This article is written by M.Arjun, a final year student of Government Law College, Thrissur. In this article, he discusses the Data Protection Bill 2019 And Its Repercussions.
With internet penetration recording an all-time high of 58%, data has become an outright solution for most present-day problems. The world’s largest and most substantial data protection regulation, the General Data Protection Regulation (GDPR), took the European Union by storm when it came into force on May 25, 2018. Despite having the second-largest number of internet users in the world, India lacked a comprehensive data protection regulation. The need for such a regulation was addressed through the Personal Data Protection Bill 2019 (PDPB).
On July 28, 2018, the Justice Sri Krishna Committee submitted the draft of the Personal Data Protection Bill. The draft invited a lot of criticism for certain provisions such as the data localisation policy. The Bill was introduced in Parliament on December 11, 2018. Later, it was referred to the Joint Select Committee, which has to submit its report when Parliament meets for the budget session in 2020.
What is it all about?
The PDPB regulates the processing of “personal data” which is basically any data that can identify an individual. The Bill applies to any private/public body or corporation incorporated in India. It also applies to any overseas corporation dealing with personal data of Indian entities. Data, as per the Bill, should be processed in a ‘fair and reasonable’ manner. The bill also includes “sensitive personal data” which requires a more severe level of supervision and regulation. Sensitive personal data includes financial data, biometric data, data about caste, religion and political beliefs etc. The Bill grants an individual certain rights during data processing. Data fiduciaries/processors are under certain obligations to maintain definite standards for data protection. However, exemptions are provided for some entities and certain kinds of data processing.
Implications of the Bill
The Personal Data Protection Bill is expected to have great implications for data fiduciaries and data principals. A data fiduciary is an entity that collects user data, whereas data principals are the common users whose data is collected. The PDPB can have a great impact on Indian data subjects considering the amount of personal data processed on the internet. The Bill can change the way data is collected and processed throughout Indian cyberspace. From internet giants like Facebook and Amazon to a very basic blog that collects personal data, compliance with the PDPB is inevitable.
How does the PDPB affect the Data Principals?
India’s data protection regulation is expected to resolve one of India’s modern problems, i.e. coping with data leakages. The PDPB provides the basic framework for ensuring data privacy by minimising data breaches. The Constitution grants a fundamental right to privacy. Additionally, the various provisions for data protection under the Information Technology Act could not address India’s rising problems pertaining to data protection. The Bill provides various rights to data principals over their data with regard to its processing. These include:
Right to confirmation and access
The data principal has the right to know about his personal data which is processed by the data fiduciary. He is entitled to a confirmation on whether his data has already been processed or is under processing. The data principal is also empowered to obtain a summary of the processing activities undertaken by the data fiduciary. It should be noted that the information provided by the data fiduciary should be in a clear and concise form which is easy to understand.
Right to correction and erasure
The Bill entitles the data principal to seek corrections in relation to his/her personal data. This includes:
- Correction of any misleading data,
- Completion of any incomplete personal data,
- Updating of any obsolete data,
- Erasure of any data whose processing is no longer necessary.
Data fiduciaries can reject the application of the data principal on the grounds that such data is integral to processing, provided that they give a written justification for the same. If the data fiduciary rejects the application of the data principal without any reasonable justification, the data principal can dispute it. If any correction, modification or erasure is effected, the data fiduciary is under an obligation to notify the changes to all parties with whom the data has been disclosed or shared.
Right to be forgotten
This right enables the data principal to restrict or discontinue the disclosure of his personal data if such disclosure:
- Was made with consent and such consent is withdrawn,
- Is no longer necessary for the purpose for which the data was collected,
- Is contrary to any law or any provisions made under any law.
To avail of this right, the data principal has to file an application with an adjudicating officer, who shall make an order for the same.
Right to data portability
The right to data portability confers on the data principal a right to receive his personal data in a commonly used or machine-readable format when the processing is done through automated means. It also enables the data principal to transfer the personal data to a different data fiduciary. This right to transfer the data may not be available if such transfer is not technically feasible, if it reveals a trade secret of the transferor, or where processing is in compliance with law or an order of a court.
Obligations of Data Fiduciaries
The Bill imposes certain obligations on data fiduciaries in relation to the following.
The Personal Data Protection Bill mandates data fiduciaries to process personal data only for clear, specific and lawful purposes. The processing shall be done only in a fair and reasonable manner in accordance with the consent given by the data principal. When data is processed for a purpose incidental to the purpose consented to by the data principal, the data principal should reasonably be able to expect such processing in the circumstances. The Bill also directs the data fiduciary to collect only the data required for the processing.
Serving the notice
The data fiduciary is expected to serve a notice to the data principal at the time the personal data is collected. If the data has already been obtained, the data fiduciary should inform the data principal that his personal data has been collected, along with the following details:
- Purpose of collection;
- Source of collection;
- Nature and categories of data collected;
- Basis of data processing;
- Identity and contact details of the data fiduciary and Data Protection Officer, if required;
- Individuals and entities with whom the data may be shared;
- Information about cross border transfer of data;
- Information pertaining to grievance redressal;
- Any other information as specified by the regulations.
In certain circumstances, such as compliance with an order of a court or the state, medical emergencies, disasters and public order situations, data fiduciaries are not required to serve a notice.
Standards for the collected data
The data fiduciary is expected to maintain the quality of the data collected. It should take the necessary steps to maintain the correctness, completeness and accuracy of the data collected, and it shall maintain the data with a certain level of prudence. When personal data transferred to other data fiduciaries is not maintained as per these directions, the data fiduciary should inform the data principal of the same.
The Bill prohibits data fiduciaries from retaining personal data beyond the period necessary for processing. Such data should be deleted once its purpose is served. Data fiduciaries are also expected to conduct a periodic review for the same. However, data fiduciaries are allowed to retain the data on explicit consent from the data principal or if it is necessary for complying with any law in force.
Processing of Personal Data On Non-Consensual Grounds
Generally, the personal data of an individual can only be processed with the consent of the data principal. However, there are instances in which it can be processed without his consent, if such processing is in relation to the performance of a state function. This includes activities like the issue of licences and certificates as well as the provision of any service supplied by the state. Consent is also not necessary when the data processing is as per the order of a court or in compliance with any law in force. The Bill also permits an employer to use the personal data of an employee without his consent in situations such as:
- For recruitment and termination of an employee.
- For providing any service to the employee.
- For verifying the attendance of the employee.
- Any other activity for assessing the performance of the employee.
The conditions referred to above apply to the processing of personal data without the consent of the data principal. They do not apply to the processing of sensitive personal data.
How Does The Bill Affect An Entity That Collects Personal Data?
To date, data fiduciaries have not had to comply with any data protection mechanisms. The PDPB, however, imposes a significant amount of compliance and data protection standards on them. A data fiduciary is expected to act in conformity with these policies and guidelines. They are:
Privacy by design policy
Transparency in processing
Data fiduciaries are directed to maintain transparency throughout the process of data processing, i.e. from the time of collection of data until the data is deleted. The categories of data collected and the manner in which data is collected should be communicated to the data principal. All the purposes of data collection, including information related to cross border data transfers, should be disclosed. The rights available to the data principal under the Bill, along with the right to file a complaint with the Authority against the data fiduciary, should also be conveyed. The data fiduciary can give and withdraw consent through a consent manager who shall be registered under the Authority.
The Bill imposes certain security safeguards on data fiduciaries. A data fiduciary should employ security mechanisms for eliminating all sorts of harm that may be incurred during data processing activities. It should use technologies such as de-identification and encryption to safeguard personal data. Moreover, the integrity of the data should be protected so that unauthorised data disclosures and destruction of data can be avoided. A review of the security safeguards should be conducted from time to time, and data fiduciaries should take appropriate measures.
Reporting of a personal data breach
Data fiduciaries are obliged to report any data breach. When such a breach may result in harm to a data principal, the data fiduciary shall inform the Data Protection Authority about the breach through a notice consisting of the following particulars:
- Nature of the personal data subjected to breach;
- Number of data principals affected;
- Consequences of the breach;
- Actions taken to cure the breach.
The notice shall be made without undue delay, within the time prescribed by the regulations. The Authority may also direct the data fiduciary to communicate the breach to the data principal, considering the severity of the breach. The Authority can also post the details of the breach on its website.
Data fiduciaries are expected to follow certain immediate grievance redressal procedures for remedying any data breach. Data principals can file a complaint when the provisions of the Bill are not complied with by data fiduciaries. Such a complaint is filed with:
- The Data Protection Officer, if the data fiduciary is classified as a “significant data fiduciary”.
- Any other officer as may be prescribed, in the case of other data fiduciaries.
A complaint should be resolved by the data fiduciary within 30 days of its receipt. If the data fiduciary fails to resolve the complaint within the prescribed time, or if the redressal mechanism was not satisfactory, the data principal can file a complaint with the Data Protection Authority in the prescribed format.
Significant Data Fiduciary
As mentioned in the above paragraph, the PDPB gives the Data Protection Authority the power to classify a certain set of data fiduciaries as “significant data fiduciaries” on the basis of:
- The volume of data processed.
- The sensitivity of data processed.
- Turnover of the data fiduciary.
- Use of new technologies in the data processing.
- Risk of harm caused by data processing.
- Any other factor which may cause harm during data processing.
A data fiduciary classified as significant data fiduciary is mandated to register itself with the Data Protection Authority in the manner specified by the regulations.
The Central Government can classify certain social media intermediaries as “significant data fiduciaries” on the basis of a threshold which varies according to the nature of the social media intermediary. The Bill regards a social media intermediary as an entity that allows the exchange of information online. These entities are expected to have a considerable impact on electoral democracy, the security of the state, sovereignty and public order.
Significant data fiduciaries are mandated to follow a higher degree of compliance and security standards for data protection. It includes:
Data Protection Impact Assessment
When a significant data fiduciary undertakes data processing activities involving complex technologies and sensitive personal data, the Bill mandates it to conduct a Data Protection Impact Assessment (DPIA). The Authority shall, by regulation, select certain data fiduciaries or a class of data fiduciaries who are required to comply with the same. It may also specify the cases where a data auditor is required to audit the DPIA. The Data Protection Impact Assessment shall include:
- A detailed list of processing activities including the nature and purpose of activities;
- Assessment of harm that may be caused while processing;
- Measures for minimising and removing such harm.
The Data Protection Impact Assessment shall be reviewed by the Data Protection Officer, who shall submit a report of the same to the Authority in the manner specified. If the Authority finds that, even after the DPIA, there is a probability of harm to the data principal, the Authority can direct that such data processing cease or mandate other conditions for such processing.
Maintenance of Records and Audit of Data
A significant data fiduciary should keep up-to-date records of all data processing activities in the manner specified in the regulations. These records include:
- List of all important operations in the data processing life cycle;
- Records of periodic reviews of security safeguards;
- Records of Data Protection Impact Assessments;
- Any other aspects of processing as specified under the regulations.
A significant data fiduciary should audit all its conduct and policies with the help of an independent data auditor. The Authority shall register persons with expertise in fields such as data science, privacy, data security, etc. as independent data auditors. It shall entrust the independent data auditor to provide a rating known as the “data trust score”. The Authority shall appoint an auditor to audit the data processing activities when those activities are apprehended to cause any harm to the data principal.
Data Protection Officer
Every significant data fiduciary should appoint a Data Protection Officer with sufficient qualifications and experience to perform various functions such as:
- Maintaining the records specified under the Bill;
- Conducting Data Protection Impact Assessments;
- Acting as the point of contact for the data fiduciary for grievance redressal mechanisms;
- Advising and assisting in ensuring compliance with the various provisions of the Bill.
The data fiduciary can assign other functions which it may consider necessary. The Data Protection Officer should be based in India and act as a representative of the data fiduciary.
Restrictions On Transfer of Data Outside India
The data localisation policy of the Draft Bill submitted by the Justice Sri Krishna Committee invited a lot of criticism. It required a copy of personal data to be stored in India for every cross border transfer of data. Further, it prevented sensitive personal data from being transferred outside India. The PDPB has diluted the provisions related to the cross border transfer of data. As per the Bill, there are no restrictions on the cross border transfer and processing of personal data.
Sensitive personal data can be transferred outside India for the purpose of processing. However, a copy of such data should be stored in India. Cross border transfer of sensitive personal data should only be done after explicit consent from the data principal, subject to the other conditions mentioned in the Bill. The Central Government can also classify a certain set of data as “critical personal data”, whose processing can be done only in India.
Data Protection Authority
The Bill proposes the creation of the Data Protection Authority (DPA) as the regulatory and enforcement body. The Authority shall have a chairperson and 6 other members with at least 10 years’ experience in matters relating to data protection, information security, data privacy, data science, etc. The Bill sets out various matters in relation to the powers, functions and administration of the Data Protection Authority.
It shall create a “code of practice” that ensures that data fiduciaries are in compliance with the Bill. A code of practice can be generally applicable or may be specific to a particular industry. The Authority also has the power to conduct inquiries and investigations and to appoint inquiry officers in the exercise of its functions specified in the Bill.
The DPA has the power to impose penalties for offences committed in contravention of the provisions envisaged in the Bill. The penalties are classified into 2 brackets depending upon the provisions contravened by the data fiduciary. Penalties range from Rs 5 crore or 2% of global annual turnover (whichever is higher) up to Rs 15 crore or 4% of global turnover (whichever is higher). Re-identification of data is criminalised and is subject to a fine which may extend up to Rs 2 lakh or imprisonment of up to 3 years. Re-identification of data is the practice of matching anonymous data with publicly available information to identify an individual.
Compensation is provided to data principals who suffer harm from data breaches. An adjudicating officer of the DPA decides the compensation if the data breach is due to negligence or breach on the part of the data fiduciary. The decision of the adjudicating officer can be appealed to the Appellate Tribunal.
The PDPB comes with certain exemptions. The Central Government can, in writing, exempt any government agency from the provisions of the Bill if it is necessary for the prevention of a cognizable offence relating to the security of the state, the sovereignty and integrity of India, friendly relations among states and public order. Certain kinds of personal data, such as data used for research, statistical and journalistic purposes, are also exempted. Personal data processed by a natural person for personal and domestic use is also exempted from the purview of the Bill; however, such data should not be processed for commercial activities. Finally, a regulatory sandbox to encourage innovation in new fields of technology such as artificial intelligence and blockchain is also exempted from certain provisions of the Bill.
What Does It Mean for Startups and Small Businesses?
Just like the GDPR, the new data protection regulation is expected to have implications for startups and small businesses. One year after the implementation of the GDPR, studies suggest that investment in tech start-ups in the European Economic Area had gone down considerably. Several data-driven start-ups had to shut down when compliance costs and legal complications became insurmountable. Indian startups will be forced to comply with the data protection norms directed by the Bill and the Data Protection Authority. Non-compliance with the law can result in heavy penalties.
Startups and small businesses will have a hard time ensuring compliance with the Bill. The cost involved in compliance can cause trouble for small businesses. Restrictions on using, modifying, storing and processing data can cause headaches for startups relying largely on personal data. They will have to depend more on existing businesses for anonymised data, which may kill competition in the industry. Government entities are also expected to gain an unfair advantage over private service providers due to the exemption available to government agencies for data processing. Monetising first-hand personal data has been the lifeline for start-ups, which under the new regulation can be a challenging thing to do. The Internet And Mobile Association of India (IAMAI) has already expressed its concern that the Bill can have adverse effects on innovation and tech-startups. However, most of the obligations do not apply to small entities that process personal data manually rather than by automated means.
There is no doubt that the PDPB can solve a lot of India’s problems relating to data protection and privacy. The PDPB draws a lot of inspiration from the GDPR. The GDPR does not exempt government agencies and also has compulsory provisions for informing data principals in cases of data breaches, whereas under the PDPB it is at the discretion of the DPA whether the data principal is informed.
Justice Sri Krishna, who prepared the Draft Bill, believes that the exemption of government agencies is a clear dilution of the Bill. It means that the ultimate beneficiaries of the Bill, the data principals, will be deprived of the rights granted by the Bill if the data processing is done by government agencies. Amidst all the data leakages caused by Aadhaar, the Bill was expected to cure a lot of data-related problems. But the exemption of Central Government agencies can defeat many of the purposes intended by this much-needed legislation.
The Joint Parliamentary Committee has invited comments from the major stakeholders to address any loopholes in the Bill. However, the final Bill is not expected to differ significantly from the one introduced in Parliament. All data-driven businesses are going to have a busy time complying with the Bill once it becomes law.