Personal Data Protection Bill, 2019
The digital gap between urban and rural India has reduced considerably. As per the annual report 2018-2019 published by the Ministry of Electronics and Information Technology, the number of internet users in India is expected to reach 829 million by 2021. The exponential growth in the use of the internet in India has brought to the fore the need for informational privacy. Considering the amount of data being created and stored, there is an imminent need for data protection with the aim of safeguarding information from corruption, compromise and loss.
To address the need for information privacy, the Government of India constituted a committee under the chairmanship of retired Justice B. N. Srikrishna to prepare a comprehensive data protection law. The committee submitted the draft Personal Data Protection Bill in July 2018 (Bill 2018). Based on the comments and suggestions solicited from the public and various stakeholders, the Union Cabinet on December 4, 2019 cleared the revised Personal Data Protection Bill, 2019 (Bill 2019).
An overview of Bill 2019
The Bill 2019 intends to regulate the collection, usage, storage and transmission of personal data of individuals (Data Principal) in India by government, companies incorporated in India, and even foreign companies (Data Fiduciary).
The Bill 2019 prohibits processing of personal data without any specific, clear and lawful purpose. An independent Data Protection Authority has been proposed, which will be responsible for protecting the interests of the Data Principal, preventing any misuse of personal data, ensuring compliance, and promoting awareness about data protection.
Why is Bill 2019 critical and how can it help Indian citizens?
Considering the enormity of personal data available with the Data Fiduciary, it is essential to have a framework with adequate checks and balances in place in order to create a relationship of trust between the Data Fiduciary and the Data Principal.
Personal data of a Data Principal relates to any identifiable characteristic, trait, attribute or any other feature to identify such natural person, whether online or offline, or any combination of such features with any other information for drawing inference for the purpose of profiling.
The Bill 2019 seeks to bring transparency to the processing of personal data. It imposes certain obligations on the Data Fiduciary, such as to obtain consent from every Data Principal for processing their personal data, to clearly and distinctly disclose the reason for processing personal data, to ensure that the personal data is utilised only for the purpose for which the consent is procured, and to delete the personal data at the end of processing.
The Bill 2019 provides adequate rights to the Data Principal such as to give, withdraw, review and manage their consent; right to correction and erasure of data in addition to the right to be forgotten.
The Bill 2019 aims to restore informational privacy and put the Data Principal in charge of their personal data.
Understanding the key changes between the Bill 2019 and the previous drafts
The overall structure of the Bill 2019 is similar to the Bill 2018. However, a few new concepts have been introduced, such as the social media intermediary, the consent manager, a sandbox for encouraging innovation in the field of artificial intelligence, machine learning and other emerging technology of public interest, and the requirement for certification of the privacy by design policy by the data protection authority.
The provisions with respect to eligibility criteria of data protection officer, information to be disclosed by the Data Fiduciary to maintain transparency, and concept of recovery officer have been deleted and the requirement for data localisation and transfer has been relaxed.
An important addition from the perspective of Data Principal is the right to erasure. This new right allows the Data Principal to request the Data Fiduciary to erase any personal data which is no longer necessary for the purpose for which it was processed. This right of erasure is in addition to the right to be forgotten, which was already there in Bill 2018.
Besides these changes, the Bill 2019 has granted overarching powers to the Central Government to receive any personal or non-personal data related to Data Principal in order to understand the target audience and accordingly frame policies. The Governmental agencies can be exempted from the applicability of any or all the provisions of Bill 2019 in the interest of sovereignty and integrity of India and to prevent any cognizable offence relating to the sovereignty and integrity of India, security of the country, friendly relations with foreign states and public order.
Important legal aspects that all social media companies must consider with respect to the Bill 2019
It was felt that social media intermediaries, which solely enable online interaction between users and allow them to create, upload, share, disseminate, modify or access information using their services, have a significant impact on electoral democracy, security, public order, sovereignty and integrity of the country.
The Bill 2019 has brought social media intermediaries within its purview. The Government will subsequently notify different thresholds for different classes of social media intermediaries. However, certain intermediaries which primarily enable commercial or business-oriented transactions, provide access to the Internet, or are in the nature of search engines, online encyclopedias, e-mail services or online storage services have already been excluded.
A social media intermediary which may be notified as a significant Data Fiduciary by the Central Government will be required to allow its users to verify their accounts voluntarily and to provide a demonstrated and visible mark of verification to each verified account.
These notified social media intermediaries will also be subject to audit by an independent data auditor, to ensure timely implementation and effective compliance with the applicable obligations. This will certainly have a bearing on popular social media platforms such as Facebook, Instagram and WhatsApp.
Legal aspects to consider with regard to cross-border sharing of information and data localization provision
Under the Bill 2018, the data fiduciaries were required to maintain a copy of all personal data in India, except certain categories of personal data which were exempted from the local storage requirement. However, the Bill 2019 does not provide any localisation or data transfer restrictions for personal data that is not considered sensitive or critical. This type of personal data can now be entirely stored and transferred outside India.
In fact, now sensitive personal data (like health, religion, political beliefs, biometric, genetic data) can also be transferred outside of India, but shall continue to be stored in India.
The Government will now be able to designate certain data as critical personal data. This type of data may not be transferred outside of India. However, certain exceptions have been carved out, such as transfers to countries or organizations which provide an adequate level of protection where such transfer does not prejudicially affect the security and strategic interest of the country, or in the case of health services or emergency services.
Compared to Bill 2018, under Bill 2019 the requirement for data localization and the restriction on data transfer have been considerably relaxed.
Understanding the key challenges that the Bill 2019 still faces
The Bill 2019 captures the intention to secure and protect personal data and empowers the Data Principals. However, certain nuances and procedural and administrative details are absent. Even the lead time and the timeline for companies to start complying are missing.
In India, the Government is not only the custodian of law and order but also continues to be an employer and service provider, responsible for monitoring the economy, businesses and banks, maintaining postal services, education and public utilities, and regulating health and safety, and is therefore a major data fiduciary. The overarching power and exemption provided to Governmental Agencies without proper checks and balances can also be a challenge.
How can the passing of this bill impact business in India?
The Bill 2019 intends to create a legislative landscape for data protection. The Data Fiduciaries should now take their obligation to protect and safeguard the personal data of Data Principals seriously. They need to maintain the confidentiality of information and data obtained as part of their business process. They also need to take steps to meet the requirements of data localization and transfer, introduce data security safeguards, bring in transparency and accountability, and put in place a grievance redressal mechanism. The requirement to obtain informed, clear and specific consent from the Data Principal is a paradigm shift. The Bill 2019 should be implemented in such a manner that it does not become a legal and regulatory nightmare for the Data Fiduciaries.
Every Data Fiduciary will be required to prepare and adopt a Privacy by Design Policy, approved by the Authority and published on the website of the Data Fiduciary and the Authority. All this will mandate periodic review of the personal data held by the Data Fiduciary to determine the necessity to retain the same. Certainly, this will require time and money to put in place the necessary procedures.
Stringent penalties, both fine and imprisonment, have also been provided in order to deter the Data Fiduciary from being non-compliant.
Considering the legal complexities, the Data Fiduciaries should ideally seek advice and take adequate steps to increase their preparedness level to face the onslaught of the new legislation. The intervening period can be effectively used to reorient their software, rejig their business practices and streamline the manner in which personal data is captured, stored and processed.
The Bill 2019, with all its frailties, is a long-awaited step in the right direction. Hopefully, the Joint Committee of the Houses to which it has been referred for wider consultation will plug the gaps and provide the country with a robust data protection law, which is the need of the hour.
(The article has been co-written by Shisham Priyadarshini, partner, Rajani Associates and Aishwarya Derashri, associate, Rajani Associates)