In our vastly interconnected and globalized world, information technology is flourishing at an unprecedented rate. The world we live in today is immensely digitalized and data-driven. The spread of data-driven technologies around the world has led to several citizen- and consumer-centric innovations, including new means of communication and access to goods and services through e-governance, online commerce and online transactions. This has made data a vital resource for the internet economy, supporting innovation and the building of new-age businesses.
The advent of the General Data Protection Regime ("GDPR") was a watershed moment for the European Union and was also the first formal recognition of data as a vital resource in the digital economy and established a comprehensive data protection and privacy regime. Since then, the global conversation on data protection and privacy has expanded, notable examples being California's Consumer Privacy Act and South Korea's updating of its Personal Information Protection Act.
With the world's second largest population and over 700 million internet users, India generates enormous volumes of data. Formulating robust data management policies, standards and best practices (accurate and up-to-date data, appropriate data access, strong data security, and privacy and ownership rights), together with comprehensive legislation to regulate the collection, storage, processing, usage, sharing and misuse of personal information, has therefore become the need of the hour.
In 2017, a nine-Judge Constitutional Bench of the Supreme Court, in the matter of Justice K.S. Puttaswamy and another vs. Union of India, declared "privacy" a fundamental right under Article 21, while noting that the right to privacy lies at the core of the fundamental rights guaranteed under Articles 14, 15 and 21 of the Constitution. While delivering its final judgment in this case, the Supreme Court impressed upon the Government the need to bring out a robust data protection regime.
On the basis of the recommendations made in the report of the Committee of Experts on Data Protection constituted by the Government of India and chaired by Justice B. N. Srikrishna and the suggestions received from various stakeholders, the Government proposed to enact a legislation, namely the Personal Data Protection Bill, 2019 ("PDPB"), which was introduced in Lok Sabha on 11.12.2019.
With several controversies surrounding the PDPB, particularly the proposed power of the Central Government to exempt any agency of the Government from the application of its provisions, the draft was referred to a Joint Parliamentary Committee comprising members of both Houses of Parliament ("JPC") for detailed study. The Report of the JPC on the PDPB was presented to the Lok Sabha on 16.12.2021; it contains several recommendations on the PDPB and a revised draft, now renamed the Data Protection Bill 2021 ("Bill 2021").
The Bill 2021 proposes to provide for, among other things, the protection of the digital privacy of individuals relating to their personal data, to specify the flow and usage of data, to protect the rights of individuals whose data is processed, norms for cross-border data transfer, accountability of data fiduciaries, remedies for unauthorized and harmful data processing and the framework for regulation and enforcement.
Key Actors and Stakeholders
In order to understand the provisions of the new Bill 2021, it is imperative to understand the various stakeholders covered in the Bill. The Bill 2021 regulates data fiduciaries as well as data processors and specifies certain duties and responsibilities of these actors.
A data fiduciary is any person, including the State, a company, an NGO, a juristic entity or any individual, who alone or in conjunction with others determines the purpose and means of processing personal data vis-à-vis the natural persons to whom the personal data relates (i.e. the data principals).
There is also a sub-category of data fiduciaries called 'significant data fiduciaries'. Depending upon the volume and sensitivity of the information processed, the turnover of the data fiduciary, the risk of harm posed by the processing, the use of new technologies for processing, the processing of data relating to children or the provision of services to them, etc., these are required to register themselves with the Data Protection Authority ("Authority") proposed to be established under the Bill 2021. Significant data fiduciaries are required to meet certain additional compliances, including appointing a data protection officer, undertaking data protection impact assessments, maintaining accurate and up-to-date records in the form and manner specified, and having their policies and the conduct of their processing of personal data audited annually. Social media platforms may also be categorized as significant data fiduciaries.
Data processors are persons who process personal data on behalf of data fiduciaries. Processing here covers activities such as collection, recording, organization and storage, as well as making data available, restricting it, erasing it or destroying it.
Different Data Sets and Applicability
The right to privacy is a fundamental right and since the growth of the digital economy has expanded the use of data as a critical means of communication between persons, it has become all the more necessary to protect personal data which is an essential facet of informational privacy.
The Bill applies to (i) processing of personal data within India, where such data has been collected, stored, disclosed, shared, or otherwise processed in India, (ii) processing of personal data by any person under Indian Law, (iii) processing of personal data by data fiduciaries or data processors not present within India, if the processing is in connection with any business carried out in India, or any systematic activity of offering goods and services to data principals within India or activity that involves the profiling of data principals in India and (iv) processing of non-personal data including anonymized personal data.
The Bill 2021 expands the scope of applicability to cover personal data, sensitive personal data and critical personal data as well as non-personal data. Personal data is any data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and includes any inference drawn from such data for the purpose of profiling. Non-personal data is defined as data other than personal data. Though the regulations on non-personal data will be notified separately, non-personal data and its breach will also be governed by the provisions of the Bill 2021, and the Authority's powers now extend to non-personal data as well. Businesses will therefore need to factor non-personal data compliance obligations into their overall compliance processes and data management policies.
There is an additional layer of protection for 'sensitive personal data', defined to mean personal data which may reveal, be related to or constitute financial data, health data, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, or religious or political belief or affiliation, all of which are defined in the Bill 2021. Critical personal data, another facet of personal data, is yet to be defined.
Rules of Processing of Personal Data
The Bill 2021 permits any kind of processing of personal data by any person, as long as the processing is done in a fair and reasonable manner, while ensuring the privacy of the data principal and such processing is subject to the provisions enumerated within the Bill 2021 and the rules and regulations made thereunder.
Such processing would be permitted only if it is done according to the purpose consented to by the data principal or for any other purpose that is incidental or connected with such purpose and which the data principal would reasonably expect.
The Bill 2021 explicitly also states that personal data should only be collected to the extent that is necessary for the purposes of processing of such personal data.
Data fiduciaries are mandated to provide clear notice to data principals in multiple languages to the extent necessary so that they can easily comprehend. The notice should carry details of specific information, including purposes of processing, nature and categories of personal data being collected and the basis of processing.
It is even stipulated that a data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and is required to delete the personal data at the end of such period. Personal data may only be retained for a longer period if explicitly consented to by the data principal or to comply with any obligation under law.
For effective implementation of the procedures and processes, the Bill 2021 requires data fiduciaries to formulate and implement policies and measures ensuring that their managerial, organizational and business practices and technical systems are in order. Such policies are required to be certified by the Authority. Data fiduciaries are required to take steps to ensure that the personal data they process is complete, accurate, not misleading and up to date, having regard to the purpose for which it is processed. It is also the responsibility of data fiduciaries to use commercially accepted technology while dealing with personal data, to ensure that the legitimate interests of the business are achieved, that the processing is protected and carried out in a transparent manner, and that the interests of the data principal are taken into account at every stage of the processing. These steps keep the measures taken by the data fiduciary in strict compliance and ensure that the processing mechanism remains effective at all stages.
Data fiduciaries are accountable for compliance with the obligations under the Bill 2021 and the rules made thereunder for data processed by them or on their behalf. Further, under the Bill 2021, the provision of goods and services or the enjoyment of a legal right cannot be made conditional on consent to the processing of any personal data that is not necessary for the purpose, nor denied on the basis of the exercise of such choice. This is a significant departure from the position under the Information and Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under which body corporates have the option not to provide the goods or services for which the information was sought if the provider of the information does not consent to or provide the data sought to be collected, or later withdraws consent.
Processing of the personal data of children below 18 years must be done in a manner that protects the rights of the child. A data fiduciary is required to verify the age of the user and obtain a parent's or guardian's consent before processing a child's personal data. Profiling, tracking or behavioural monitoring of children, and direct advertising targeted at children, by data fiduciaries is prohibited.
The Bill 2021 also requires data fiduciaries and data processors to implement data safety standards and practices, to prevent unauthorized misuse, access, modification, disclosure or destruction of personal data, and to review these safeguards periodically.
The Authority is to be notified by the Central Government of India to monitor and enforce the application of the data protection legislation, as and in the manner that has been laid down comprehensively in the Bill 2021. The Authority can issue directions to the data fiduciary or data processors for enforcing the provisions of the Data Protection Act.
Rights of the Data Principal
One of the most significant aspects of the Bill 2021 is the set of rights granted to the data principal with respect to the processing of their personal data. Apart from the basic protections such as the requirement of consent and the provisions relating to notices, a data principal will also enjoy the following rights under the Bill 2021:
- Right to seek confirmation on whether the data fiduciary is processing or has processed the data principal's personal data, and further a right to access the personal data processed and a summary of such data;
- Right to require the data fiduciary to correct misleading or inaccurate data, and to seek erasure of personal data once the purpose of collection is satisfied or consent is withdrawn;
- Right to receive data in a structured, commonly used and machine-readable format, and right of data portability to any other data fiduciary; and
- Right to restrict continued disclosure or processing of personal data and right to be forgotten on certain specified grounds.
Storage and Transfer of Personal Data
The Bill 2021 makes it mandatory for critical personal data to be processed only in India and prescribes conditional transfer of sensitive personal data. While sensitive personal data may be transferred outside India, it is required that such data continues to be stored in India, and a mirror copy of sensitive personal data stored abroad by processors is to be brought back to India. For the transfer of sensitive personal data outside India, the explicit consent of the data principal to such transfer is mandatory. Transfer of critical personal data, however, is restricted, with limited exceptions such as health or other emergency services or the specific circumstances permitted by the Central Government.
Comparison between the PDPB and the Bill 2021
In addition to the significant differences already pointed out above, there are several other differences between the PDPB and the Bill 2021. The new bill brings both personal and non-personal data within its purview, on account of the JPC's reluctance to draw a distinction between the two and maintain separate legal frameworks for different data sets, and its inclination to have a single Data Protection Authority regulate both personal data and non-personal data.
Another significant difference concerns the provision on retention of data by the data fiduciary. The JPC was of the opinion that the provision in the PDPB was very restrictive and would become a major hurdle for agencies that process the collected data multiple times for various welfare purposes. With this in mind, the JPC recommended revisions in the Bill 2021 so that retention of personal data is restricted to the period necessary to satisfy the purpose for which it is processed.
There is no mention of the rights of a deceased data principal in the PDPB. The Bill 2021, however, contains a provision which empowers the data principal to decide how their data is to be dealt with in the event of death or casualty.
With respect to handling data breaches, the JPC observed that the PDPB placed no obligation on the data fiduciary to report a breach of personal data to the data principal. The JPC acknowledged that it is not advisable to report every data breach to the data principal without first informing the Authority, since some breaches may create panic among citizens and affect law and order if reported before the Authority has analyzed the breach and evaluated the severity of the harm possible to the data principal. The JPC therefore recommended that the Authority, after taking into account the personal data breach and the severity of the possible harm, direct the data fiduciary to report the breach to the data principal and to take appropriate remedial measures to mitigate such harm.
Another key difference between the two bills with respect to data breaches is that the PDPB did not give the data fiduciary a specific timeline for reporting a breach. The Bill 2021, however, mandates a time period of 72 hours for reporting a data breach, making the breach reporting requirements more specific and stricter.
Clause 35 of the PDPB empowered the Central Government to exempt any Government agency from the application of the Act for legitimate purposes such as the security of the State, public order, etc. The JPC was concerned about possible misuse of this provision, whereby the privacy rights of the individual may be subsumed in the protection of the larger interests of the State. The JPC was of the opinion that such a power should only be used in exceptional circumstances and subject to a procedure that is just, fair, reasonable and proportionate, and made recommendations to this effect in the Bill 2021.
The Bill 2021 also gives the Authority the power to conditionally exempt the processing of personal data for research or statistical purposes from the provisions of the Bill 2021.
The expression 'Sandbox' had not been explained in the relevant provision of the PDPB. Since it is a technical term, the JPC considered it necessary to include an explanation for 'Sandbox' in order to avoid ambiguity or misinterpretation of the term.
To that effect, the Bill 2021 defines a sandbox as "live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a specified period of time for the limited purpose of testing." To encourage innovation, certain provisions of the Bill 2021 do not apply to organizations that are part of the regulatory sandbox.
The Government is taking significant steps to overhaul the existing data protection legislation and put in place a comprehensive data protection regime to address the challenges and rigors of a rapidly digitizing India.
Considering the significance and scale of the overhaul of the existing data protection legislation, the JPC has asked the Government to follow a timeline for phased implementation of the Data Protection Act and has recommended that a period of 24 months be provided for implementation of its provisions, so that data fiduciaries and data processors have enough time to overhaul their policies, infrastructure and processes for the transition to the new data protection regime.
It would be prudent for stakeholders to be cognizant of the provisions of the Bill 2021 and of the rights, responsibilities and obligations being proposed, to fundamentally rework and recalibrate their internal processes, to develop and update their internal policies, and to gear up for the new data protection framework.
Authors: Ms. Jayshree Navin Chandra, Senior Partner and Nitika Bakshi, Associate at ZEUS Law.