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. But a blanket localisation would raise the economic losses eightfold[28].

An analysis of data localization laws in Russia shows losses in trade flows, businesses, the manufacturing sector and, more importantly, small IT businesses[29]. Data retention costs would be significant, as they include initial capital expenditure, maintenance of the required security level, routine hardware replacement, electricity costs etc.[30]. Moreover, unlike in France and Australia, there is no reference to subsidisation or tax breaks to compensate for the cost burden of localisation and mirroring.

Promoting Local Businesses

It is argued that localisation would promote local Indian businesses and create jobs. On the contrary, it would impose higher compliance burdens and cost overheads, especially on small businesses and startups that rely mostly on foreign servers for processing their data. They would eventually have to import hardware and servers from abroad. Besides, country-wise structuring of data would be required. This would fragment data and reduce access speeds.

Studies have shown that in India the loss per worker would be nearly 11% of the average monthly salary if data retention requirements are imposed. Besides, a considerable loss in domestic investment of 1.4% to 1.9% is also expected in India[31]. This could reduce the competitiveness of the Indian IT industry, especially when the government is pushing to promote ease of doing business.

Environmental Costs

Data centres are highly energy intensive. Specialised cooling systems are required in data centres to keep their temperatures at an optimal level. Studies suggest that data centres are presently responsible for 2% of greenhouse gas emissions[32], which is at the same level as the aviation sector. These costs would be even higher in tropical countries like India, where mean temperatures are comparatively high. Besides, proper electrical infrastructure needs to be ensured.

Data Breaches in India

The data protection landscape in India is presently at a developing stage. We are yet to notify a data encryption policy. Data breaches in India increased sevenfold in 2017 (53,000 cyber crime incidents[33]) compared to 2016. An IBM study found the cost of an average data breach to be $1.7 million for companies in India[34]. In this context, localising more data would mean higher exposure to threats.

Alternatives for Data Access

Rectifying MLAT Process

  1. Reducing delays: setting time limits at each step of the MLAT process; sending requests in electronic format.
  2. Setting standardised procedures for private companies holding user data and uniform data exchange treaties across countries to allay data localisation concerns; promoting comprehensive geographical coverage.
  3. Promoting efficient bilateral and multilateral data sharing agreements between countries to supplement MLATs.

Bilateral Data Sharing Agreements

To plug the challenges and inefficiencies posed by the MLAT process, India may supplement it with separate data sharing agreements with other countries. In 2016, the Framework for the U.S.-India Cyber Relationship was signed, which aims at real-time information sharing on cybercrime incidents.

The United States CLOUD (Clarifying Lawful Overseas Use of Data) Act, 2018

It aims to build a responsive, reciprocal scheme for data sharing which balances cross-border data distribution with national security and law enforcement needs. It enables law enforcement agencies (of the US and of parties having an agreement with the US under the CLOUD Act) to retrieve data from US tech companies, irrespective of the data being stored on foreign soil. It covers both content and non-content data.

India could sign a data sharing agreement under the CLOUD Act, 2018 after fulfilling certain eligibility conditions given under the Act, which include domestic privacy protection laws, substantive and procedural laws on cybercrime and electronic evidence, and accountability and transparency mechanisms.

Global Best Practices

EU General Data Protection Regulation

Article 45 of the GDPR provides for 'Transfers on the basis of an adequacy decision'. Transfer of personal data to a third country or international organisation may be allowed if the latter fulfils adequacy factors such as proper laws on data protection and judicial redressal, among other things.

Transfers subject to appropriate safeguards (Art 46): In the absence of an adequacy decision under Art 45, a data controller or processor may transfer data to a third country if appropriate safeguards, enforceable data subject rights and effective legal remedies are available.

India may, instead of imposing a blanket requirement of data localisation, require adequacy tests and safeguards to address data protection concerns in foreign jurisdictions.

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data[35]

Instead of restricting data flows on the premise of data protection, the OECD Guidelines provide for a well-balanced approach. Guideline No. 17 states that 'A Member country should refrain from restricting transborder flows of personal data between itself and another Member country' except in cases of disregard for data protection guidelines or legislation. Restrictions, if imposed, could only apply to specific categories of personal data for which regulations exist under domestic privacy legislation.

Most importantly, Guideline No. 18 states that 'Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection'.

Recommendations

  1. Data localisation should not be mandated, as it affects the rights of citizens and is detrimental to the industry.
  2. The Government could explore building bilateral data sharing agreements that are efficient in providing real-time information exchange on government requests while ensuring the digital rights of users.
  3. Global experience has also shown that no country has strictly implemented localisation of data. To meet privacy concerns, governments have introduced special safeguards while balancing the needs of a global, free internet. India should learn from global best practices and refrain from enacting laws and issuing executive orders mandating data localisation.
  4. In the case of data pertaining to strategic government interests, the Government could take policy decisions to store data locally.

Surveillance Reform

The Supreme Court in the Puttaswamy judgment acknowledged that the formulation of a regime for data protection is a complex exercise which needs to be undertaken by the State after a careful balancing of the requirements of privacy, coupled with the other values which the protection of data sub-serves, against the legitimate concerns of the State. National security, data mining with the object of ensuring that resources are properly deployed to legitimate beneficiaries, and the prevention and investigation of crime were considered to be legitimate aims of the State by the nine-judge bench.[36]

While the Committee has incorporated the tests laid down in the Puttaswamy judgment in Sections 42 and 43 of the Bill, there is no surveillance reform in the Bill. Even though the Report submitted by the Committee acknowledges that it is critical to ensure that the pillars of the data protection framework are not shaken by a vague and nebulous national security exception, 'national security' has not been defined in the Bill.

Any privacy law is inadequate without surveillance reform. The Report accepts that the design of the current legal framework in India is responsible for according a wide remit to intelligence and law enforcement agencies and lacks sufficient legal and procedural safeguards to protect individual civil liberties. It acknowledges that there is little oversight outside the executive to prevent the rise of a surveillance society. The Report highlights the oversight mechanisms for surveillance used in other democratic countries and mentions that "it is worthwhile to recognise that all the aforementioned jurisdictions provide some form of inter-branch oversight through a statute. Nothing similar exists in India. This is not just a gap that is deleterious in practice but, post the judgment of the Supreme Court in Puttaswamy, potentially unconstitutional." However, the draft Bill suggests no amendment to laws that allow for surveillance, such as the Indian Telegraph Act, 1885.

There is no judicial oversight prescribed with regard to the requirements under Sections 42 and 43 of the Bill, which are prone to potential misuse for the purpose of conducting surveillance. Surveillance has been carried out in India solely at the discretion of the executive. The current legal framework under the Telegraph Act, 1885 and the Information Technology Act, 2000 does not provide for judicial oversight. SFLC.in had filed RTI applications to obtain information on the tapping of telephones and monitoring of emails. The Ministry of Home Affairs, in its reply dated August 6, 2013, stated that on average 7500 to 9000 orders for interception of telephones and 300 to 500 orders for interception of emails are issued by the Central Government every month. The review mechanism, by which the tapping orders are examined by a team consisting of the Cabinet Secretary, the Secretary in the Ministry of Law Affairs and the Secretary of the Department of Telecommunications at the Centre, and a similar mechanism in the states, has in effect resulted in a system where the powers of issuing orders, execution and review are exclusively with the executive. In countries like the United States and Canada, among others, judicial review of issues touching on intelligence matters has developed into a system of oversight.

We recommend the setting up of special tribunals for the purpose of reviewing all surveillance or interception orders issued by a competent authority under the Bill. The tribunal has to be satisfied that any infringement of the privacy of an individual is necessary, proportionate, as per law and carried out to achieve a legitimate state aim, as laid down in the Puttaswamy judgment of the Supreme Court (the privacy judgment). In the Aadhaar judgment, the Supreme Court held that disclosure of information in the interest of national security cannot be faulted. However, for the determination of such an eventuality, an officer higher than the rank of Joint Secretary should be given such power. Further, in order to avoid any possible misuse, a Judicial Officer (preferably a sitting High Court Judge) should also be consulted. The time period for which an interception or surveillance order is valid should be prescribed in law.

To ensure accountability and transparency and to balance the state's interests with the right to privacy of the data principal, we recommend that notice should be provided to the data principal after completion of the surveillance. The data principal must also have the right to challenge and seek redress against a surveillance order.

Section 98

It is also worth scrutinizing Section 98 of the Bill, which deals with the power of the Central Government to issue directions in certain circumstances. The section states that the Central Government may, from time to time, issue directions on questions of policy to the DPAI as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order. This section is alarming as it gives wide discretionary powers to the Central Government and therefore has the potential to be misused by the executive, considering that there is no interpretation of the phrase "such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order." The DPAI is also bound by the directions of the Central Government, which calls into question the independence of the Authority. In the EU, the requirement for DPAs to be independent is laid down in law: Article 16(2) of the Treaty on the Functioning of the EU (TFEU) and Article 8(3) of the EU Charter of Fundamental Rights. The European Court of Justice has continually emphasized that an independent Data Protection Authority is paramount in an effective data protection framework.

In the case of Commission v. Hungary (C-288/2012), the European Court of Justice held that establishment of an independent supervisory authority is an essential component of the protection of individuals with regard to the processing of personal data. Operational independence of supervisory authorities, in that members are not bound by instructions of any kind in the performance of their duties, is an essential condition that must be met to respect the independence requirement, but this is not sufficient. The mere risk that the state could exercise political influence over decisions of a supervisory authority is enough to hinder independence.

In Schrems v. Data Protection Commissioner (C-362/14), the court held that the guarantee of a DPA's independence is intended to ensure the effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection.

We recommend that the Central Government should not have the power to issue directions to the DPAI, as this would compromise the independent functioning of the Authority. In this regard, Section 98 of the Bill should be deleted.

Data Protection Authority of India

The Bill and the Report submitted by the Srikrishna Committee suggest the creation of an independent authority. This authority would be called the Data Protection Authority of India ("the Authority"/ "DPAI"). While in theory the Authority is meant to be independent, there are certain clauses in the Bill that indicate that the Authority would not be able to carry out its functions independently.

The DPAI is meant to regulate and adjudicate upon the collection, use, transfer, sale, processing, storage and all other activities related to personal data by private parties as well as all branches of the Government. In order to do its task effectively, the Authority needs complete independence from any external influence. Following the traditional approaches to the formation and governance of an Authority or Board in India, as seen in the present Bill, would not provide this level of oversight and freedom to the Authority. The approach that has been adopted in India so far has been done keeping in mind the need for the Executive to give directions to such bodies in order to enforce the vision of the Executive. However, the primary task of an independent data protection authority is to protect the rights of people, and not to enforce the changing nature of the vision of the Executive. A stable and completely independent DPAI would not just protect the rights of people more effectively, it would also provide a stable and predictable framework for businesses to operate in India, thereby preventing unnecessary roadblocks to the development of the economy that would be caused by a DPAI that has to implement changing objectives per the policy directions of the Executive of the day. In order to create a truly independent DPAI, guidance can be taken from the structure of the Election Commission.

In our comments to the white paper, based on the selection committee for Chairperson and Members of the Competition Commission of India, we had recommended appointment of the Chairperson and other Members of the Authority by a committee consisting of:

  • The Chief Justice of India or a judge of the Supreme Court nominated by the Chief Justice of India;
  • The Secretary of the Ministry of Electronics and Information Technology (Member);
  • The Secretary of the Ministry of Law and Justice (Member); and
  • Two experts of repute who have special knowledge and professional experience.

The suggestion of involving both Ministry of Electronics and Information Technology, and Ministry of Law and Justice was made because areas of expertise of both Ministries would be required by the Members of the Authority. SFLC.in recommended two experts in the selection committee in order to balance out the presence of representatives of two Ministries. The selection committee, as it stands in the present Bill, is biased in favour of the Executive. On the surface it would appear that Section 50(2) of the Bill allows for the selection of the Chairperson and other Members of the Authority by a Committee consisting of the Chief Justice of India (CJI) or his/her nominee, the Cabinet Secretary and one expert of repute to be nominated by the CJI or his/her nominee in consultation with the Cabinet Secretary. However, as per Section 50(6), "The Central Government shall maintain a list of at least five experts". This means that the Executive has the power to curate the list of experts. The power of CJI or his/her nominee to nominate an expert in consultation with the Cabinet Secretary is limited to only those experts that have already been shortlisted by the Executive. Therefore, the Executive holds two out of three positions in the selection committee. In order to remove any bias, we recommend the removal of the limitation placed upon the CJI or his/her nominee to select an expert in consultation with the Cabinet Secretary only from the list of experts that has been created by the Central Government. Instead of this, the selection of an expert can be left up to the CJI or his/her nominee in consultation with the Cabinet Secretary without a pre-selected list of experts.

In order to promote simplified, easy to understand and multi-lingual privacy policies, we recommend that the Authority be given the power to create and publish a standardised privacy policy creation tool as recommended in our comments to the white paper. Per our idea, the Authority could create and host an open source tool for data fiduciaries and data processors to create simplified standardised privacy policies in multiple languages. This could be done by asking the data fiduciary or the data processor to fill a form with simple questions such as "What is the name of your organization?"; "Do you sell any personal data?"; "Name the organizations that you share data with"; and so on. The standardised privacy policies do not need to be made mandatory for data fiduciaries and data processors, but they would allow smaller players to easily create simplified privacy policies in multiple languages without any extra cost.

Adjudicating Officer

The Bill contains provisions to create a separate Adjudicatory Wing of the Authority. This wing, while technically a part of the Authority, would function independently of the rest of the Authority. We are troubled by the fact that the conditions for and manner of appointment of Adjudicating Officers would be decided by the Central Government. The Central Government has the power to decide the following regarding Adjudicating Officers: qualifications, manner and term of appointment, jurisdiction, procedure for carrying out an adjudication and "such other requirements as the Central Government may deem fit". This gives the Executive too much power to sway the appointment of Adjudicating Officers. In combination with the plethora of exemptions and powers in the hands of the Central Government under this Bill, this provision leaves some doubt as to whether the law would be applied to its full extent against the State.

Due to how important the independent nature of the DPAI and the Adjudicating Officer is, it would be worth specifying the criteria for selection of an Adjudicating Officer in the Bill itself instead of leaving this to be modified easily by every Government that comes into power. The need to amend an existing legislation in order to create a bias in the criteria for selection of an Adjudicating Officer would provide more public scrutiny, stability, predictability and reduced chances of influence from the Executive of the day.

It is our recommendation that an independent adjudicatory wing should be established, not just at the Central level, but in a multi-tier format in line with the consumer redressal forums in the country, so that access to adjudication is not an impediment for the enforcement of the law and people have speedy recourse to redressal mechanisms.

Appellate Tribunal

The Information Technology Act, 2000 allows for appeals against the order of a Controller of Certifying Authorities or an Adjudicating Officer to be filed at the Cyber Appellate Tribunal. The Cyber Appellate Tribunal has been dysfunctional since 2011 due to the lack of a Chairperson. Matters listed before the Cyber Appellate Tribunal have been left unresolved until the appointment of a Chairperson. There is no time limit specified in the IT Act for appointment of a Chairperson.

It is unfortunate that this issue was not resolved in the Bill while forming a new Appellate Tribunal to adjudicate on appeals from the Authority or Adjudicating Officers. There is no time limit for the appointment of the Chairperson. Formation of benches, distribution of business and transfer of cases between different benches can all be done only by the Chairperson. The absence of a Chairperson at any point in time would prove crippling to the Appellate Tribunal that would be established under this Bill, as already seen in the case of the Cyber Appellate Tribunal.

Under Section 80, the conditions for appointment and removal of members of the Appellate Tribunal are in the hands of the Central Government. This gives the Central Government disproportionate power to influence members of the Appellate Tribunal. Since doubts exist regarding the impartiality of both the Adjudicating Officers at the Data Protection Authority and the members of the Appellate Tribunal, only one step in the chain of appeals remains insulated from the influence of the Central Government: appeals arising out of decisions of the Appellate Tribunal.

Appeals from the Appellate Tribunal lie to the Supreme Court of India. This is contrary to the decision of the Hon'ble Supreme Court of India in L. Chandra Kumar v. Union of India (UOI) & Ors.[37], wherein it was held that: "... the power vested in the High Courts to exercise judicial superintendence over the decisions of all Courts and Tribunals within their respective jurisdictions is also part of the basic structure of the Constitution."

Criminal Offences

The Bill contains criminal offences punishable with three to five years' imprisonment and/or fines. All offences are cognizable and non-bailable. For comparison, the European Union's General Data Protection Regulation does not contain any clause for imprisonment. We welcome the addition of criminal offences to the Bill, as they can be an effective tool to ensure compliance with the law; however, certain aspects of imposing criminal liability require a closer look.

India has already seen the abuse of criminal provisions by those in power to harass people and to stifle freedom of speech and expression. Some provisions that have been abused and misused in such a manner in the past include Section 124A of the Indian Penal Code and Section 66A of the Information Technology Act, 2000. A closer look at the offences is required in order to ensure that the provisions in the Bill cannot be misused by complainants or the Executive in order to harass people, or compel actions or inactions by the accused.

Under the Bill, heads of government departments [Section 96] and every person in charge of, and responsible to the company for the conduct of business of the company, as well as the company itself [S. 95] would be responsible for violations of the criminal provisions. Under the present legal system in India, Sections 95(1) and 96(1) of the Bill would result in automatic arrest of the top management of an accused company, or the head of a government department or authority, during the investigation of offences. Under Section 95(2) and 96(2), they would then be required to prove that they had no knowledge of the offence or that they had exercised all due diligence to prevent the commission of the offence. This could result in unnecessary harassment of top executives of a company or the heads of government departments/authorities.


  1. https://iapp.org/media/pdf/resource_center/wp29-transparency-12-12-17.pdf

  2. Dvara Research, Response to White Paper on Data Protection, https://www.dvara.com/blog/wp-content/uploads/2018/02/Response-to-White-Paper-Public-Consultation-Dvara-Research.pdf

  3. Narayanan, A. and Shmatikov, V., Robust De-anonymization of Large Sparse Datasets, available at https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf, last accessed on Nov. 7, 2017

  4. Ibid. at p. 45 of the Report

  5. Kindly refer to the White Paper published by the Justice B.N. Srikrishna Committee at p. 86

  6. Milda Macenaite & Eleni Kosta (2017), Consent for processing children's personal data in the EU: following in US footsteps?, Information & Communications Technology Law, 26:2, 146-197, accessed on 08/10/2018, https://www.tandfonline.com/doi/full/10.1080/13600834.2017.1321096

  7. Ibid.

  8. Ibid.

  9. WP (Civil) No. 494 of 2012

  10. WP (Civil) No. 494 of 2012

  11. Kindly refer to p. 263 of Justice Chandrachud's judgment in the Puttaswamy case

  12. Kindly refer to p. 35 of Justice Sanjay Kishan Kaul's judgment in the Puttaswamy case

  13. Lilian Mitrou and Maria Karyda, EU's Data Protection Reform and the right to be forgotten: A legal response to a technological challenge?, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2165245

  14. Supra.

  15. Section 36(1)(e), The Personal Data Protection Bill, 2018

  16. Section 36(1)(b), Ibid.

  17. Article 38, The EU General Data Protection Regulation

  18. Free and Fair Digital Economy: Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, at p. 84

  19. Anupam Chander and Uyen P. Le, Data Nationalism, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2577947

  20. Supra 1, p. 90

  21. Supra 4

  22. ORF Special Report, August 2017

  23. Supra 4

  24. Supra 4

  25. Supra 1, p. 91

  26. Patrick S. Ryan, Sarah Falvey & Ronak Merchant, When the Cloud Goes Local: The Global Problem with Data Localization, Computer, Dec. 2013

  27. Matthias Bauer, Hosuk Lee-Makiyama, Erik van der Marel & Bert Verschelde, The Costs of Data Localisation: Friendly Fire on Economic Recovery, ECIPE Occasional Paper No. 03/2014

  28. Ibid.

  29. Iva Mihaylova, Could the recently enacted data localisation requirements in Russia backfire?, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2629533

  30. Ibid.

  31. The Costs of Data Localisation: Friendly Fire on Economic Recovery (ECIPE)

  32. The Guardian, How viral cat videos are warming the planet, https://www.theguardian.com/environment/2015/sep/25/server-data-centre-emissions-air-travel-web-google-facebook-greenhouse-gas

  33. The Hindu Businessline, Over 53,000 cyber security incidents observed in 2017, https://www.thehindubusinessline.com/info-tech/over-53000-cyber-security-incidents-observed-in-2017/article22705876.ece

  34. QZ India, Frequent data breaches are bleeding Indian companies, https://qz.com/india/1325647/data-breaches-cost-indian-companies-millions-of-dollars-says-ibm-study/

  35. http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#part3

  36. K.S. Puttaswamy v. Union of India

  37. (1997) 3 SCC 261