Yesterday, the Justice Sri Krishna Committee released the much awaited first draft of the Personal Data Protection Bill, 2018. Following a structure which combines Europe’s General Data Protection Regulation and India’s Information Technology Act, 2000, the Bill runs into 112 sections.
These include positive features like broader definitions, horizontal application, extra-territorial jurisdiction and steep penalties for violations, as well as negative features like data localization requirements and numerous exceptions for State-related processing. Amendments are proposed to the Right to Information Act and the Information Technology Act, though no amendments are proposed at present to the Aadhaar Act.
The first part of this series provides a quick overview of the important features of the Personal Data Protection Bill (the Bill). This will be followed by a detailed analysis of the various chapters in the Bill.
Horizontal application and extra-territorial jurisdiction
The jurisdiction of the Bill under Section 2 is vast, including both territorial and extra-territorial provisions along the lines of the GDPR. Further, it has horizontal application, applying to both governmental and private actors. It applies to any processing within India, as well as to any processing by the State, Indian companies or Indian citizens. In its extraterritorial application, it applies to any entities providing goods and services in India, and also to any activity involving the profiling of persons in India.
Data mirroring, data localization requirements imposed
One of the related implications of this vast jurisdiction is the set of data localization rules to be imposed under Section 40, which confirms the data localization reports that arose some time ago. Under these, one copy of all personal data to which the law applies is to be kept on a server within India. Further, certain categories of data, which are to be specified by the government as critical personal data, are to be stored in India alone. Additionally, requirements for cross-border transfer of data are also imposed.
New definitions of personal and sensitive personal data
The Bill introduces new definitions of personal data and sensitive personal data. Personal data refers to any data on a natural person which allows direct or indirect identifiability. Sensitive personal data (SPD) also contains welcome additions such as religious and political beliefs, caste, intersex/transgender status and official government identifiers (like the PAN number).
Financial data is also included as SPD, and has been defined to specifically include data like financial status and credit history. Biometric data as SPD also now specifically includes facial images or photographs, but only when processed so as to allow unique identification of the person (such as through facial recognition techniques). Section 106 further allows the Government to bar the processing of certain types of biometric data, except as permitted under law.
The Bill will not apply to anonymous or non-personal data.
Data ‘fiduciary’ and data ‘principal’
The Bill replaces the traditional concepts of data controller and data subject with data ‘fiduciary’ and data ‘principal’ (the natural person whose data is being collected). The aim seems to be an attempt to create a trust-based relationship between the two. It also introduces the concept of ‘significant’ data fiduciaries, such as data fiduciaries who process huge volumes of data. A valid contract will be necessary to allow processing by a processor.
Data Processing Principles
Turning to data processing principles, the Bill incorporates several of these in Chapter II, including many principles recommended by the Justice A.P. Shah Committee. These include purpose and collection limitation, detailed notice requirements, storage limitation, data quality requirements, and the principle of accountability.
Consent, the primary ground of processing
Consent will be the primary ground of processing available to most entities, as per Section 12 (Chapter III). This consent is required to be free, informed, specific, clear and, in an important addition, capable of being withdrawn. One concern is with Clause (5) of this section, which states that when a data principal withdraws his consent for the processing of his personal data which is necessary for the performance of a contract, then all legal consequences for the effects of the withdrawal will be borne by him (the data principal).
Special conditions for SPD and children’s data
For SPD, explicit consent and other special conditions have been specified under Chapter IV. For children, parental consent and use of age verification mechanisms by data fiduciaries will be required under Section 23. One issue that may be a concern is that the exception created for parental consent for child counselling services and child protection services is very limited.
State processing allowed for ‘provision of services’
The Bill creates several exceptions and exemptions for processing by the State. An additional ground of processing under Section 13 (Chapter III) covers the processing of data required for the functions of the State (as authorized by law), Parliament or a legislature. This includes processing for the provision by the State of any service or benefit to the data principal. Aadhaar related activities would fall under this. It is to be noted that consent, which is an important argument being made against the Aadhaar related processing of personal data, has not been mandated here.
A broad list of exemptions has also been included under Chapter IX, including for the security of the State and for the prevention, detection and investigation of crimes. Other exemptions cover legal proceedings, research, domestic purposes, journalistic purposes, and manual processing.
Processing for emergencies, employment
Other grounds of processing under Chapter III include processing for compliance with a law or judicial order, and processing necessary for an emergency such as a medical emergency, a threat to safety, etc. Processing for employment purposes such as recruitment, attendance, or ‘any activity’ needed for employee assessment has also been permitted. The extent of the processing allowed is a concern considering issues like workplace surveillance.
Permitting processing for ‘reasonable purposes’ like whistleblowing
Another ground created is for processing on other ‘reasonable purposes’ under Section 17. This is an ambiguous ground which allows the Data Protection Authority of India (DPA), which is to be established under the Bill, to specify the purposes. This includes a broad and vague range of activities including whistleblowing, preventing unlawful activities, debt recovery and processing of publicly available data.
Rights of the Data Principals
Chapter VI provides some basic rights to data principals. These include the right to access and correction, the right to data portability and right to be forgotten. The right to be forgotten, it is to be noted, is not a right to erasure or deletion as granted under the GDPR. Instead, it is like the commonly understood notion of the right to be forgotten – a right to prevent or restrict disclosure of personal data by a fiduciary. This would be applicable to the known cases such as removal of search links by Google. The Bill, in fact, does not provide a right to erasure. Rights against automated decision making and profiling are also missing.
Privacy by Design, DPIA and other security requirements
Chapter VII imposes privacy by design requirements. This also includes transparency obligations, such as regarding the categories of data collected and the purposes of processing, and security safeguards like de-identification and encryption. Requirements for conducting Data Protection Impact Assessments (DPIAs), carrying out audits and appointing a Data Protection Officer are also specified.
Assessing ‘harm’ for data breach notifications
Section 32 on data breach notifications requires these to be made to the DPA only. Notifications to the data principals and notices on websites, etc., are to be made only when required by the DPA. Further, the notifications to the DPA are to be made only if the breach is likely to cause ‘harm’ to the data principal.
The Bill introduces a broad, but closed definition of ‘harm’. It specifies 10 factors, including mental or physical injury, loss of property or reputation, identity theft, discrimination, any denial of service, restriction of the right to freedom of speech, and any observation or surveillance that is not reasonably expected. Leaving the discretion to the data fiduciary to judge if the data breach causes harm to the data principal is a concern. Consider Cambridge Analytica, where the data breach was not disclosed.
RTI amendments to include the ‘harm’ concept
Further, this concept of harm is also to be introduced via an amendment to Section 8(1)(j) of the Right to Information Act, 2005. The new section will allow any information which is likely to cause ‘harm’ to be exempted from disclosure under the Act. This may greatly increase the scope of refusals on this basis.
Central govt to appoint DPA members
Many concerns were raised as to whether a DPA in India would ensure equal representation of different stakeholders, in order to ensure its independence. These concerns remain unaddressed, as the Bill makes no specifications as to equal representation.
The Bill establishes a Data Protection Authority of India, consisting of one chairperson and 6 whole time members. The DPA members are to be appointed by the Central Government, based on the recommendations of a body that will consist of the Chief Justice of India, the Cabinet secretary and one CJI nominated expert. The Bill specifies the qualifications and expertise of the persons to be appointed.
Steep penalties of 4% of the turnover
The Bill prescribes steep penalties along the lines of the GDPR. These include penalties of the higher of Rs. 5 crores or 2% of annual global turnover for violations like failing to conduct a Data Protection Impact Assessment. The higher of Rs. 15 crores or 4% of annual global turnover is prescribed for violations like processing personal data in contravention of the Bill. Complaints can be filed by an aggrieved data principal before Adjudicating Officers appointed under the Bill. Appeals from their orders lie to an Appellate Tribunal and thereafter to the Supreme Court.
Non-bailable criminal offences and applicability to State authorities
The Bill also prescribes a list of non-bailable and cognizable criminal offences. This includes a maximum fine of 2 lakhs or imprisonment of 3 years for obtaining, transferring, or selling personal data in violation of the law. If the data is SPD, then this goes up to 5 years or 3 lakhs. Similar provisions apply to the re-identification of data.
Central or state government departments, any authority of the State, as well as companies, can be proceeded against for the commission of these offences. This would also include the UIDAI, as an authority of the State.
Act replaces Section 43A
Lastly, Section 43A of the Information Technology Act, 2000, on compensation for failure to protect data, is to be omitted. Section 72A of the IT Act (Punishment for disclosure of information in breach of lawful contract) has been retained.
Despite containing both positive and negative features, the Bill is a welcome first step towards a comprehensive data protection law. The next part of the series will consist of a detailed analysis of the territorial and material scope of the Bill.
The author is a lawyer specializing in technology, privacy and cyber laws. She is also a certified information privacy professional.