Privacy (and particularly data privacy) has become a major talking point over the last few years. With the exponential growth in digitization of services and expanded surveillance capabilities (both government and the private sector), more and more citizens around the world have pushed for governments to legislate strong privacy controls. The most prominent example of this is Europe’s General Data Protection Regulation (GDPR), which we’ve covered in a series of posts.

In the Indian context, the groundwork was set by the Supreme Court in its ruling in Justice Puttaswamy (Retd.) v. Union of India and Others, where it held privacy to be a fundamental right. In furtherance of this, a committee headed by former Justice BN Srikrishna was set up to formulate a privacy legislation which would address the needs of Indian citizens in a modern context. The draft Personal Data Protection Bill, 2018 was accordingly framed, and was open for public comments and feedback between July and October 2018. In this post, we’ll be examining some of the key features of the Bill. The Bill takes a lot of inspiration from the GDPR, and adds some additional safeguards as well. The Bill also proposes changes to other legislation such as the IT Act, 2000 (although, interestingly, not the Aadhaar Act).

Considering that we’ve done a few posts on the GDPR previously, this post will be looking at the provisions of the Indian Bill in comparison to the GDPR as well.

Definitions

The Bill replaces the GDPR’s data subjects and data controllers with the terms data principal and data fiduciaries respectively. A data principal, like a data subject, is simply a natural person whose data is collected. A data fiduciary is an entity which determines the purpose for which any collected data is processed. The use of the term is quite interesting, as it apparently seeks to create a trust-based relationship between the principal and the fiduciary.

The Bill applies to any data collected, disclosed, shared or otherwise processed within the territory of India. Further, like the GDPR, it establishes jurisdiction over the processing of personal data by entities not present within the territory of India, if they process data in connection with any business in India, or if they are engaged in the profiling of data principals in India.

The Bill establishes a Data Protection Authority, which will consist of six full-time members, who would be selected by a committee consisting of the CJI or a Supreme Court judge nominated by the CJI (who would also be its chairman), the Cabinet Secretary, and an expert of repute in the field of data protection and related subjects.

The Bill also provides for different types of data, similar to the GDPR. Personal data refers to any data which could identify a natural person. Sensitive personal data refers to information such as passwords, financial data, credit history, medical history, sexual orientation and history, biometric and genetic data, religious or political affiliation, or caste/tribe membership. It also allows the Authority to designate any other form of data as being sensitive personal data.

Consent and Privacy by Design

Just like the GDPR, the Bill also envisages a strong concept of informed and express consent given by the data principal to the processing of data. The fiduciary must obtain the consent in a clear and specific manner. It also states that the principal must be able to withdraw consent at any time. The Bill also envisages a number of Privacy by Design principles similar to the GDPR.

However, there are a few loopholes/causes for concern with the way that these are framed in the current Bill. One of these is that the Bill only requires consent prior to processing, as opposed to consent at the time of collection. The natural extension of this is that an entity could simply collect personal data and not process it until much later, and still be in compliance with the law. Another potentially troubling provision is that the Bill states that if consent is withdrawn, all legal consequences for the effects of such withdrawal shall be borne by the data principal.

The Bill also allows Parliament and the State Legislatures to process data if necessary for their functions. There is also the provision for processing of data for “reasonable purposes”, such as (a) prevention and detection of any unlawful activity including fraud; (b) whistleblowing; (c) mergers and acquisitions; (d) network and information security; (e) credit scoring; (f) recovery of debt; (g) processing of publicly available personal data.

Notice and Notifications

Following from the above principle of consent, the fiduciary must provide the principal with clear notice of the following (among others):

  1. The basis and purposes of data processing,
  2. The categories of data processed,
  3. Contact details of the data fiduciary,
  4. The right to withdraw consent and the procedure to do so,
  5. Other entities with whom the data may be shared,
  6. Details of cross-border transfer of data (if applicable),
  7. Period of retention of data,
  8. Grievance redressal mechanisms.

Further, in case of any breach of collected data, the fiduciary must notify the Authority if such breach is “likely to cause harm” to any data principal.

Localization

The Bill mandates that a copy of any personal data is to be stored on a server or data centre in India. Similar to the GDPR, there are also restrictions on cross-border data transfer. The Bill states that cross-border transfer may be allowed in cases where the Authority has approved certain standard contract clauses, or if a particular jurisdiction has been designated by the Authority as having satisfactory data protection regulations in place.

Penalties

In another parallel to the GDPR, the Bill imposes strict penalties of up to 4% of global revenue or 15 crores (whichever is higher) in case of breach of obligations by a data fiduciary. Interestingly, the Bill also provides for criminal liability for any offences listed under the Bill. Such offences would include the collection, transfer, or sale of data in violation of the law. Similar provisions apply to the re-identification of randomized or pseudonymized data. The penalties include up to 3 years’ imprisonment and a fine of up to 3 lakh rupees. The offences have also been categorized as cognizable and non-bailable.

Exemptions

Of particular concern in the Bill are the wide exemptions granted to the State for the collection and processing of data. As mentioned briefly above, the Bill allows for the collection of data for “reasonable purposes”, and also provides a further exemption in the interests of “security and defence.” We will be examining these in greater detail in a future post.

Conclusion

On the whole, the Bill contains many welcome provisions which go a long way in establishing a modern legislation that would balance and protect the rights of citizens against the commercial interests of fiduciaries. However, the exemptions provided to the State could allow for easier surveillance of citizens by the Government. There is also concern surrounding the apparent lack of amendments to the Aadhaar Act in the Bill. The natural extension of these issues could be a practical implementation which does not protect citizens’ privacy in the manner befitting a Fundamental Right, and the same concern has already been expressed by policy groups and think-tanks. It should be noted that the Government had sought feedback on the Bill until October 2018, so it remains to be seen whether the Bill will be modified as a result.