The second working session at the Bar Association of India's Seminar on the Personal Data Protection Bill, 2021, held on 3 May 2022 in New Delhi, looked into the nuances of the impact that the impugned bill might have on industries. It focuses on what such a bill and its regulations mean for corporations and for the clients of law firms. The panel was chaired by Dr. Pinky Anand, Senior Advocate & Vice President, BAI. She set the stage for the discussion by emphasizing how such a regulatory framework would increase the ease of doing business in the country, and how the absence of such a regulation so far had left companies at uncertain junctures on data privacy. Dr. Pinky also stated that data changeability, as provided by the new bill, will be a big advantage for corporations.
Mr. Ashish Aggarwal is the head of policy at NASSCOM. His work focuses on the regulatory framework for data, e-commerce, social media platforms, fin-tech and telecom value added services. He was also part of the team that designed the National Pension Scheme. Mr. Aggarwal submits that law, unlike software code, is not created overnight: code can be tested with dummy data and its glitches fixed immediately, whereas the creative process of law is much more complex, and this bill therefore invites such an extensive process. To establish the importance of such a law, Mr. Aggarwal drew the panel's attention to the demographics of India. India is the IT and business process management (BPM) services hub for more than 120 countries; as a country we are clocking a massive $178 billion IT-BPM export industry, and domestic markets are going to touch $50 billion. These numbers add a dimension to our perspective on data privacy law that differs from the European or American perspective. We have an opportunity in our law to further enhance the trust of global markets in our industry by enabling more global data to be processed here in a safe manner without burdensome compliances. At the same time, there has been a big surge in the number of tech start-ups over the past decade, which aim to be Unicorns (valued over $1 billion) and to be global. Therefore, our law will need to be global in its approach and interoperable, at least with the laws of our main trading partners, on the key principles of privacy protection and enforcement mechanisms. It becomes imperative that we have a comprehensive law that protects data privacy, since that would induce trust in digital markets and promote their growth.
The bill also needs to recognize that the heterogeneity of our population will make it difficult for the common citizen to understand and exercise the right to privacy. Therefore, the focus on state capacity for creating awareness and addressing complaints swiftly and fairly will be a key parameter of success. All these aspects must be kept in mind while analyzing the possible impact of this law.
The two big positives of this law are, first, that it enhances privacy, and second, that it is applicable horizontally across industries. A flaw, however, is that the law has tried to bring both personal and non-personal data under it. One of the big concerns often faced with the General Data Protection Regulation (GDPR) is that of compliance, with the record keeping requirements being one such example. A Data Protection Bill which tries to bring both personal and non-personal data under it will raise the level of complexity to an avoidable level and add additional layers of uncertainty for the industry. Therefore, Mr. Aggarwal believes that if the two are separated, there will be better ease of compliance for corporations and industries. It will also enable the data protection authority to focus on its main objective of privacy protection.
He highlighted a few other points where this law falls short:
- First, with respect to data classification: official identifiers are by default seen as sensitive personal data. This will result in enormous costs, as official identifiers like Aadhaar and passport numbers are processed on a daily basis for various reasons. The GDPR allows for such regulation but leaves it to national authorities to decide on additional safeguards, without automatically recognizing such identifiers as sensitive personal data. Financial information is by default sensitive personal data in our bill, whereas globally it is not treated as such. Given that the financial sector is highly regulated, and also that all personal data enjoys a high level of protection, treating a wide range of financial information as sensitive data by default is likely to lead to burdensome compliance. Our proposed definition of health data is very broad. Given that this is sensitive data, it is important that the definition is narrowed down to data about an individual's health condition. This will also align it with the global understanding. A broad definition of health information could unintentionally make health care expensive without adding privacy protection.
- Second, the law lacks clarity on how it will deal with foreign data that is processed in India. While there is an enabling exemption clause, it will be difficult for the industry to work around such uncertainties. Given the unique position of our IT-BPM industry, the bill needs to encourage foreign data to be processed in India while providing suitable data protection measures.
- Third, the exemptions allowed under the bill. While state exemptions are necessary for security reasons, the wording 'necessary and expedient' in section 35 leaves much room for misuse and must be more focused on proportionality. Moreover, the exemption under section 36 is available to private parties as well and is not limited to the state.
- Fourth, the default localization of sensitive personal data is likely to burden the data protection authority with inflexibility. Mr. Aggarwal suggests that data localization should, at best, be provided as one of the regulatory tools, rather than being made the default for sensitive personal data.
- Fifth, the proposal to have the data protection authority and the central government examine and approve all international data transfer schemes and contracts, and to verify whether these transfers violate some state or public policy, will be very time consuming. Instead, appropriate standard contractual clauses should be specified for contracts and schemes to ensure that international transfers carry the requisite obligations.
Ms. Chatterjee is a Partner with the Shardul Amarchand Mangaldas Public Policy and Regulatory Affairs team. She works on policy matters in fields ranging from healthcare to data privacy and financial reforms. Ms. Chatterjee's discussion focused on the changes this bill will bring to the business models of the industry. She believes that the impugned bill is a gamechanger and will have a massive impact on corporations. The horizontal applicability of the bill will ensure that its impact is felt across all fields and sectors. The scope of this law is evolving. The competing interests of an individual's fundamental rights and the needs of industry and commerce must be balanced, while also keeping in mind the concerns of national security.
Ms. Chatterjee identified a few issues that clients of all sectors may face in complying with the guidelines under the impugned bill.
- Applicability: This law has a vast and broad bracket of applicability and will even apply to entities that are not set up in India but are profiling the data of Indian citizens. Therefore, this law has extra-territorial application. This law also follows a horizontal mode of application, meaning that all industries and sectors that process data will come under its purview.
- Consent: This bill makes consent the cornerstone for processing any data. This becomes a challenge for big corporations that often deal with mixed sets of personal data. These mixed sets could have personal data (name, phone number, address) with elements of sensitive personal data (health status, vaccination status, financial status) along with elements of critical personal data. The standards for obtaining consent for each of these data sets would be different, and making a comprehensive consent format becomes a challenge for large corporations. Further concerns that may arise are whether a particular form of consent is adequate, how long the consent can be maintained, and whether consent must be re-obtained for each new venture.
- Data subject rights: This bill gives very significant rights to data subjects, and it therefore becomes important to decide who will be seen as a data fiduciary and who as a data processor. The rights given to a data subject under this law include the right to have their data erased from the processing system, and as lawyers it becomes our duty to identify the data fiduciary who has the obligation to delete such data. This raises the further concern of data fiduciaries who have shared the data with other entities, and whether those entities can also be bound by similar obligations.
- Data localization: The bill suggests that sensitive personal data must be stored in India but may be processed outside, while critical personal data must be both stored and processed in India. The bill also now requires steps to be followed for cross border transfer of data, which include not only the consent of the data subject but also approvals from the Data Protection Authority (DPA) and government agencies. Many corporations work with business models that rely on instantaneous cross border data transfers, with parent companies or others. Such a regulatory framework will require these organizations to reform their data processing mechanisms.
- Transition periods: The industry will have to spend a massive amount of time and resources rethinking the way it procures and processes data. This is combined with the legal expenditure it will have to bear to ensure compliance with the new norms. Therefore, there must be an adequate transition period for companies to adopt and comply with the new law.
Ms. Chatterjee concluded her discussion by noting the role that lawyers will have to play and the need to stay in the loop on all the new developments in this law for the welfare of our clients. We must also be aware of the data operations and flows used by all our clients.
Bhagmishika Puhan is an Associate Partner at TMT Law Practice. She worked as in-house counsel at WIPRO and was part of its GDPR implementation team. Ms. Puhan focused her discussion on a few aspects dealing with the implementation of the law. First, the rechristening of data controllers as data fiduciaries: The Electronic Health Record Standards released by the Ministry of Health in 2013 saw data principals as the owners of the data. The new bill, however, sees the data fiduciary as the one obligated to ensure that the data is accurate. This increases the chance of users being denied access to various platforms, as data fiduciaries will be more cautious about the accuracy of the data they are provided with. The GDPR gave much more leeway to the custodians of such data. There must be some provision in the impugned bill to place some liability on the data subject as well, rather than imposing all of it on the data fiduciary. Second, the level of awareness here cannot be compared to that in the European Union: while the new law brings in multiple classifications and definitions for data, the ground reality remains that citizens are more or less unaware of the difference between directly identifiable sets of data and data that can be used without directly tying it to a person's identity. There is a need for consumers to be aware of their rights, and also for companies to be very careful in classifying the information coming their way. Finally, she emphasized that the multiple steps large business conglomerates must complete before sharing data across borders are extremely time consuming and might result in lapses of service during transition periods.