The Personal Data Protection Bill, 2019 was introduced in the Lower House of the Indian Parliament in December 2019. It proposed to provide for the protection of personal data and to establish a Data Protection Authority (“DPA”) to ensure protection of the right to privacy of individuals. The Bill now appears to have moved closer to becoming law. The Joint Parliamentary Committee (“JPC”) on the Personal Data Protection Bill of 2019 (“PDP Bill”) is said to have adopted the final draft, and it is slated to be tabled in the Winter Session of Parliament starting from November 29, 2021. The text of the JPC report has not yet been made public.
Like any other data protection regime in the world, the PDP Bill is also based on the principles of transparency, purpose limitation, data minimization, accuracy, storage limitation, confidentiality (security) and accountability. The Bill has adopted the principles laid down by the Supreme Court of India in the K.S. Puttaswamy v. Union of India judgment, according to which any measure restricting a person’s right to privacy must be backed by law, be proportionate to the objective of that law, serve a legitimate aim and have procedural safeguards against abuse.
The Bill proposes to divide data into three categories – personal data, sensitive personal data and critical personal data. It would be applicable to Indian and foreign entities dealing with data of Indian citizens. It broadly provides data principals with the right to confirmation and access to data; the right to correction and erasure; the right to data portability; and the right to be forgotten. The right to erasure was not present in the earlier Bill; it has been provided as an additional right for the data principal in the revised Bill. This enhances the data principal’s rights, as the data principal can now request deletion of data which is no longer needed for the purpose of processing.
The Bill also provides for the creation of an independent regulator, the DPA, to oversee data protection assessments and audits. Every data fiduciary would have the obligation to prepare a privacy by design policy, which may be submitted to the DPA for certification purposes.
Blanket exemptions to government agencies to secure national security and public order:
Section 35 has been one of the most widely debated provisions of the draft Bill, since it empowers the central government to exempt any government agency from the obligation of complying with the law in the interest of “public order”, “sovereignty”, “friendly relations with foreign states” and “security of the State”. Similarly, under Section 12(a)(i), the requirement of express consent from the data principal is waived if the processing is necessary for the performance of any function of the State authorised by law for the provision of any service or benefit to the data principal from the State. It has been debated that such blanket exemptions, without judicial oversight and a checks-and-balances mechanism, may lead to misuse of the immunity provided under the law. Since the right to privacy of individuals has been recognized as a fundamental right under Article 21 of the Constitution of India, any exception to that right should be “just, fair and proportionate” and made by the procedure established by law. This would enable the judiciary to intervene and give data principals enough room to challenge the exemption.
In the earlier draft of the Bill, there was a requirement of mirroring all personal data (i.e. a copy of the data must be stored in India), which could have been a strong check on data colonialism. However, after much debate, the requirement was relaxed / diluted in the revised Bill. Summarized below is the data localization regime now envisaged under the Bill:
Personal data: No cross-border transfer restrictions. No local storage requirement.
Sensitive personal data: Sensitive personal data may be transferred outside of India, but such data shall continue to be stored in India. Sensitive personal data constitutes “special categories of personal data”, including data relating to health, religion, sex life, political beliefs, biometrics, genetics, finance etc. Passwords have been removed from the definition.
Critical personal data: The Government may define certain personal data as “critical personal data”, which cannot be transferred outside India. Transfer to countries deemed to provide an adequate level of protection will be allowed, though.
Having said that, some sector-specific laws on data localization are already in place. For example, the RBI notification of 2018 specifically bars transfer of payment system data outside India. The directive issued by the RBI in this regard, under Section 10(2) read with Section 18 of the Payment and Settlement Systems Act 2007, can be accessed here:
It is pertinent to note that a data localization mandate can bring economic benefits to local industry, because it would require the creation of local infrastructure for storage, which would in turn generate employment and encourage innovation as well as investment in the AI ecosystem. Therefore, there is a need to introduce a policy, in consultation with sectoral regulators, on how the requisite infrastructure for mirroring data in India could be provided. For the time being, restricting the applicability of the data localization provision to sensitive data and critical data only is a welcome move.
Requirements on consent:
The Bill provides that the consent of the data principal must be free, informed, specific, clear and capable of being withdrawn. This means that pre-ticked opt-in boxes on websites may not be considered enough for full compliance with the law as far as consent collection is concerned. Below are some examples of opt-in boxes which may be used by businesses to collect consent by affirmative action before sending any messages or emails to users for marketing purposes:
Opt-in box 1 – “I would love to keep in touch and receive messages from you regarding your services, operations and other updates on the working of your organization”
Opt-in box 2 – “I would love to keep in touch and receive messages from you about new offers, new clothing collections that you may launch in future”
Significant social media intermediaries:
The Bill provides for enhanced responsibility on significant social media intermediaries. The question of what constitutes a ‘significant social media intermediary’ needs to be addressed by the government under the Rules; however, the Bill provides the factors that would be considered for the purpose of that determination. The number of users and the impact of a social media intermediary on electoral democracy, security of the State, public order or the sovereignty and integrity of India shall be considered for this purpose. Such intermediaries would need to maintain up-to-date records of the data lifecycle, including collection, transfers and erasure of personal data, to demonstrate compliance. They would need to conduct annual audits and data protection impact assessments, and would also need to provide users with the option of verifying their accounts. The Bill therefore puts social media intermediaries which collect and store massive amounts of data on a different footing and provides additional obligations for them.
Blanket bar on processing of certain forms of biometric data:
Among the different forms of sensitive data, biometrics has been put on a different footing, because there is a specific provision for it in the Bill. Section 92 of the Bill says that “No data fiduciary shall process such biometric data as may be notified by the Central Government, unless such processing is permitted by law.”
The form of data will be notified by the government; so, as of now, there is no clarity on the type of data the processing of which would be completely barred.
Penalties and compensation:
The Bill provides that processing or transferring personal data in violation of the law will be punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and that failure to conduct a data audit will be punishable with a fine of Rs 5 crore or 2% of the annual turnover of the fiduciary, whichever is higher.
Social Media Platforms to be held accountable for the content from unverified accounts?:
Since the JPC report is not in the public domain as yet, it appears from news reports that social media platforms may be held responsible for content from unverified user accounts, and that their immunity from liability could be taken away. In other words, if social media platforms do not verify user accounts, they would not be able to claim intermediary safe harbours. A recommendation has also been made to set up a new media regulatory authority to regulate content on such platforms.
Widening the ambit of the Bill? – From the news reports it also appears that the Committee Report has called for widening the ambit of the Bill to include non-personal data and data collection by electronic hardware such as smart devices within its scope. This means that what we say to smart devices, before and after the wake word, which is processed for AI improvement, may also be regulated even if it does not constitute personal data.
Once the JPC report is tabled and made public, we will publish another update on the PDP Bill and the way it progresses to become the law of the land.
Authors – Manisha Singh & Simrat Kaur