Understanding the Personal Data Protection Bill, 2018 and Bracing for Impact
Priyanka Anand And Vasudha Luniya
11 Jan 2019 5:40 AM GMT
"We do not have to make a trade-off between ensuring personal data protection and the manner in which we do business. Law and technology gives us the ability to have both"
The Personal Data Protection Bill, 2018 ("PDP Bill") aims to secure the rights of data subjects and to completely overhaul the present data privacy and protection regime in India, or rather to fill the gap left by the absence of one. The Government of India constituted a committee of experts to study the issues relating to data protection in India, to suggest the principles on which a data protection law should be built and to prepare draft legislation. The committee, formed with the mandate of creating a strong data protection law for India, submitted its report and the draft PDP Bill to the Ministry of Electronics and Information Technology on July 27, 2018. The PDP Bill is yet to be passed by Parliament and is expected to be tabled in the current winter session.
The PDP Bill is said to have been modelled on the General Data Protection Regulation (GDPR), one of the most complex and far-reaching pieces of legislation to have emerged from the EU Parliament.
Presently, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("IT Rules") govern the protection of personal data in India and apply to all body corporates. The PDP Bill is much more than an extension of the IT Rules: it seeks to address the lacunae in them and prescribes in detail the manner in which personal data shall be, amongst other things, collected, processed, used, disclosed, stored and transferred.
It is pertinent to note that the PDP Bill applies to both government and private entities. It also extends to data controllers/fiduciaries or data processors not present within the territory of India, if they process personal data in connection with:
• Any business carried on in India,
• Systematic offering of goods and services to data principals (generally referred to elsewhere as data subjects) in India,
• Any activity which involves profiling of data principals within the territory of India.
The phrase 'any business carried on in India', as the basis for exercising jurisdiction over a data fiduciary or data processor not located within India, is vague and lacks specificity. The PDP Bill therefore has extra-territorial application and imposes additional compliance requirements on foreign data fiduciaries and data processors. As it currently stands, the PDP Bill may even apply to foreign data fiduciaries and data processors whose commercial relationships with India are insignificant.
The PDP Bill introduces the concepts of 'data principal' and 'data fiduciary'. The natural person whose personal data is collected is the 'data principal', and the entity that determines the purpose or means of processing that data is the 'data fiduciary'. Data fiduciaries include the State, corporate entities and individuals.
The definition of 'sensitive personal data' is wider than under the IT Rules and now includes, amongst other categories, intersex status, caste, tribe and religious beliefs. Organisations processing sensitive personal data will therefore be subject to additional compliance requirements once the PDP Bill is enacted.
Requirement to give notice and take consent for processing data
The data fiduciary is required to give notice to the data principal before collecting, processing and/or using the data principal's personal data.
The notice shall, inter alia, include the purposes for which the personal data is to be processed; the categories of personal data being collected; the details of the data protection officer; the right of the data principal to withdraw consent; and the procedure for such withdrawal.
Personal data may be processed on the basis of the consent of the data principal. For that consent to be valid, it must be free, informed, specific, clear and capable of being withdrawn. Processing of sensitive personal data requires the explicit consent of the data principal.
The PDP Bill focuses largely on compliance and, if enacted in its current form, may prove cumbersome for data fiduciaries. Obligations such as giving notice and obtaining consent may pose practical and logistical issues for organisations, and complying with them will mean additional administrative burden and cost. Providing notices and obtaining consent in multiple languages may prove a major practical challenge for social media platforms, e-commerce companies and others with a wide base of users across locations.
Additionally, the PDP Bill exempts certain employment-related processing from the requirement of consent. However, this ground can only be invoked where processing on the basis of consent is not appropriate, having regard to the employer-employee relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary owing to the nature of the processing.
The requirement of consent for processing data is already enshrined in the IT Rules, albeit not in such detail.
Retention of data and audits
The data fiduciary shall retain personal data only for as long as is reasonably necessary to satisfy the purpose for which it is processed, unless a longer retention period is explicitly mandated by law. The data fiduciary shall have the necessary policies in place, conduct annual compliance audits through an independent data auditor, and maintain accurate and up-to-date records.
Similar provisions exist in the IT Rules. Under the IT Rules, a body corporate (or a person acting on its behalf) that has implemented the IS/ISO/IEC 27001 standard, or codes of best practice for data protection approved and notified by the Central Government, is deemed to have complied with reasonable security practices and procedures, provided that the standard or code has been certified or audited annually by an independent auditor approved by the Central Government.
Data Protection Officer and the Data Protection Authority
The Data Protection Officer ("DPO") is to be appointed by the data fiduciary; the DPO's eligibility and qualification requirements are to be specified later. The DPO is required to resolve grievances expeditiously and no later than 30 days from the date of receipt of a grievance from a data principal.
Further, the PDP Bill creates a central regulatory and adjudicatory body, the Data Protection Authority ("DPA"), to administer and enforce the provisions of the PDP Bill and to set standards for their implementation. The powers granted to the DPA appear very wide and discretionary: it is to function as a supervisory body, an enforcement agency and an adjudicatory body. Significantly, its powers include suspending the business or activity of a data fiduciary or data processor that is in breach of the PDP Bill, conducting searches and seizures, and suspending or discontinuing cross-border flows of personal data.
The IT Rules do not provide for a DPO or a DPA. They do, however, require a body corporate dealing in personal data to appoint a 'grievance officer' and to publish the officer's name and contact details on its website. The prescribed timeline for redressal of a grievance by the grievance officer is a maximum of one month from the date of its receipt.
Significant Data Fiduciary
The PDP Bill recognises a class of data fiduciaries called significant data fiduciaries, which are subject to a registration requirement and to additional compliances beyond those of an ordinary data fiduciary. Significant data fiduciaries will be notified by the DPA based on factors such as the sensitivity of the data, the volume of data processed, annual turnover and the risk of harm from the processing. However, the PDP Bill provides no thresholds for these factors, leaving the concept vague and ambiguous. The concept is absent from the IT Rules presently in force.
Data localisation and cross border transfer of data
The PDP Bill requires data fiduciaries to store at least one copy of the personal data to which it applies on a server or data centre located in India. It also specifies the conditions under which personal data may be transferred outside the territory of India.
Data localisation would entail additional time and cost for setting up or leasing local servers in India, which may become a cost centre for businesses. This would have to be complied with even by organisations with no physical presence in India to which the PDP Bill nonetheless applies. With the exception of certain exempted categories of processing, all entities, irrespective of size or scale of processing, would still need to comply with measures such as privacy by design, security standards (including encryption and de-identification), breach notification and transparency obligations.
Cross-border transfer of personal data is permitted in certain instances, such as: (i) where the transfer is made subject to standard contractual clauses or intra-group schemes approved by the DPA; (ii) where the Central Government, in consultation with the DPA, has prescribed that transfer of personal data is permissible to a country, to a sector within a country or to an international organisation (where the personal data is adequately protected); and (iii) where the DPA approves a particular transfer on grounds of necessity.
Of these conditions, it appears that most personal data will be transferred under standard contractual clauses. Since very few countries have a robust data protection regime, transfers of personal data are likely to be impeded by the absence of adequacy findings.
The IT Rules do not specifically address cross-border transfer of data or data localisation. They do, however, permit a body corporate (or a person acting on its behalf) to transfer sensitive personal data to any other body corporate or person, in India or in any other country, that ensures the same level of data protection as the transferring body corporate adheres to under the IT Rules. Such transfer is allowed only if it is necessary for the performance of a lawful contract between the body corporate (or a person on its behalf) and the provider of the information, or where the provider has consented to the transfer.
Penalties and compensation
The penalties differ with the nature of the contravention. They can be as high as INR 5 crore to INR 15 crore, or 2 per cent to 4 per cent of an entity's total worldwide turnover in the preceding financial year, whichever is higher.
The penalties prescribed under the PDP Bill are stringent and notably more so than those under the IT Rules. Further, a data principal may seek compensation from a data fiduciary and/or a data processor, over and above any penalties imposed.
Once the PDP Bill becomes law, it will have far-reaching consequences, and corporates will need proper security systems and safeguards in place to comply with its provisions. Some key implications and action points will be:
• Practising a culture of 'privacy by design' in the organisation, covering the complete data life cycle and developing internal controls and systems for data mapping, from collection at all data touchpoints, through storage, access and use, to destruction of personal data;
• Preparing comprehensive privacy policies in line with legal requirements, including data collection, storage, access, retention and disposal policies and procedures;
• Giving notice to the data principal of the collection and use of personal data and obtaining consent for data collection;
• Appointing a DPO to handle grievances;
• Storing personal data in a manner and form compliant with the PDP Bill, including keeping at least one copy on a server or data centre located in India;
• Carrying out annual audits by an independent data auditor;
• Sensitising the employer and employees to the rights available to employees (such as withdrawal of consent) and to the organisation's obligations under the PDP Bill;
• Implementing security measures to protect digital as well as physical data; and
• Data minimisation, i.e. limiting the collection and storage of personal data to what is necessary for the stated, legitimate purpose.
While the legalese and nuances can be left to the lawyers, corporates need to be aware of their obligations and potential liabilities under the PDP Bill. Lack of awareness often leads to inadvertent non-compliance, which can sooner or later result in unforeseen and severe consequences.
The PDP Bill is heavy on compliance and proposes a stringent penalty scheme as a deterrent against non-compliance. To balance this approach against economic and trade interests, the Government of India must also ensure that the final law meets the adequacy standards of comparable legislation in other countries, so as to enable mutual cross-border transfer of data.
Since certain provisions of the PDP Bill will only take effect after a period of time, data fiduciaries will have time to prepare their systems and processes for compliance. The PDP Bill is the most significant step so far towards a comprehensive personal data protection law in India. However, some of its elements should be clarified further and discussed with the various stakeholders to ensure effective implementation.
For any clarification or further information, please contact:
About Clasis Law
Clasis Law is a full-service Indian law firm with rich experience of advising international and domestic clients (ranging from individuals to multinational corporations) on various aspects of Indian law across numerous industry sectors. With several partners recognised as leading experts in their field and acknowledged by industry peers for their in-depth expertise and know-how, together with highly trained teams, the firm is able to provide clients with bespoke solutions and exceptional service. Expertise within the firm spans practice areas such as aviation, banking and finance, competition law, compliances & audits, corporate governance, corporate & commercial, employment, energy, healthcare, hospitality & leisure, insurance, intellectual property, litigation and dispute resolution, insolvency & bankruptcy, projects and infrastructure, real estate, retail, shipping and technology, media & telecommunications. The core values of the firm are a high degree of legal expertise, commitment to excellence, efficiency, integrity, focus and client care, all of which guide each member of the firm. Our commitment to these values enables us to consistently provide high-quality, commercially relevant legal advice specific to our clients' needs. We strive to ensure that each and every client receives our best attention and service at all times. We pride ourselves on being a firm that works to international standards of quality, timely delivery and transparency of billing. Our lawyers are trained not only to handle client matters successfully but also to go beyond client expectations. Recognising the growing market need to adhere to strict guidelines and budgets for transactions and other commercial requirements, the firm works closely with clients to ensure they are provided with value-added, cost-effective solutions at all times, without compromising on quality or dedication.
The transparent and clear billing arrangements promoted by Clasis Law build trust and confidence with clients.
New Delhi Dr Gopal Das Bhawan 14th Floor, 28 Barakhamba Road New Delhi - 110001 Phone : +91 11 4213 0000 Fax : +91 11 4213 0099
Mumbai Bajaj Bhawan 1st Floor, 226, Nariman Point Mumbai - 400 021 Phone : +91 22 4910 0000 Fax : +91 22 4910 0099
Website : www.clasislaw.com Email : [email protected]