Personal Data Protection Bill: Why it may impose an unnecessary burden on India Inc

The Committee headed by Justice B N Srikrishna released their report formalising the legal framework for Data Protection in India. The Committee also released a draft of the Personal Data Protection Bill, 2018 (referred to as the Draft Bill). The Draft Bill proposes to establish a legal framework for monitoring and supervising processing (Defined in Section 3(32) of the Draft Bill) of personal data. The Draft Bill, if implemented in its present form, will cast a series of obligations onto data fiduciaries, i.e., the entities which determine the purpose for which the personal data would be used. Contravention of such obligations will invite substantial penalties, with offenses likely to invite imprisonment, or fine, or both. One of the core principles on which the present Draft Bill is based involves data fiduciaries obtaining specific and explicit consent from data principals (i.e., individuals to whom the personal data is related to). The data fiduciaries are obligated under the Draft Bill to provide specific notice(s) indicating the purpose for which the personal data is to be processed. [caption id=“attachment_3970161” align=“alignleft” width=“380”]  Representative Image[/caption] The data fiduciaries are also obligated to ensure that the personal data being handled is correct and error-free, and that it is stored to the extent it is required by the data fiduciaries. The utility of the personal data the data fiduciaries maintain must be re-evaluated periodically - the personal data, if found to be no longer required for the purpose for which it was collected, has to be deleted by the data fiduciaries. In addition, the data fiduciaries are to conduct periodic audits. As would be understood, discharging such obligations under the Draft Bill would require regular review and monitoring of the personal data being maintained and processed by the data fiduciaries. Such monitoring would most certainly require additional resources and groups within an organisation for addressing the requirements as proposed under the Draft Bill. As a result, the organisations may have to establish a division to ensure that the organisation remains aligned with the requirements under the Draft Bill. This may not be the only impact which the Draft Bill may have on organisations. The Draft Bill also requires that the data fiduciaries undertake a data protection impact assessment in case the data fiduciaries use any ‘new technology’, implement ‘processing which carries a risk of significant harm’, perform large-scale profiling, or process sensitive (Section 33(1) of the Draft Bill) personal data. The present requirement does appear to have merit in relation to profiling or processing of sensitive personal data, but has raised concerns owing to terms such as ‘new technology’ which may have a much broader impact than intended. For example, large organisations routinely handle large volumes of data, which may be processed using techniques involving Data Analytics or Big Data.

This field is continuously evolving with organisations very frequently updating their IT systems – such updates in technologies may end being considered as ‘new technologies’.

If this is the case, an organisation would have to regularly conduct such an assessment before implementing any improvements within their organisation. This will perhaps impose an unnecessary burden on the organisation and may reduce the time such updates may be brought out. Furthermore, the provision also does not prescribe the basis on which a process involving a risk likely to cause significant harm is to be assessed. Although the Draft Bill permits cross-border transfer of data (subject to certain prescribed conditions –Section 41 of the Draft Bill), it also mandates that a copy of such data be maintained within India as well. This requirement appears to be similar to the requirement mandated (RBI Notification No. RBI/2017-18/153 dated April 6, 2018) by the Reserve Bank of India, although for data relating to payment systems. The Draft Bill however does not make any distinction regarding the type of data for which a copy is to be stored in India. This may inadvertently impose a substantial burden on an organisation in terms of time and infrastructure to ensure that a copy of data is also available in India. The Draft Bill is most certainly in the right direction and does provide a balanced foundation over which the data privacy legal framework may be built upon. The Committee is likely to review the comments and suggested changes which will only supplement the effectivity of the proposed draft. (The writer is Partner, Lakshmikumaran & Sridharan Attorneys)