Editors Note: The Personal Data Protection Bill, 2018, was released by the Justice BN Srikrishna panel on 27 July. Pertaining to that we are doing a multi-part series explaining the finer nuances of the data protection bill. This is part II of the series analyses the territorial and extra-territorial jurisdiction laid down under India’s draft data protection law.
When looking at the Personal Data Protection Bill, 2018, released last week by the Justice BN Srikrishna Committee, the first question which arises is the extent of its jurisdiction. This is a particularly relevant question in the internet age, which establishes whether India can take action against an entity like Cambridge Analytica, which has no presence in India, but acquired the data of 5 lakh Indians and misused it.
The Bill prescribes a very broad jurisdiction clause, including both territorial jurisdiction and extra-territorial jurisdiction along the lines of the General Data Protection Regulation (GDPR). Following the GDPR, however, is likely to lead to the same worldwide concerns that GDPR itself sparked. The Justice BN Srikrishna Committee’s Report, published along with the Bill, has further suggested some exemptions to be included by the Central government to this jurisdiction.
Territorial Scope of the law
To begin with, the Personal Data Protection Bill (the Bill) applies to the whole of India (some laws like the Indian Contract Act draw out an exception for Jammu & Kashmir — this is absent here). Section 2(1) of the Bill then draws out the following territorial scope to include:
i) Any processing of personal data within the territory of India, and
ii) Any processing by the State, an Indian company, an Indian citizen, or anybody incorporated/ created under Indian law.
No application to anonymised, non-personal data
‘Processing’ refers to a range of activities including the collection, storage, use, disclosure, etc. of the data. Firstly, this clause applies to the processing of data other than personal data, such as of non-personal data will be outside the scope of this law. Processing of anonymised data, in fact, is specifically exempted under Section 2(3) of the Bill.
Suggestion for exempting application to non-foreign nationals
Secondly, the bare section indicates that this applies irrespective of whose data is being processed—be it an Indian citizen or a non-citizen. The Justice BN Srikrishna Committee Report (the Report), recommends that the processing of personal data of foreign nationals, within India or by an Indian entity, be exempted by the Central Government. This would exempt, say, the processing done of foreign nationals in the outsourcing industry in India from the provisions of the law.
The aim of the Committee in suggesting this exemption appears to be to avoid creating a conflict of law, as the processing of the data of such non-citizens would already be the subject of their own law. However, an issue that arises with this proposed exemption is that this is likely to affect cross-border transfer of data from those countries to India.
For instance, under the GDPR, the European Commission decides on countries to which data can be transferred freely, on the basis of ‘adequacy decisions’ taken by it. These decisions are taken, in particular, on the basis of whether the country to which the data is proposed to be transferred provides an adequate amount of protection to that data under the law. This includes the rights and remedies available to the people in that jurisdiction. Such an exemption would render the protection adequate and thus can affect such decisions and the transfer of data to India. Further, foreign nationals coming from countries without a strong data protection law will be left remediless.
Processing within India or by an Indian entity
Thirdly, the law applies to any processing that takes place within the territory of India, irrespective of where the person/entity doing the processing is incorporated. This is unlike the GDPR, which requires an ‘establishment’ in the EU, or India’s Information Technology (Sensitive Personal Data) Rules, applies only to body corporates located within India. In addition, it applies to the processing by any Indian entity, the Indian government, or an Indian citizen, regardless of whether the processing is actually taking place within India or no.
Extra-territorial scope of the law
Next, Section 2(2) of the Bill lays out the extra-territorial scope of jurisdiction. This will apply to the processing of personal data, whether by a data fiduciary (commonly known as the data controller) or a data processor, who is not within the territory of India.
This is subject to the processing fulfilling one of the following conditions:
i) The processing is in connection with a business carried out in India, or any systematic activity of offering goods and services to people within India, or
ii) The processing is in connection with any activity involving the profiling of people within India.
This clause is borrowed from Article 3(2) of the GDPR. Like the GDPR, this applies irrespective of the citizenship or residential status of the individual, and quite simply to any person within India. For instance, if a business in India uses a cloud-based server based abroad, such as Google Drive or Amazon Web Services, for some of its processing, then these cloud-based entities will need to be compliant with the Indian law.
Requirement of a significant economic activity/commercial transaction
The Report here clarifies that the requirement is of entities with a significant economic presence in India, or which is carrying out a systematic commercial activity. This is along the lines of rulings given under Indian judgments such as Banyan Tree Holding v. Murali Krishna Reddy, a Delhi High Court judgment. This laid down that to consider if the activities of a website are within the jurisdiction, the level of accessibility and interactivity with people (in India), as well as whether a commercial transaction results have to be taken into account. Unlike the GDPR, where it is expressly stated that this applies irrespective of whether a payment by the person with respect to the goods and services offered is required, this has not been specified under Indian law.
Profiling within scope
Next, any activity involving the profiling of a person within India, such as analysing or predicting the behaviour of the person, will also attract the provisions of the Bill. According to the Report, this would cover any entity which is not involved in significant ‘economic’ activities in India or does not involve ‘commercial’ transactions but is involved in profiling of people in India.
For instance, this would apply to a website which installs a permanent cookie onto the device of a visitor from India, and then systematically collects and analyses data from his web activities. Cambridge Analytica’s activities involving the profiling of Indians would also come under this head.
Entities not actively targeting people in India
A question that arises in this context is about how the Bill would apply to an entity that is not actively targeting people in India, but an Indian person visits the site anyway. The Report with the Bill here proposes the exemption of the ad-hoc or irregular collection of data of persons in India. It is suggested that the processing of data that is neither large scale nor capable of causing significant harm to be exempted from the law.
Consider an Indian who visits a hotel abroad, and the hotel stores and processes some of his data. This would amount to an irregular collection of data. A website that actively targets a worldwide audience, profiles Indian visitors to the websites and targets them with ads, on the other hand, would not be so exempted. The Report also cites examples, such as access made to a popular music streaming app, which is otherwise unavailable within India, by a person in India via a virtual private network. While this proposed exemption does not spark any concern, care will have to be taken with its wording, to ensure that the exemption does not become too broad.
In conclusion, the jurisdiction clause proposed under the Bill is quite comprehensive. The broad extra-territorial clause is crucial for ensuring protection to the people in the internet age. This will define not only which entities, across the world, need to comply with the law but will also empower Indian courts to act against those misusing the data.
The next part of the series will examine ‘personal data’ and other important definitions laid down under the Bill. You can read the past parts of the series:
The author is a lawyer specialising in technology, privacy, and cyber laws. She is also a certified information privacy professional.