PERSONAL DATA PROTECTION BILL, 2019: THE DRIVING OBJECTIVE
Updated: Jun 14, 2021
Data privacy, one of the most important issues facing the technology-laden digital world of the twenty-first century, has gained much currency the world over, and about 107 countries have already legislated some form of law in this respect. The Asia-Pacific region, having 60 countries, has about 27 such legislations, an implementation rate of 45% in the APAC region.[i] This, however, is less than half of the implementation rate in Europe.[ii] Nonetheless, a majority of the economies are catching up fast on devising local regulatory frameworks for protecting data privacy and security, India being one of them.
India is one of the latest entrants in the data protection arena with the Personal Data Protection Bill, 2019 [hereinafter ‘PDP Bill’] having already been introduced in the Parliament by the Ministry of Electronics and Information Technology [hereinafter ‘MeitY’]. The Bill, governing the collection, storage and processing of personal data by public and private entities, however, has been referred to a Joint Parliamentary Committee for detailed examination before being tabled before the Lok Sabha. At this stage it would be appropriate to understand what comprises ‘personal data’ and ‘non-personal data’ and have a brief insight into the PDP Bill.
II. Personal Data versus Non-Personal Data
Data may broadly be categorized into two categories: (a) personal, and (b) non-personal data. Personal data relates to characteristics, traits or attributes of identity, which can be used to identify an individual.[iii] Non-personal data, on the other hand, includes aggregated data through which individuals cannot be identified.[iv]
To understand the difference let us consider the following example – mobile location of one individual would constitute personal data whereas the information derived from the mobile locations of multiple drivers, for analysing traffic flow, constitutes non-personal data.
III. The Personal Data Protection Bill, 2019: A Brief Insight
The PDP Bill essentially proposes to protect ‘personal data’. It also seeks to protect ‘sensitive personal data’ such as financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe and religious or political beliefs.[v]
For the purposes of protection of ‘personal data’ and ‘sensitive personal data’, the Bill proposes a scheme which may broadly be characterized under the following heads:
1. Application clause of the PDP Bill[vi]
Clause 2 of the PDP Bill mandates regulation of the processing of personal data, which has been collected, shared, disclosed, or otherwise processed in the territory of India, by the following:
(a) Indian government, citizen, company, or any person or body of persons that has been duly incorporated within the territory of India; and
(b) any foreign entity which is engaged in the processing of personal data in the territory of India.
The PDP Bill, however, does not extend to the processing of anonymized data, other than such anonymized or other non-personal data which is intended to allow the Central Government to better target service delivery or devise evidence-based policies and strategies.[vii]
2. Obligations of Data Fiduciaries[viii]
Data fiduciaries are obligated to process personal data only for specified, clear and lawful purposes, and subject to collection and storage limitations. Clauses 4 to 11 of the PDP Bill deal with the obligations of Data Fiduciaries. These obligations are listed below:
(a) only such personal data may be collected as is required for the purposes of processing;
(b) mandatory prior notice has to be served upon individual(s)/data principal(s) informing them of collection or processing of personal data;
(c) retention of personal data is limited to the time required to process it and for the limited purpose it was collected. At the end of the processing, all such personal data has to be deleted;
(d) free consent has to be taken from the data principal at the commencement of data processing;
(e) it is mandatory for the data fiduciary to verify the age of the user. In case the user is a minor, the data fiduciary is required to obtain parental consent for processing sensitive personal data of such minors.
Over and above these, data fiduciaries are under an obligation to undertake certain transparency and accountability measures.[ix] Clauses 22 to 32 of the PDP Bill deal with such transparency and accountability measures, which are briefly summarized below:
(i) preparing a privacy by design policy and securing its certification;
(ii) maintaining transparency in the processing of personal and sensitive data;
(iii) ensuring that the technology used in the processing of personal data conforms to commercially accepted or certified standards;
(iv) making sure that necessary security safeguards are in place (such as data encryption to steer clear of misuse of data);
(v) making sure that necessary actions are taken in the event of a security breach, the most important being informing the Data Protection Authority [hereinafter ‘DPA’] of any breach of personal data;
(vi) auditing policies annually;
(vii) undertaking data impact assessment where significant data fiduciaries undertake data processing involving new technologies or large scale profiling or sensitive personal data;
(viii) appointing a Data Protection Officer to advise and monitor its activities; and,
(ix) instituting procedures for grievance resolution in order to remedy individual grievances.
3. Processing of Personal Data without Consent[x]
One of the very important features of the PDP Bill is that fiduciaries can process personal data only with the express consent of the data principal. Nevertheless, Clauses 12 to 15 of the PDP Bill provide for certain exceptions under which personal data may be processed without the consent of the data principal. These conditions are:
(a) if it is mandated by the State for providing benefits to individuals;
(b) if it is for the purposes of any legal proceedings;
(c) if the processing of personal data is for the purposes of responding to any medical emergency;
(d) if the processing relates to employment;
(e) if the same is for reasonable purposes such as prevention of unlawful activities (for instance fraud), mergers and acquisitions, network and information security, recovery of debt, the operation of search engines and so on.
4. Rights of Individuals or Data Principals[xi]
Under the PDP Bill, individuals (or data principals) have certain rights which are enumerated in Clauses 17 to 21. These are:
(a) the right to obtain confirmation about the processing of their personal data from the data fiduciary;
(b) the right to have their personal data updated or, in the alternative, to seek correction of incomplete and inaccurate data;
(c) the right to data portability (that is, the right to have personal data transferred to another data fiduciary in certain circumstances); and,
(d) the right to be forgotten (that is the data principal has the right to restrict continuing disclosure of one’s personal data by a fiduciary in the event it is no longer required or consent is withdrawn).
5. Data Protection Authority[xii]
To protect the interests of individuals, prevent misuse of personal data, and ensure compliance with the provisions of the Bill, as well as to promote awareness about data protection and privacy, the Bill proposes the establishment of a Data Protection Authority. Clauses 41 to 56 of the PDP Bill deal with the DPA. An appeal shall lie to an appellate tribunal against the orders of the DPA. The orders of the appellate tribunal can be challenged before the Supreme Court of India.
6. Restrictions on Data Transfer[xiii]
Clauses 33 and 34 of the PDP Bill deal with restrictions on the transfer of personal data outside India. The PDP Bill mandates that sensitive personal data be stored in India. The transfer of any sensitive personal data outside India, for the purposes of processing, shall be subject to the explicit consent of the data principal besides fulfillment of certain other additional conditions. It must be noted that any such data as may be notified by the Central Government as ‘critical personal data’ can only be processed in India.
7. Exemptions[xiv]
Clauses 35 to 40 of the PDP Bill provide for exemptions from the applicability of the law. Any agency of the government may be exempted from the applicability of the PDP Bill by the government if it is necessary for:
(a) the interest of the sovereignty and integrity of India, the security of the State, and friendly relations with foreign states,
(b) preventing incitement to the commission of any cognizable offence relating to the above matters.
The PDP Bill also exempts the applicability of the law in cases of processing of personal data under certain conditions, such as for the purposes of: (i) prevention, investigation, or prosecution of any offence; (ii) personal or domestic purposes; (iii) journalistic purposes; and, (iv) for research, archiving or statistical purpose.
8. Penalties and Compensation for Non-Compliance with the PDP Bill[xv]
Clauses 57 to 66 of the PDP Bill deal with penalties and compensation. They provide for a two-tier system of penalties and compensation. These are:
(a) failure of the data fiduciary to fulfill its obligations for data protection may be punishable with a penalty which may be to the extent of Rs. 5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.
(b) processing data in violation of the provisions of the PDP Bill is punishable with a fine of Rs.15 crores or 4% of the annual turnover of the data fiduciary, whichever is higher.
Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or with fine or with both.
IV. Present Regulation of ‘Personal Data’
While the PDP Bill proposes to regulate ‘personal data’ in a more comprehensive way, at present the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 [hereinafter ‘2011 Rules’] (enacted under the Information Technology Act, 2000 [hereinafter ‘IT Act’]) regulate the usage and transfer of personal data of citizens. The IT Act and the ancillary 2011 Rules apply only to companies and not to governments.
The existing rules hold such companies liable which are negligent in maintaining security standards while dealing with personal data besides mandating compensation to relevant data principal(s).[xvi]
The Committee of Experts under the Chairmanship of Justice B. N. Srikrishna [hereinafter ‘Expert Committee’] noted in its report that while the 2011 Rules were a novel attempt at protecting data at the time they were introduced, the pace of development of the digital economy has exposed their shortcomings.[xvii] For instance, (i) the definition of sensitive personal data under the 2011 Rules is narrow, and (ii) some of the provisions of the 2011 Rules can be overridden by contract.
Since the shortcomings of the 2011 Rules are an important driving objective behind the PDP Bill, it is now appropriate to discuss that objective in some detail.
V. The driving objective behind the PDP Bill
The growing digital footprint of individuals has led to them leaving a trail of sensitive data behind them – on the web, mobile devices, storage media and other unexpected crevices such as ambient data in IoT devices, where data might get stored without their knowledge, intent or consent. This data is at constant risk of breach, leakage and misuse, with major implications, some of which may be identity theft, harassment and extortion, financial fraud, customer loss, brand damage, and even lawsuits and fines. Under the given circumstances, not all data breaches could be appropriately handled under the existing 2011 Rules.
In the meantime, the Government of India enacted the ambitious Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 [hereinafter ‘Aadhaar Act’]. This led to the rise of apprehension in the minds of the general populace as regards the sanctity of the sensitive personal information being collected for the Aadhaar Card. The constitutional validity of the Aadhaar Act was challenged before the Supreme Court of India. However, the five judge bench referred the issue of “whether the norms for compilation of the demographic biometric data by the government violate the right to privacy” for consideration by a larger bench. The nine judge bench of the Supreme Court held in its judgment (Justice K S Puttaswamy (Retd.) and Anr. v. Union of India and Ors.[xviii]) that the right to privacy is a fundamental right within the meaning of the right to life and personal liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy.
Taking a cue from the judgment rendered by the Supreme Court, and being cognizant of the realities as well as the importance of data protection, the Government of India constituted the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna on July 31, 2017 to look into the issues of data privacy and breaches and suggest ways to march towards a safe and secure digital economy.
It was also realized that many people were not even aware of the implications of breaches of personal data – “while consuming digital media and transacting on social sites, wallets, banking apps, and e-commerce portals— the users’ typical intent is to grab the best deal, enlarge their social circle or such other things. How these digital platforms and businesses handle their data and what do they intend to do with it has largely remained an unasked question.”[xix] Another important realization was that the technological shift had made individuals even more vulnerable, and that the absence of regulation would be detrimental to the establishment of a free and ordered society, with the potential to wreak havoc. Considering all these, the Expert Committee submitted its report, along with a Draft Personal Data Protection Bill, 2018, to MeitY in July 2018.
While there were concerted efforts to have orderliness in society, the objective propelling or driving the PDP Bill is to secure digital citizens, including organizations, from data breaches as well as to penalize defaulters.
[i] Sunil Chandan, “India’s First Data Protection Bill: The Road Ahead”, The Economic Times, available at: https://cio.economictimes.indiatimes.com/news/government-policy/indias-first-data-protection-bill-the-road-ahead/72833120 (last visited on March 07, 2021).
[ii] Ibid.
[iii] See Sub Clause 28 of Clause 3 of The Personal Data Protection Bill, 2019.
[iv] “The Personal Data Protection Bill, 2019: All You Need to Know”, PRS Legislative Research, available at: https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know (last visited on March 07, 2021).
[v] See Sub Clause 36 of Clause 3 of The Personal Data Protection Bill, 2019.
[vi] See Clause 2 of The Personal Data Protection Bill, 2019.
[vii] See Sub Clause 2 of Clause 91 of The Personal Data Protection Bill, 2019.
[viii] See Chapter II of The Personal Data Protection Bill, 2019.
[ix] See Chapter VI of The Personal Data Protection Bill, 2019.
[x] See Chapter III of The Personal Data Protection Bill, 2019.
[xi] See Chapter V of The Personal Data Protection Bill, 2019.
[xii] See Chapter IX of The Personal Data Protection Bill, 2019.
[xiii] See Chapter VII of The Personal Data Protection Bill, 2019.
[xiv] See Chapter VIII of The Personal Data Protection Bill, 2019.
[xv] See Chapter XI of The Personal Data Protection Bill, 2019.
[xvi] See Sunil Chandan, Supra Note 1.
[xvii] “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, Report by the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna, p. 7, available at: https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf (last visited on March 07, 2021).
[xviii] (2017) 10 SCC 1.
[xix] See Sunil Chandan, Supra Note 1.