Personal Data Protection Bill 2019: Impact on private companies is hard to tell yet, given the exemptions for State intervention

The private sector is closely watching the new Personal Data Protection Bill as data has become the most crucial asset of a company.

The draft Personal Data Protection Bill 2019 led to widespread debate last week on account of the exemption it provides to the State for its activities. Apart from this controversial stand, the private sector is also closely watching the new law, given that data has become the most crucial asset of a company today. The 2018 Bill gave an indication of the significant changes entailed for data-related activities, be it via data localisation or the need for consent for data-related activities. The 2019 Bill retains most of these provisions, with certain changes that need to be noted.

Image: Pixabay

The 2018 Bill gave an indication of the significant changes entailed for data-related activities, be it via data localisation or the need for consent for data-related activities. Image: Pixabay

New norms on data localisation and cross border transfers of data

Data mirroring

In a major relief to private companies, the data mirroring requirement for personal data has been removed and restricted to sensitive personal data (‘SPD’). Thus, a copy of data like religious, biometric, medical, financial data and the like will need to be stored in India. The ambiguous requirement of a ‘serving’ copy as under the 2018 Bill has been removed.

(Also read: Personal Data Protection Bill 2019 is out; law raises questions on govt provisions which hint at unfettered access to data)

Cross-border data transfers

When transferring SPD outside India, say if the company is a multi-national group requiring such transfers or where a foreign cloud service provider is used, then two requirements must be fulfilled. First, the explicit consent of the data principal (the person) is required and second, a cross-border data transfer measure must be in place, such as an adequacy decision or approved contract or intra-group scheme.

Interestingly, the requirement for cross-border data transfers for personal data has been removed completely. While this is a positive step for companies with one less compliance measure for data transfers, it is a dilution of the protection granted to personal data. Apart from the risk of the transfer to a country with inadequate protections, a second factor is that this may affect the possibility of India acquiring an adequacy decision from, say, Europe. Such a decision can significantly ease business between Europe and India, since thereby free transfer of data from Europe would be possible. Such a decision would decrease one compliance measure for companies.

Critical personal data

On critical personal data, which remains undefined, the law continues to require it to be processed within India only. The restriction on ‘processing’ entirely implies that for this data category, no activity including sharing, analysis, storage, etc., can be done. The 2019 Bill however, clarifies that there may be some relaxations, such as if the other country’s privacy laws are adequate and the government sees no harm with the transfer, or if it is for emergency purposes like health. While this provides some relief, more clarity on this will help companies better prepare for the upcoming law, given the significance of the restriction. Earlier, the Justice Sri Krishna Committee Report had indicated that data like the Aadhaar number, genetic data, biometric data, health data, etc. may be included. 

Consent and consent managers under the new law

Consent under the new law

The 2018 Bill had brought to the fore that consent will be the bedrock of the new law. This is a major issue for companies because a number of activities like marketing, lead generation, data analytics, research, fraud checks, etc. are often done without consent.

Say under Europe’s General Data Protection Regulation, such activities normally rely on other grounds of processing, such as ‘legitimate interests (of a company)’. The advantage of this is that under the GDPR, companies have some flexibility in determining for themselves what activities are reasonable and within the scope of the law. A second advantage is that some of the burden on the data protection authority in having to determine the legality of each and every processing activity is reduced.


On critical personal data, which remains undefined, the law continues to require it to be processed within India only.

Under the Indian law, most processing will be consent-based. Exemptions are present, in the form of the ‘reasonable purposes’ exemption, compliance with laws, the employment purposes exemption, etc. The flexibility  however, as under the GDPR, is lost.  The 2019 Bill now reemphasizes the importance given to consent, by structurally positioning consent along with the basic principles of processing (‘Obligations of Data Fiduciaries’), instead of the previous grounds of processing (under the 2018 Bill). This indicates the unlikelihood of introducing alternative grounds of processing which could give companies more freedom. 

Consent managers under the new law

Additionally, the 2019 Bill introduces ‘consent managers’. These are a type of intermediary which will serve the role of helping a data principal give, withdraw and otherwise manage consent with a data fiduciary, and to exercise any of his data subject rights under the law (the right to erasure, the right to access, etc.). These are to be data fiduciaries operating through a transparent, accessible and interoperable platform.

(Also read: Personal Data Protection Bill 2019: Lawyers claim bill could move India closer to china in terms of control over internet)

The concept is at present very ambiguous. It is unclear if a consent manager will enable a data principal to communicate with many or all data fiduciaries with whom he has dealings, or if a data fiduciary can select a single consent manager or a set of managers which a data principal can use for his dealings with it. The former is similar to the account aggregator system for financial data. This offers a significant advantage to a data principal in terms of easing consent management and rights exercise with multiple data fiduciaries. For companies, however, this can mean a huge compliance burden, particular in terms of integrating with multiple consent managers.

The second form, where a given company or a class of companies use a specific consent manager(s) may work better, reducing compliance burdens for companies and making sure that the consent manager works effectively. The wording of the Bill indicates that an internal consent manager, much like a data protection officer, may not be possible. Giving companies some flexibility to come up with a consent management system that works for the people while reducing compliance burdens must be considered. Alternatively, separate consent management systems for specific industries, much like the account aggregators for the financial industry, must be considered.

Liabilities of consent managers

An additional point that the law is unclear on is with how liabilities will be determined with the use of consent managers. For instance, who is responsible if communication of consent fails, is incorrectly conveyed, or if there is a data breach at some point? This is a significant issue, given the huge penalties under the 2019 Bill, as well as the fact that a communication with a consent manager is deemed to be a communication with the data fiduciary. It needs to be clarified if such liabilities are to be contractually determined, or if the Data Protection Authority of India (DPAI) is to define this.

Certification of privacy by design policies and a sandbox

Optional certification of privacy by design policies

Next, the 2018 Bill had introduced the concept of a ‘data trust score’, to be awarded based on a company’s data protection practices and which must be disclosed in the privacy policy. This will serve as a public benchmark for privacy, much like the ISO marks do for security. The 2019 Bill now states that subject to regulations, data fiduciaries ‘may’ have their privacy by design policies certified. This indicates that at their option, companies can have these policies certified, and that certain standards will be prescribed for the policy to be certifiable. At present it is unclear whether for certain processing activities or fiduciaries, such a certification will be mandatory. For companies, this can act as another public benchmark alongwith the data trust score.

A sandbox for AI, ML, etc.

Certification also comes with a benefit, since this is a prerequisite for applying to a sandbox proposed under the 2019 Bill. The DPAI is to set up such a sandbox for encouraging innovation in relation to artificial intelligence, machine learning, and other emerging tech. The benefits of the sandbox can be utilized for a maximum term of 36 months. Provided people’s privacy is not compromised, this could be advantageous with the DPAI monitoring new developments at a closer level, and through the possibility of more flexible regulations. As per the 2019 Bill, the processing allowed under this will be consent based, and regulatory relaxations provided may include the purpose, collection and storage limitations.

State access to anonymous, non-personal and personal data

Anonymous and non-personal data

Another clause that has been creating controversy is the Central government’s right under the law to ask any fiduciary to provide any anonymous and non-personal data, which is to be used for ‘better targeted delivery of services’ or forming ‘evidence based policy’. This is an issue given the scope of non-personal data which can relate to anything from statistical data to confidential business data, and with no clarity as to how the rights of companies over such data will be respected. Moreover, given that a law on non-personal data is under formulation separately, there is no clarity as to why this provision is included here or how it will interplay with the proposed law.

Personal data

The highly controversial exemption to state processing affects private companies as well. The provision allows the grant of a broad exemption to a governmental agency for national security reasons, from any or all the provisions of the law. For private companies, this means that for national security reasons, the government could require or intercept any personal data in their possession as well. 

Specific provisions on social media intermediaries

The 2019 Bill also includes certain provisions on social media intermediaries (‘SMIs’), for which special requirements are to be prescribed for classification as a significant data fiduciary. It also specifies that SMIs classified as such must mandatorily provide users with the option to verify themselves, and such verification must be made demonstrable and visible.

The presence of this clause is unusual- for one, it is unclear why there is a separate provision for classifying SMIs, when the general provision for classifying fiduciaries as significant data fiduciaries applies to every fiduciary including an SMI. This would be better placed as a regulation issued by the DPAI, which provides complete details as to the criteria of classification and the obligations, than as a part of the primary law. A second factor is that the clause on verification would be better placed as a compliance obligation under intermediary law than under a privacy law.

(Also read: Personal data protection bill seeks access to users' data from companies)

Significant compliance burden

Currently, the Bill has been referred for deliberation by a select committee of the parliament, meaning that further changes are likely before the law takes a final form. The Bill, in its current form, implies that companies around India and the world will have a significant compliance burden. While there must be no compromise with the rights of the people, where reducing the compliance burden on companies is possible, such measures should be considered. In addition, the huge amount of power on the DPAI also implies that the DPAI will likely be overburdened with the number of decisions it will have to take. Methods to ease this, such as through allowing some amount of self-regulation and industry determined standards (subject to the DPAI’s approval), must be considered.

Asheeta Regidi is Head, Fintech Policy at CashFree. She is also a certified privacy professional.

Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.