As a new decade dawns, India is likely to witness the passage of crucial and high-impact data legislation, which will be a gamechanger in the digital landscape. A Bill, entitled the 'Personal Data Protection Bill, 2019', which was introduced in Parliament in the last month of 2019, comes in the wake of the categorical reaffirmation of the fundamental right to privacy by the Hon'ble Supreme Court of India, in the case of Puttaswamy v. Union of India.
Specifically, the Court had recognized that in the current internet age, there is a crucial need for overarching legislation for the protection of personal data, in order to guarantee this fundamental right to privacy.
- How the Bill protects data
The Bill imposes certain obligations on the entities who control the data (by determining the purpose and means of its processing). Such entities are called 'data fiduciaries', and include both private entities as well as the Government. The person whose data is collected or processed is termed the 'data principal'. The compliance burden of these obligations is on the data fiduciary, and this forms the backbone of the data protection law.
The obligations include requirements to provide notice to the data principal before collecting their data, processing the collected data only for the purposes specified, ensuring that the data is accurate and stored only as long as necessary, ensuring that valid consent is taken from the data principal before the data is processed for any purpose including transferring it to any third party (the standard of consent specified for this purpose is very high), and that the data principal is provided with certain 'rights' in relation to their data - to access, correct/erase, port, and prevent disclosure of their data. These obligations are clearly aimed at securing the data principal's control and ownership over their own data, consistent with the ruling of the Supreme Court in Puttaswamy.
The Bill provides penalties for non-compliance with the obligations, and sets up a Regulatory/Adjudicatory Body called the 'Data Protection Authority', which is the nodal authority for all matters in relation to the Bill.
- Broad exemption powers in favour of Government allowing Government access to all categories of data
The Bill also provides certain 'exemptions', to exclude applicability of the obligations in the law, in certain cases where it would be inappropriate. For example, manual processing by small entities, which would not have the capability to implement the obligations, is exempted, entities processing data of specific exclusions for the BPO industry, exemptions for research, archiving or statistical purposes, etc. All these exemptions are applicable both to private as well as Government entities.
However, in addition to these, there is a specific provision in the Bill, which applies only to the Government, and not to private entities. This provision empowers the Central Government to exempt any agency of the Government from the application of all or any of the provisions of the Bill, and allows sharing by or sharing with such agency of the Government by any data fiduciary, data processor or data principal (without application of the safeguards required of non-exempted data fiduciaries). Moreover, the list of exempted Government agencies can be added to from time to time.
This provision extends the broadest possible powers to the Government to requisition all categories of data (including, for example, sensitive personal data such as financial, health, biometric data or data relating to sexual orientation or religious beliefs or political beliefs) from companies with whom individuals may have shared such data under contractual terms of confidentiality. It thus renders toothless many of the foundational safeguards of the Bill which protect the privacy and control of data principals, in relation to Government agencies. These are the very safeguards which protect and ensure the fundamental right of privacy of the individual, as recognized by the Hon'ble Supreme Court in Puttaswamy v. Union of India.
- Conflict of Interest when Government is a data fiduciary
While the Bill itself sets out the obligations upon data fiduciaries, these obligations (as well as the rights of the data principal) are often operationalized only by means of 'Regulations' to be framed by the Data Protection Authority.
Without these Regulations, the existence of the obligation/right in the Bill itself would be meaningless. For example, the Regulations are meant to specify the categories of information required to be provided by the data fiduciary to the data principal regarding collection of their data before consent is taken, the manner in which the personal data retained by the data fiduciary must be deleted, the safeguards for protecting the rights of data principals, the form and manner of maintaining records, etc.
Now, a 'Memorandum' attached to the Bill specifies, in relation to the making of such Regulations, that the Data Protection Authority may make such Regulations only with the previous approval of the Central Government. In fact, the Data Protection Authority itself is to be established by the Central Government.
This control over the Data Protection Authority by the Central Government denotes a clear conflict of interest, given that the Government itself falls under the category of a 'data fiduciary', on whom the obligations specified under the Bill are imposed. Further, data fiduciaries are also subject to adjudication by the Data Protection Authority in case of any disputes with data principals over the processing of their data; and the Government may be subject to the adjudicatory powers of the Data Protection Authority as well, in its capacity as a data fiduciary.
- Exemptions first, Obligations later
The Bill in its current form does not specify a timeframe within which the Data Protection Authority must be established, or within which it must specify the Regulations operationalizing obligations on data fiduciaries. Thus, even after the Bill is enacted, the obligations will remain toothless until the Regulations are actually notified. On the other hand, the exemption powers, allowing the Government to mandate sharing of data with itself, will kick in as soon as the Bill is notified.
The Data Protection Authority has been empowered to create a 'sandbox' (not defined under the Bill), for the purposes of 'encouraging innovation in artificial intelligence, machine learning or any other emerging technology in public interest'. This language is extremely broad.
Data fiduciaries may apply for inclusion in the sandbox to the DPA, which will then evaluate the application and decide whether or not to include the data fiduciary in the sandbox. Data fiduciaries which are included in the sandbox would be exempted from certain specified obligations, namely, the obligation to specify clear and specific purposes, obligations relating to limitation on collection of personal data and obligations relating to retention of personal data. Notably, the data in the sandbox is likely to include personal data and sensitive personal data held by the data fiduciaries which are a part of the sandbox.
This provision, again, heavily dilutes the obligations to safeguard individuals' data privacy and security, which was intended to be the backbone of the legislation, consistent with the Supreme Court's decision in Puttaswamy.
- Non-Personal Data
Given that the data legislation is intended to secure the fundamental right to privacy as recognized in Puttaswamy, its applicability should be restricted to 'personal data', being data which is capable of identifying individuals, whether directly or indirectly. This, in fact, was the limited applicability of the 2018 draft Bill submitted by the Srikrishna Committee, which specifically stated that the legislation would not apply to 'anonymised personal data' and 'non-personal data'.
Breaking away from this, the 2019 Bill empowers the Central Government to direct any data fiduciary or data processor to provide to it any anonymised personal data or other non-personal data, 'to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government'. Given that anonymised personal data and other non-personal data have no connection with protection of the right to privacy, they should not have been included as a part of this legislation; rather, they may form part of an independent policy discussion by the Government.
This unrestrained power to issue a mandatory direction to data fiduciaries and data processors (backed by penalties for non-compliance as provided under the Bill) to provide such data to the Central Government is excessive, especially as the criteria for making such requisition are worded extremely broadly.
Further, companies (data fiduciaries) have a legitimate copyright interest in processed datasets comprising anonymised data or non-personal data (as well as inferences drawn from such datasets) that they generate using proprietary software, and which form an integral core of their business models. Such processed datasets are likely to pass the test of 'originality' and be copyright-protected as 'literary works'. Thus, any direction that mandates sharing such protected datasets with the Government is likely to violate copyright protections as well as other proprietary economic rights vested in businesses.
At a policy level, such measures will severely disincentivise reputed foreign companies from setting up new operations in India, or continuing existing ones, leading to a further downturn in the Indian economy.
- Social Media Intermediary
The Bill also introduces a new concept called a 'social media intermediary', and empowers the Central Government to notify certain social media intermediaries as 'significant data fiduciaries'. Significant data fiduciaries must register themselves with the Data Protection Authority, and abide by additional obligations as specified in the Bill. Once the Bill is enacted, many online portals forming part of the Indian digital economy may find themselves regulated by the additional norms.
The Bill also prescribes norms for users of such social media intermediaries in India, to verify their accounts. Verified users shall be provided with a visible mark of verification, which shall be visible to all users of the service.
Depending on the nature of verification documents prescribed and the way in which the verification process is carried out by social media platforms (especially those compelled to register themselves), users may find themselves being profiled or targeted based on the nature of their online speech. This is likely to have a chilling effect on their right to freedom of speech as guaranteed under the Indian Constitution.
[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]