The Srikrishna Committee, after a long deliberation period, submitted the draft Indian Personal Data Protection Bill, 2018, to the Government of India for its action on 27 July 2018. Opinions and feedback based on an initial review of the draft have already started flowing in. We believe that understanding the true essence and flavour of the draft and of the committee report (‘A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians’) requires one to invest time. We discuss our views and perspectives below.
The draft bill sets out the data protection obligations, with fair and reasonable processing as the core principle. This, in our view, serves as the guiding factor in determining whether processing of data is rightful and lawful. The data fiduciary (the entity that determines the purpose and means of processing) is identified as the party responsible for compliance with the Personal Data Protection Act, 2018, and bears the onus of ensuring that data processors fulfil their contractual obligations. However, with no direct regulatory obligation on the data processor, the level of compliance that can be expected from a processor will only be as strong as the contract.
The draft bill identifies the grounds for processing personal data, covering the gamut of lawful purposes. Consent is identified as one of the primary grounds for processing and is aimed at giving the data principal control over the processing of his or her personal data. The draft bill clearly identifies that consent, coupled with performance of a contract, will provide a greater degree of control to individuals. Also, lack of consent should not lead to denial of any goods or service. Unlike many international data privacy laws, the draft bill provides clarity on a much-debated topic: the imbalance of power between an employee and employer. Is consent a valid basis for processing employee personal data in an employment context? To address this issue, the draft bill sets out a separate legal ground for organisations to process employee personal data that is necessary for purposes of employment.
In a welcome move, the draft bill defines sensitive personal data and calls out the need to treat it with extra care and protection. This means efforts to protect personal data shall be proportionate to the sensitivity of the personal data, which reduces the burden of compliance for less sensitive data. Additionally, the draft bill provides for the Data Protection Authority of India (Authority) to identify further categories of sensitive personal data in future, which should future-proof the Personal Data Protection Act against the disruption-prone and ever-evolving data and technology landscape.
Sensitive personal data includes passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political belief or affiliation.
The draft bill recognises the importance of protecting the personal and sensitive personal data of children and requires organisations processing such data to do so in a way that protects and advances the rights and best interests of the child. This higher level of vigilance, which goes beyond what other data privacy regulations require, is a strong move to safeguard the interests of an impressionable and vulnerable section of the population from a data-hungry world. However, these stringent requirements will have an impact on educational technology companies, social media organisations, healthcare institutions catering to children, targeted advertising companies, etc.
The draft bill adopts a risk-based approach here: data fiduciaries that provide services targeted at children or process large volumes of children's personal data (termed ‘guardian data fiduciaries’) are barred from profiling, tracking or behaviourally monitoring children, from directing targeted advertising at them, and from undertaking any processing of personal data that can cause significant harm to a child.
In a move to empower data principals (individuals) and give them more control over their own data, the bill grants them certain rights, such as the right to confirmation and access, the right to correction, the right to data portability and the right to be forgotten. Basic rights such as the right to seek confirmation, access and rectification are exempt from any fees, thus promoting transparency. Further, the bill also provides mechanisms to address the grievances of data principals in a timely and effective manner. However, there are a few shortcomings:
The draft bill draws on learnings from global privacy regimes and lays down key provisions to promote transparency and hold data fiduciaries/organisations accountable for their actions. Provisions around implementing adequate security safeguards extend to all entities, including entities which have been provided with exemptions under the bill. Another key provision relates to ‘privacy by design’, which requires organisations to embed privacy into their business processes and technologies. This would compel data fiduciaries/organisations to place consumer privacy at the heart of their solutions and services.
While the introduction of these sections lays a good foundation, it still has some sharp edges that need to be smoothed out. For instance, the draft bill lays down the criteria for classifying data fiduciaries as ‘significant’ but places the responsibility on the Authority to notify which data fiduciaries or classes of data fiduciaries are to be considered ‘significant’. This introduces an element of risk, as upcoming or niche sectors that carry out high-risk processing activities may fly under the radar if the Authority does not know of or identify them. Careful research and analysis will be key for the Authority to ensure adequate coverage and categorisation.
Additionally, the ‘record keeping’ requirements are mandatory only for significant data fiduciaries. This is a concern, as record keeping is the means by which an organisation maintains visibility into the personal data it holds, which in turn supports risk assessments, fulfilment of data subject requests, investigation of data breaches, etc. Thus, not mandating record keeping for all data fiduciaries might lead to a weak control environment.
The draft bill also proposes that data fiduciaries keep a copy in India of all personal data that is stored outside the boundaries of India. Although this move could have some negative consequences, as discussed below, it would ensure effective enforcement of the law, reduce bottlenecks in dealing with foreign jurisdictions, and protect national security and interests. Further, in a move focused on protecting national interests and containing the risk of surveillance of critical data by foreign states, the draft bill prevents data fiduciaries from sending ‘critical’ personal data outside the territory of India. However, the draft bill does not itself define what constitutes ‘critical’ personal data; that has been left to be notified later.
Although the intentions behind the move are good, maintaining data locally will have an impact on businesses across multiple industries that are today cloud-led. This will increase the general cost of doing business across industries.
Furthermore, the requirement of consent from data principals for the transfer of personal data outside India, even where contractual clauses are in place or the adequacy criteria are met, may place an additional compliance burden on data fiduciaries. Another negative consequence of requiring consent is that consent can be withdrawn, which the data fiduciary will then have to address at higher cost in order to ensure continuity of business.
The draft bill suggests exempting certain entities from various requirements based on turnover (below INR 20 lakh), volume of personal data processed (fewer than 100 data principal records per day and fewer than 100 data principals on any day in the past year), etc. Considering the Indian context, with its large number of medium and small enterprises, mom-and-pop stores, kirana stores, marts, etc., this move appears to be aimed at ensuring that the burden of compliance does not impede the economic growth of a fragile grass-roots Indian economy. However, the proposed thresholds for exempting small entities may be too low to be practical. Given the large number of small entities with a turnover of more than INR 20 lakh or processing the data of more than 100 data principals, a remarkably high number of entities may fall under the purview of the law, leading to counterproductive economic consequences.
Partner and Leader, Cyber Security, PwC India