DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY
LEGISLATIVE DRAFTING SEMINAR PAPER ON
ANALYSIS OF PERSONAL DATA PROTECTION BILL, 2018
Submitted for the seminar paper undertaken in partial fulfillment of the B.A. LL.B. (Hons) 5-year integrated course at Dr. Ram Manohar Lohiya National Law University, Lucknow.
UNDER THE GUIDANCE OF
MS. ANKITA YADAV
ASSISTANT PROFESSOR (LAW)
Dr. RMLNLU
SUBMITTED BY
APOORWA VERMA
ENROLL. NO. 140101037
SEC-A, 9TH SEM B.A. LL.B. (HONS)
ACKNOWLEDGEMENT
I want to express my sincere thanks towards my teacher, Ms. Ankita Yadav, for her guidance and support as and when needed while making this seminar paper. She has helped me in removing the errors and in making the necessary corrections so as to give the paper its final shape. She has guided me in a supportive manner which enabled me to make progressive research and complete my seminar paper work. I would also like to express my gratitude towards my seniors, who have helped me in the best possible way. My batchmates and faculty members also deserve a special mention in this regard for their constant help in various ways. I am thankful to everyone who has spent their precious time in helping me for my paper. This work could not have been accomplished without their help.
TABLE OF CONTENTS
PART-I
1. Introduction
2. Existing Data Protection Framework in India
3. Need for revamping the Data Protection Framework in India
4. Proposed Data Protection Framework for India
PART-II
5. Key Features of the Bill
6. Applicability and Purpose
7. Data Protection Obligations
8. Categories of Data
9. Grounds for processing Personal Data and Sensitive Personal Data
10. Processing of Personal Data and Sensitive Personal Data of Children
11. Rights of Data Principal
12. Cross Border Transfer of Personal Data
13. Data Protection Authority
14. Exemptions
15. TRAI Recommendations and the Personal Data Protection Bill, 2018
PART-III
16. Important Observations
17. Suggestions
18. Conclusion
19. Bibliography
1. INTRODUCTION
The 21st century has been described as the 'information age' due to the extensive use of information, and almost everyone is constantly connected to the internet. The analysis of large and complex sets of data has become a specialized science called 'Big Data' analytics, providing never-before-seen insights to alleviate societal problems relating to areas such as health, food security, transport and urban planning. Governments of the day are launching specialised programmes focused on this digital revolution, like the one launched by the Government of India called the 'Digital India' initiative. With nearly 450 million Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market for global players. While the transition to a digital economy is underway, the processing of personal data has already become omnipresent. The reality of the digital environment today is that almost every single activity undertaken by an individual involves some sort of data transaction or the other. Some of the largest companies in the world today are data driven. The Internet has given birth to entirely new markets: those dealing in the collection, organization, and processing of personal information, whether directly, or as a critical component of their business model. “Uber”, the world’s largest taxi company, owns no vehicles; “Facebook”, the world’s most popular media owner, creates no content; “Alibaba”, the most valuable retailer, has no inventory; “Airbnb”, the world’s largest accommodation provider, owns no real estate. Both the public and the private sector are engaged in amassing personal data which seems to be generated ceaselessly.
While there are justifiable uses that are vastly beneficial, such centralization of data, profiling of individuals and increased surveillance have led to concerns relating to erosion of privacy of individuals, the ability to impact public decision-making processes and national security.1 Various countries have, over the years, been trying to formulate strategies to counter or control the negative effects of this digital aggregation. The EU has adopted a rights-based approach to privacy where personal privacy of an individual is the central pillar of the protection regime. The US, being a laissez-faire culture, has mainly focused on the individual's right to be left alone
1 Amba Kak, The Emergence of the Personal Data Protection Bill, 2018, (October 3, 2018, 4:00 PM), https://www.epw.in/journal/2018/38/commentary/emergence-personal-data-protection-bill.html.
by the State and thus the legislations have been regarding personal information being processed by the government, where processing of personal information by the private sector has been left open through a notice and choice model. China on the other hand has adopted a centrally dominant model where personal information has been perimetered within the country through legislation on grounds of national security.2
2. EXISTING DATA PROTECTION FRAMEWORK IN INDIA
In India too, the digital era has triggered concerns about data protection. To mitigate privacy concerns and national security concerns, the Indian legislature and governments have over the years passed some specific laws in this regard:
General Application: Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011
Govt. Collection of Data: Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016; Aadhaar (Data Security) Regulations, 2016
Banking Sector: Credit Information Companies (Regulation) Act, 2005; Credit Information Companies Regulations, 2006; circulars of Reserve Bank of India including KYC circulars; Master Circulars on credit cards, etc.; Master Circulars on Customer Services; Code of Bank's commitment to Customers
Telecom Sector: Unified License Agreement issued to telecom service providers by the Department of Telecommunications; Telecom Commercial Communication Preference Regulations, 2010
Healthcare Sector: Clinical Establishments (Central Government) Rules, 2012; Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002
It may appear that the aforesaid data protection regime in India is similar in scope to the US data protection regime as it is applicable to specific sectors with a target audience. Having said that, the core differentiator is the fact that in the US the data protection laws are focused on 'protection from the State' and mostly do not have an application relative to the private sector,
2 Ibid.
while in India, such a distinction is not present and the principal driver seems to be protection of data simpliciter, being equally applicable to the public and private sectors.
3. NEED FOR REVAMPING THE DATA PROTECTION FRAMEWORK IN INDIA
While the aforesaid specific legislations exist, the complexity, dynamism and all-encompassing reach of the digital revolution require a far more comprehensive regulatory regime to mitigate the concerns that are ever present. Essentially, it appears that there were three main drivers for revamping the existing data protection framework in India:
a. Justice Puttaswamy judgment: A nine-judge bench of the Supreme Court of India delivered a landmark judgment in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors. 2017 (10) SCALE 1,3 wherein it was held that the right to privacy is an intrinsic part of the fundamental right to life and personal liberty under Article 21 (in particular and in all fundamental rights in Part III which protect freedoms in general) of the Constitution of India. It was held that the Constitution of India must evolve with the circumstances of time to meet the challenges thrown up in a democratic order governed by the rule of law and that the interpretation of the Constitution of India cannot be frozen on the perspectives present when it was adopted. The Supreme Court acknowledged that the concept of the right to privacy has evolved from the basic right to be let alone, to a range of negative and positive rights. The Court recognised 'informational privacy' as an important aspect of the right to privacy that can be claimed against state and non-state actors, but such a right is not an absolute right and may be subject to reasonable restrictions. Further, the Court has laid down a test to limit the possibility of the State clamping down on the right, i.e., such an action must be sanctioned by law, it must be necessary to fulfil a legitimate aim of the State, the extent of the State interference must be 'proportionate to the need for such interference' and there must be procedural safeguards to prevent the State from abusing its power.
b. State's duty to protect national security: India is a vast country with multiple cultures, religions and linguistic diversity and such diversity presents its own challenges
3 K S Puttaswamy v Union of India (2017): Writ Petition (Civil) No 494 of 2012.
for the State. This is further complicated by its geo-political location, due to which India has ranked third on the list of countries suffering from terror attacks. For tackling the internal and external security challenges, the State necessarily needs to have the ability to engage in real-time surveillance of its data subjects if the need arises. For such surveillance to be effective, the State must have the ability to access the data centres; however, in today's digital world, the physical site of the data may be outside India.4
c. India's prowess in IT enabled services: India had a 55% share of the US$185-190 billion global outsourcing business in FY18. With the advent of the General Data Protection Regulation in the EU w.e.f. May 25, 2018, transfer of data from the EU to another non-EU country will need to pass either (i) the adequacy test, or (ii) be in accordance with standard contractual clauses offering enough safeguards in relation with the data. Although the transfer of data from EU nations at present is being undertaken under the standard contractual clauses, due to the sheer size of economic activity and the pervading global protectionist environment, a view may be taken that India's data protection regime is not in sync with the EU requirements despite the contractual clauses being in place, citing difficulty in enforcing the contractual clauses in absence of a regulatory framework. This threat is mitigated if India fulfils the adequacy test, i.e., India has an adequate level of data protection framework in place. For this test, the European Commission will examine the data protection rules in place in India, data protection rights and their effective administration, data protection authority, powers vested with such authority, international commitments with regard to data protection and a periodic review of the aforesaid criteria.
In the present list of countries determined to be “adequate”, India does not figure; however, countries like Argentina, Canada, Israel, Isle of Man, New Zealand and the United States have been determined as “adequate”. Accordingly, it may be strategically prudent for India to bring its own regulatory framework on data protection in line with the EU (which has been trailblazing the global data protection practices).
4 Amba Kak, The Emergence of the Personal Data Protection Bill, 2018, (October 3, 2018, 4:00 PM), https://www.epw.in/journal/2018/38/commentary/emergence-personal-data-protection-bill.html.
4. PROPOSED DATA PROTECTION FRAMEWORK FOR INDIA
The Government of India constituted a committee, chaired by Justice Srikrishna (retired), Supreme Court of India, in August 2017 to design and draft data protection laws for India. The committee, after a year of deliberations and public consultations, has released a draft bill titled 'The Personal Data Protection Bill, 2018' (Draft Bill).5 The long-awaited Personal Data Protection Bill, 2018 (the “Bill”) was released on July 27, 2018 along with the report by the Committee of Experts under the chairmanship of Justice B.N. Srikrishna (the “Report”). The Committee, chaired by Justice Srikrishna, was constituted by the Ministry of Electronics & Information Technology, Government of India to put together a draft of data protection law for India. The Report elaborates on the Committee discussions and deliberations and throws light on the provisions of the Bill. The Bill may undergo further changes before it is adopted as law. This is a keystone development in the evolution of data protection law in India. With India moving towards digitization, a robust and efficient data protection law was the need of the hour. The Bill has been drafted with an intention to fill in the vacuum that existed in the current data protection regime, and to enhance individual rights by providing individuals full control over their personal data, while ensuring a high level of data protection. The Bill has been broadly based on the framework and principles of the General Data Protection Regulation (the “GDPR”) recently notified in the European Union and on the foundation of the landmark judgement of the apex court: Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors (W.P. (Civil) No. 494 of 2012), wherein the Supreme Court of India upheld the right to privacy as a fundamental right under the Indian Constitution.
The Bill shall come in supersession of Section 43A of the Information Technology Act, 2000 (the “IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “IT Rules”), which were enacted under Section 43A of the IT Act.
5 Krishnadas Rajagopal, Drafting a Data Protection Bill, (October 3, 2018, 6:15 PM), https://www.thehindu.com/opinion/op-ed/drafting-a-data-protection-bill/article24584467.ece.
5. KEY FEATURES OF THE BILL
Some of the key observations on the Bill are outlined below:
5.1 Wide Definition of Sensitive Personal Data
The Bill has defined sensitive personal data to include personal data revealing or relating to password, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe. Such a broad definition of sensitive personal data (for instance, to include passwords and financial data) is not in line with international data protection laws, which have provided a much narrower definition for sensitive personal data. Therefore, foreign companies and multinational companies would face a higher compliance requirement under the data protection law in India. Such companies may find it difficult to adhere to these unique onerous compliance requirements, which would significantly affect their ease of doing business in India.
5.2 Data Localization
Every data fiduciary is required to store one serving copy of the personal data on a server or data centre that is located within the territory of India. The data fiduciaries are likely to find this obligation onerous, as it will increase operational costs for most of them. This restriction may also operate as a trade barrier and hinder the ability of global companies to transfer and process personal data across different jurisdictions. Importantly, this requirement does not seem to be relevant in the context of a framework that seeks to protect the right to privacy of individuals.
Hopefully, clarifications will be provided or interpretations will evolve in the future allowing such copies of data to be backed up over a periodic cycle instead of on a real-time basis, and this may somewhat ease the burden of this obligation on data localisation.6 One alternative that may have been provided is a choice for companies to either localise or have a representative, like a data protection officer, who is responsible for making available any data as needed by the Data Protection Authority.7
6 Amber Sinha, Draft Privacy Bill and its Loopholes, (October 5, 2018, 12:04 PM), https://www.livemint.com/Opinion/zY8NPWoWWZw8AfI5JQhjmL/Draft-privacy-bill-and-its-loopholes.html.
7 Ibid.
5.3 Scope of Applicability
Under the Justice B. N. Srikrishna Report, an exception has been made based on the principle of territoriality. The Report states that any entity located in India only processing personal data of foreign nationals not present in India may be exempted from the application of the Bill by the Central Government. However, this exemption has not been brought out in the Bill. It is likely that this exemption would be provided under the rules adopted under the Bill. But, in case no such exemption is provided under the rules, the scope and applicability of the Bill may be more over-reaching than the GDPR. Further, the term ‘in connection with any business that is carried out in India’, in relation to exercise of jurisdiction over any data fiduciary or data processor not located within India, is vague in nature and lacks specificity.
5.4 Definition of Critical Personal Data
The Bill states that critical personal data shall be only processed in a server or data centre located in India. This effectively means that such data cannot be transferred to any country outside India. It may be a challenge for businesses to service Indian consumers solely through the data centres in India. Further, the Bill does not define the term critical personal data or give any guiding principles for its determination.
5.5 Excessive Liability
The Bill imposes liability on the directors of a company or the officers in charge for the conduct of the business of the company at the time of commission of the offence. This seems to be a draconian measure and takes an extreme stand, as even most international legislations such as the GDPR do not provide, in case of data breach, for liability of the person responsible for the conduct of business. Further, due to lack of clarity in the law, the directors and officers in charge may be held liable to pay the same quantum of penalties as may be imposed on the company.
Additionally, there is a lack of clarity on the nature of liability imposed inter se between a data fiduciary and a data processor, or between multiple data processors in case of data breach.
5.6 Repeal of Section 43A of IT Act and IT Rules
The Bill comes in supersession of Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which were enacted under the same provision. However, there are certain provisions under the Rules which are not specifically provided for under the Bill, for instance the disclosure of information in a privacy policy. There is a lack of clarity on whether data fiduciaries need to have a separate privacy policy or whether the detailed notice requirements under the Bill would be sufficient compliance under the law.
5.7 Employment
Under the Bill, exemption from obtaining consent of the data principal for processing their data has been granted for certain employment related matters. However, this ground for processing of personal data can only be invoked if processing of personal data on the basis of consent is not appropriate having regard to the employer-employee relationship between the data fiduciary and the data principal or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities. With the Bill coming into effect, it may pose a possible challenge for employers to continue retaining data of their former employees, obtained during the course of employment, post their separation from the employer.
5.8 Periodic Review of Stored Personal Data
Under the Bill, the data fiduciaries are under an obligation to conduct periodic review of the personal data stored with them so that it is not retained beyond the period necessary for the purpose of processing. The term periodic review is too general in nature and the Bill does not specify whether such periodic reviews need to be conducted monthly, bi-annually or annually. Further, this is most likely to increase operational costs for all companies.
5.9 Notice
Under the Bill, the data fiduciary is under an obligation to provide the data principal with adequate notice before collection of personal data. The notice is required to be clear and concise, and if necessary and practicable, the notice shall be in multiple languages. In a country like India with multiple languages, this may be an operational challenge and may increase the cost of compliance.
5.10 Data Protection Authority – Scope of authority
The Bill has vested the Authority with a wide range of administrative, discretionary, quasi-legislative and quasi-judicial powers.
The exercise of powers vested in the Authority under the rules adopted under the Bill should be in a manner that avoids any concentration of multiple conflicting powers and excessive delegation, which would defeat the purpose of the Bill. Further, the Bill does not make any provision for filing of a class action suit or a representative suit in situations where a data breach affects a large number of individuals.
5.11 Status of TRAI Recommendations
The Telecom Regulatory Authority of India recently released its Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector. The TRAI recommendations provide that till the adoption of a general data protection legislation, the existing rules/license conditions applicable to telecom service providers for protection of users’ privacy be made applicable to all the entities in the digital ecosystem.
Hence, it is uncertain whether the TRAI Recommendations offering sector-specific guidelines (such as encryption standards) will be applicable to data fiduciaries operating in the telecom sector along with the provisions of the Bill, or whether the TRAI Recommendations will cease to govern the privacy, security and ownership of data in the telecom sector.
6. APPLICABILITY AND PURPOSE
Under the current personal data protection regime in India, which is governed by the IT Rules, all government bodies and related organizations have been excluded from its purview. However, in contrast to this, GDPR makes no such exception and its application is extended to all entities, depending on the processing of personal data. The Bill has been drafted along this same principle and is applicable to all entities whether or not such entities are controlled or owned by the government. The IT Act, and hence the IT Rules, apply to the whole of India and to any offence committed outside India by any person, if the conduct that amounts to an offence involves a computer, computer system or computer network located in India. The effect of the offence being felt in India or a threat to Indian security or the security of its citizens, and not presence of the offender in India, is the key to establishing jurisdiction. The Bill has adopted an enhanced principle of extra-territorial scope from the provisions of GDPR. The Bill shall be applicable to processing of personal data: (i) where personal data has been collected, disclosed, shared or processed in any manner within the Indian territory; and (ii) where the processing has been undertaken by the government, by any Indian company, by any Indian citizen or any person or body of persons that has been incorporated under the Indian laws.8 So the Bill recognises the principles of territoriality and nationality in defining the scope of application.
Further, the Bill shall also be applicable to processing undertaken by a data fiduciary or data processor not located within the territory of India (i) if such processing is in connection with any business that is carried out in India or if there is any systematic activity of offering goods and services to data principals within the territory of India; (ii) in connection with any activity that involves profiling of data principals within the territory of India.9 The principle of extra-territorial application has been broadened under the Bill to cover offences, even in cases which do not involve a computer, computer system or computer network in India, considerably improving the privacy rights of the data principals. The long arm jurisdiction of the Bill would bring India at par with international standards of data
8 Section 2(1) of the Personal Data Protection Bill, 2018.
9 Section 2(2) of the Personal Data Protection Bill, 2018.
protection. However, there is a lack of clarity in the language of the law. The term ‘in connection with any business that is carried out in India’ is vague in nature and lacks specificity. Therefore, it would be advisable that the above term be separately defined or an explanation be provided. The extra-territorial jurisdiction of the Bill is in line with the terms of GDPR. However, there are certain differences between the two legislations. The GDPR shall be applicable if foreign data controllers (equivalent to data fiduciaries) or data processors are offering goods and services to the data subjects (equivalent to data principals) in the European Union. Processing of personal data in connection with business carried out in the European Union has been left out of its ambit. Further, the Bill covers such processing of personal data in relation to a systematic activity of offering of goods or services to data subjects in India, unlike the GDPR which applies to all instances of offering of goods or services, including irregular and ad hoc processing of personal data. Further, with regard to processing of personal data of data subjects in the European Union to monitor their behaviour, GDPR states that it applies if such monitoring takes place within the territory of the European Union. In the case of the Bill, any processing of data involving profiling of data principals in India, regardless of where the profiling takes place, gets covered. Under the Report, an exception has been made based on the principle of territoriality. It states that any entity located in India only processing personal data of foreign nationals not present in India may be exempted from the application of the Bill by the Central Government. However, this exemption has not been brought out in the Bill. It is likely that this exemption would be provided under the rules adopted under the Bill.
But, in case no such exemption is provided under the rules, the scope and applicability of the Bill may be more over-reaching than the GDPR. Further, the Report has suggested that the Bill shall not be applicable retrospectively, i.e. it shall only be applicable to on-going or future processing activities and shall not apply to processing activities that have been completed before the law comes into effect.
7. DATA PROTECTION OBLIGATIONS
The Bill sets out the data protection obligations that are required to be fulfilled for processing personal data of any data principal. The data protection obligations are as follows.
7.1 Fair and Reasonable
Processing of personal data shall be conducted in a manner that is fair and reasonable and in a manner that respects one’s right to privacy.10
10 Section 4 of the Personal Data Protection Bill, 2018.
7.2 Data Quality
The personal data that is processed shall be complete, accurate, not misleading and kept updated at all times.11
7.3 Purpose, Collection, and Storage Limitation
The personal data shall be processed only for purposes that are clear, specific and lawful. Processing of personal data shall be limited only to the purpose that has been specified or any incidental purposes reasonably expected by the data principal.12 With regard to collection of personal data, it shall only be limited to such data that would be necessary for processing.13 Hence, broadly defined purposes, such as “improving user experience” or “marketing purposes”, may not meet the standard set out under the Bill, and there must be a reasonable nexus between the actual use of the personal data collected and the list of purposes stated in the notice to data principals. Additionally, the personal data shall be retained only for the time period necessary to fulfil the purpose related to the processing.14 The data fiduciary is under an obligation to undertake a periodic review of all its stored personal data to ensure that no personal data has been retained for more than the necessary time period.15 The term periodic review is too general in nature and does not specify whether such periodic reviews need to be conducted monthly, bi-annually or annually. Although such periodic review is likely to increase compliance costs for data fiduciaries, in the interest of privacy it is essential that the provision be retained and made more specific.
7.4 Notice
Notice is a significant step towards obtaining consent from the data principals for processing their personal data.
Under the Bill, the data fiduciary is under an obligation to provide the data principal with adequate notice before collection of personal data, or as soon as reasonably possible if the personal data has not been collected directly from the data principal. The notice shall be clear and concise, and if required and if practical, the notice shall be in multiple languages also. Providing notice in multiple languages is an additional compliance for the data fiduciaries, considerably increasing their operational costs. Among the other requirements regarding the contents of the notice, the notice shall state the purpose for which personal data is being processed and the categories of personal data
11 Section 9 of the Personal Data Protection Bill, 2018.
12 Section 5 of the Personal Data Protection Bill, 2018.
13 Section 6 of the Personal Data Protection Bill, 2018.
14 Section 10 of the Personal Data Protection Bill, 2018.
15 Ibid.
collected. The data fiduciary shall provide its identity and contact details along with the contact details of the data protection officer (if applicable). In case the personal data has not been collected directly from the data principal, the notice shall mention the sources from which the personal data has been collected. Other information, such as the names of the entities/persons with which the personal data shall be shared, information regarding cross border transfer of personal data, and the time period for which the personal data shall be retained, shall also be included in the notice. Additionally, the notice shall also inform the data principal about its right to withdraw consent and the right to file a complaint against the data fiduciary. If a credit score has been assigned to the data fiduciary, such credit score shall also be mentioned in the notice. The Data Protection Authority (the “Authority”) has reserved its right to add additional information as it deems fit.
7.5 Accountability
The data fiduciary shall be accountable and responsible for protecting the personal data of the data principals. It is the responsibility of all data fiduciaries to ensure compliance with the provisions of the Bill. The obligations of data protection are similar to the principles enumerated under GDPR, bringing the data protection obligations in line with international best practices.16 The GDPR enumerates the following principles of data processing: lawfulness, fairness, transparency, purpose and storage limitation, data minimisation, accuracy, integrity and confidentiality and accountability. However, under the IT Rules, the data protection obligations are limited only to the collection, use and storage of information falling in the category of sensitive personal information, excluding personal data from its ambit. Therefore, it is essential to extend the above data protection obligations to all personal data of a data principal, as achieved by the Bill.
Further, under the Bill a data fiduciary shall engage a data processor for processing personal data only through a valid contract between the two of them. However, there is a necessity that certain non-negotiable clauses be prescribed to be included in the contract between the data controller and the data processor. Further, the data processor is barred from sub-contracting with another data processor, unless there is a specific clause in the agreement between the data fiduciary and the data processor allowing the same.17 However, assuming that the data processor is permitted
16 17
Article 5 of General Data Protection Regulation, 2016. Article 37 of General Data Protection Regulation, 2016.
16 | P a g e
to sub-contract with another data processor, the Bill does not discuss the manner in which such multiple data processors would be liable for breach of any provisions of the Bill.
8. CATEGORIES OF DATA
The Bill categorises data into three different categories: personal data, sensitive personal data and critical personal data.18 Personal Data has been defined under the Bill to mean “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such feature with any other information”.19 The definition of personal data is in line with the definition of personal data enumerated under GDPR. Further, the definition also covers personal data that may indirectly lead to identification of a natural person. This is important as certain entities using modern technologies carry on targeted online advertising and use an individual’s online activities and patterns to customise their advertisements. Although such data gathered from one’s online activities may not be identifiable individually, it may, when taken collectively, result in identifying a person. Sensitive personal data has been defined under the Bill to include personal data revealing or relating to password, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe.20 Currently under the IT Rules, sensitive personal information includes only seven (7) categories of information, that is, password, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information; and other details relating to the above categories for providing services, any of the above information received by body corporate to process data under lawful contract.
Expanding the scope of sensitive personal data is not consistent with international standards and law, which would mean that foreign companies or multi-national companies would face stricter compliance requirements under the Indian law. Such companies may find it difficult to adhere to such onerous compliance requirements, which would significantly affect their ease of doing business in India. However, on the positive side, the remedies available to the data principal in case of data breach extend to both breach of personal data and sensitive personal data, unlike under the IT Rules, which provide for compensation only in case of breach of sensitive personal information of a data principal. With regard to the term critical personal data, the Bill does not provide any specific definition. However, it states that the Authority may notify certain categories of data to be critical personal data. It remains to be seen whether there will be any additional data security requirements or compliances that will be prescribed in relation to critical personal data. Further, it has been stated that the Bill shall not be applicable to processing of anonymised data.21 Even though anonymised data has been excluded from the ambit of the Bill, de-identified data continues to be treated as personal data and will be governed by the provisions of the Bill.
18 Article 40 (2) of General Data Protection Regulation, 2016.
19 Article 2(29) of General Data Protection Regulation, 2016.
20 Section 2(35) of the Personal Data Protection Bill, 2018.
9. GROUNDS FOR PROCESSING PERSONAL DATA AND SENSITIVE PERSONAL DATA
With regard to processing of personal data and sensitive personal data, the Bill provides the lawful grounds on which such data can be processed. Of these, consent of the data principal is the primary ground for processing personal data or sensitive personal data. The others are grounds on which personal data or sensitive personal data can be processed without obtaining the consent of the data principal. These grounds are set out below. It is to be noted that the Bill does not provide for any separate grounds for processing critical personal data.
9.1 Consent
It is the basic ground for processing personal data or sensitive personal data.22 The consent of the data principals shall be free, informed, specific, clear and capable of being withdrawn. The burden of proof to establish that the consent has been given lawfully lies with the data fiduciary. For processing sensitive personal data, in addition to the above requirements, the consent shall be provided explicitly, meaning that the data principal shall be informed about the possible consequences of the processing; it shall be clear without needing to refer to the context in which it had been provided; and specific in the context such that the data principal has the choice to give separate consents for different purposes, operations and use of different categories of sensitive personal data relevant to the processing.23 This means that implied consent, inactivity or pre-checked boxes that indirectly signify consent may no longer be acceptable modes of consent under the Bill. The GDPR also recognizes the importance of consent for processing personal data and the need for explicit consent for processing special categories of personal data. Even in India, under the IT Rules, subject to certain other provisions, consent of the individual before collecting, disclosing or transferring sensitive personal information is required. However, in the case of performance of a contract, there is a difference between the two legislations. Under the Bill, performance of a contract cannot be made conditional on consent to the processing of personal data that is not necessary for the purpose. This is a departure from the current IT Rules, whereby an entity can deny performance of a contract (such as delivery of goods or performance of service) if consent has not been given for processing personal data, regardless of whether such data is required to be processed in connection with performance of the contract or not. It is evident that consent is a primary ground for processing personal data. However, consent shall not be the only ground on which personal data shall be processed. The Bill makes provision for other grounds on which personal or sensitive personal data can be processed, without the need to obtain consent. Such grounds are as follows:
9.2 Functions of the State
Personal data or sensitive personal data (as the case may be) can be processed if such processing is necessary for the function of the parliament or any state legislature or for exercising any function of the state such as providing any service or benefit to the data principals, or for issuing any certificate, license or permit for any activity of the data principal.
9.3 Compliance with Law or Any Legal Order
Personal data or sensitive personal data can be processed for complying with any provision of the law or any order of a court or tribunal.24
9.4 Prompt Action
Personal data and sensitive personal data can be processed without obtaining the consent of the data principal in situations where the processing is necessary to cater to medical emergencies, or to provide health services during any epidemic, outbreak of disease or any kind of threat to public health. Further, processing of personal data can be undertaken for any prompt action that would be required in case of a breakdown of public order.25
9.5 Employment Related Action
Personal Data can be processed if it is necessary for employment related purposes such as recruitment, termination, assessment of performance, provision of any benefit to the data principal (employee), or verification of attendance of the data principal.26
21 Section 2(3) of the Personal Data Protection Bill, 2018.
22 Section 12 of the Personal Data Protection Bill, 2018.
23 Section 18 of Data Protection Bill, 2018.
24 Section 14 of the Personal Data Protection Bill, 2018.
25 Section 15 (c) of the Personal Data Protection Bill, 2018.
26 Section 16(1) of the Personal Data Protection Bill, 2018.
However, this ground for processing of personal data can only be invoked if processing of personal data on the basis of consent is not appropriate having regard to the employer-employee relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities. Although such ground is a reasonable ground to process personal data, it is important to impose strict obligations on the employer (data fiduciary) to first take all reasonable steps to obtain the consent of its employee. Further, the law should clearly state that the burden of proof to establish that it was not reasonably possible for the employer to obtain consent shall strictly vest with the employer. Additionally, many employers retain the personal data of their former employees for various purposes, several years after cessation of their employment. With the Bill coming into effect, it may pose a challenge for employers to continue retaining data of their former employees, obtained during the course of employment, after their separation from the employer.
9.6 Reasonable Purposes
Personal Data can be processed for reasonable purposes as may be specified by the Authority. The Authority may specify the reasonable purposes for prevention and detection of unlawful activity including fraud, whistle blowing, mergers and acquisitions, network of information security, credit score, recovery of debt, processing personal data available in public. As such reasonable grounds for processing of personal data will be set out by the Authority, there is very limited scope for misusing this provision. Further, in this regard, the Authority would also be prescribing the safeguards for the protection of the rights of the data principals. Under the current IT Rules, the scope of processing personal data without consent is very limited.
Information including sensitive personal information (as defined under IT Rules) can be shared with a third party without the consent of the information provider only where it is shared with government agencies that are mandated under law to obtain such information, and for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.27 Even under GDPR several grounds have been recognized for processing of personal data and sensitive personal data without the consent of the data subject. However, the scope under the GDPR is a little wider than the scope under the Bill. For example, under GDPR, processing is also considered lawful without the consent of the data subject when such processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
27 Rule 6(1), proviso of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
10. PROCESSING OF PERSONAL DATA AND SENSITIVE PERSONAL DATA OF CHILDREN
The Bill recognises and seeks to protect the personal data and right to privacy of children. Every data fiduciary is required to process personal data of children in a manner that protects and advances the rights and best interests of the child. Under the current IT Rules, there are no special provisions with respect to processing of personal data or sensitive personal data specifically of children. The provisions relating to processing of personal data and sensitive personal data of children are as follows.
10.1 Age limit
The Bill defines a child to mean any data principal below 18 (eighteen) years of age.28 The age limit set out is in compliance with the provisions of the Indian Contract Act, 1872, but differs from the age limit set out in GDPR, which is 16 (sixteen) years of age.
10.2 Parental Consent and Age Verification
To process personal data of children, the data fiduciary shall obtain the consent of the parents and incorporate an age verification mechanism to verify the age of the child. Similar obligations have been imposed upon the data controller under the GDPR.
10.3 Guardian Data Fiduciaries
The Authority shall notify as guardian data fiduciaries those data fiduciaries who (i) operate commercial websites or online services directed towards children, or (ii) process large volumes of personal data of children. Guardian data fiduciaries shall not perform any kind of processing or profiling, tracking, behavioural monitoring of, or targeted advertising directed at, children, which causes significant harm to children. However, if a guardian data fiduciary is exclusively involved in providing specified child counselling services or child protection services, it shall be exempted from obtaining parental consent. Under the GDPR, there is no provision for guardian data fiduciaries. However, such distinction under the Bill would be a valuable addition to the data protection regime in India, restricting all gaming websites regularly accessed by children from exploiting the privacy rights of children.
28 Section 2(19) of the Personal Data Protection Bill, 2018.
11. RIGHTS OF DATA PRINCIPAL
The Bill grants certain rights to the data principals with regard to processing their personal data, which are broadly based on the framework of the rights granted to data subjects under GDPR. The rights granted to the data principals are as follows:
11.1 Right to confirmation
The data principal has the right to obtain confirmation whether the data fiduciary is processing or has processed its personal data; to obtain a summary of the personal data that is being processed; and to obtain a summary of the processing activities undertaken by the data fiduciary. Similarly, under GDPR, a data subject has the right to obtain confirmation from the data controller whether or not the personal data concerning him/her is being processed. Also, under the GDPR, data subjects have the right to access their personal data and all other information related to it.29
11.2 Right to correction
The data principal has the right to demand correction of inaccurate or misleading personal data, completion of personal data which is incomplete, and an update of any personal data which is out of date. Similar rights to rectify and update inaccurate or incomplete personal data or information have been provided under GDPR and under the current IT Rules.30
11.3 Right to data portability
The data principal shall have the right to obtain their personal data from the data fiduciary in a structured, commonly used and machine readable format, where data has been processed through automated means. The data principal has a right to receive the personal data: (i) which the data principal has provided to the data fiduciary, (ii) which is generated by the data fiduciary in the course of providing services or use of goods, and (iii) which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained. In addition to the above, the data principal shall also have the right to transfer the abovementioned personal data to any other data fiduciary. However, the right to data portability shall not be applicable in certain situations, such as where processing is necessary for the function of the state, where processing is in compliance with an applicable law, where processing would result in revelation of any trade secret of any data fiduciary, or where it would not be technically feasible. Similarly, the right of data portability has been provided to data subjects under GDPR. Under the IT Rules, there is no specific provision whereby a data principal/individual has the right of portability in respect of its personal data.
29 Section 24 of the Personal Data Protection Bill, 2018.
30 Section 25 of the Personal Data Protection Bill, 2018.
11.4 Right to be forgotten
The Bill provides the data principals with a limited right to restrict or prevent the continuation of disclosure of any personal data by the data fiduciary where (i) such disclosure has served its purpose and is no longer needed, (ii) the consent on the basis of which it was made has been withdrawn, or (iii) the disclosure was made contrary to the provisions of the Bill or any other law in force.31 This right may be exercised by the data principal by filing an application with the adjudicating officer. Although the right to be forgotten is a part of our fundamental right to privacy, it is essential to balance such right with the fundamental right to freedom of speech and expression of the general public. GDPR has also provided the data subjects with the right to erase their personal data (subject to certain conditions). However, under the IT Rules, there is no specific provision whereby an individual has the option to exercise his or her right to be forgotten.
12. CROSS BORDER TRANSFER OF PERSONAL DATA
The Bill imposes strict regulations on the transfer of personal data outside the territory of India.
12.1 Data Localisation
As per the Bill, every data fiduciary shall store one serving copy of the personal data on a server or data centre that is located within the territory of India.32 However, the central government has the right to exempt certain categories of personal data from the above requirement on the grounds of necessity or strategic interests of the State, but sensitive personal data in no way will be exempted from the above requirement. The obligation to store, within the territory of India, a copy of the personal data that is being transferred outside India may not be accepted and may be criticised, as it is likely to increase operational costs for most entities, especially for start-ups. This will also hinder the ability of global companies to transfer and process personal data across different jurisdictions. Even under the GDPR, there is no obligation to store a copy of the personal data in the member country to which the data relates. This may affect ease of doing business with India.33
12.2 Critical Personal Data
The Bill imposes an absolute restriction on processing of critical personal data (personal data as notified by the Central Government), stating that such critical personal data shall be processed only in a server or data centre located in India. This effectively means that such data cannot be transferred to any country outside India. It may be a challenge for businesses to service Indian consumers solely through the data centres in India. It is important to have the term critical personal data clearly defined to avoid confusion or misrepresentation.34
31 Section 27(1) of the Personal Data Protection Bill, 2018.
32 Section 40 (1) of the Personal Data Protection Bill, 2018.
33 Nirvaan Gupta, Data Protection In India (October 12, 2018, 9:45 PM), http://www.mondaq.com/article.asp?article_id=744160&signup=true.
12.3 Conditions for Cross Border Transfer
The Bill has laid down the conditions for transferring personal data outside the territory. These conditions are as follows.
(a) Transfer of data is according to standard contractual clauses or inter-group schemes that have been approved by the Authority;
(b) The central government in consultation with the Authority has prescribed a country or section within a country or a particular international organization where such transfers are permissible based on the adequacy of the data protection framework in such country and monitoring of circumstances applicable to such data; or
(c) A particular transfer is approved by the Authority on grounds of necessity.
Along with the above 3 (three) conditions, the data principal shall consent and explicitly consent to the transfer of personal data and transfer of sensitive personal data, respectively. Further, the Bill also clearly lays down an additional requirement for transferring sensitive personal data (as notified) outside the territory of India. Under the current IT Rules, sensitive personal information or any information may be transferred to a body corporate or person outside India that ensures the same level of data protection that is to be adhered to under these Rules. Further, the transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate and provider of information or where such person has consented to data transfer.
13. DATA PROTECTION AUTHORITY
The Bill establishes an independent body called the Data Protection Authority of India.35 Currently, there is no such independent authority under the present data protection regime in India. The Data Protection Authority shall possess all characteristics of a body corporate. The Authority shall consist of a chairperson and 6 (six) whole time members. The Bill has vested the Authority with a wide range of powers. Such powers may be divided into the broad heads of administrative, discretionary, quasi-legislative and judicial powers. It remains to be seen in what manner the exercise of powers vested in the Authority shall be prescribed under the rules adopted under the Bill, so as to avoid any concentration of multiple conflicting powers and excessive delegation, which would defeat the purpose of the Bill. Further, the Bill does not make any provision for filing of a class action suit or a representative suit in situations where a data breach affects a large number of individuals.
34 Ibid.
35 Section 49 of the Personal Data Protection Bill, 2018.
14. EXEMPTIONS
The Bill lists certain categories that are exempted from application of the Bill in whole or in part. The exempted categories are: security of state; prevention, detection, investigation or contravention of law; processing for purposes related to legal proceedings; research, archival or statistical purposes; personal or domestic purposes; journalistic purposes; or processing done by small entities.
15. TRAI RECOMMENDATIONS AND THE PERSONAL DATA PROTECTION BILL, 2018
The Telecom Regulatory Authority of India released its Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector (the “TRAI Recommendations”) on 16 July, 2018. The TRAI Recommendations highlight the importance of data privacy and data protection in a sector which is driven by telecommunications and digital services. The Bill, to some extent, has incorporated the TRAI Recommendations. The TRAI Recommendations also state that entities collecting and processing data are mere custodians or fiduciaries and do not have any primary rights over such data. TRAI Recommendations on rights of individuals with respect to choice, notice, consent, portability and right to be forgotten in the telecommunication sector have been recognised and incorporated under the Bill, subject to certain limitations. The Bill has also incorporated the principles suggested in the TRAI Recommendations, which are: privacy by design, data minimisation, purpose limitation and collection limitation.36 The TRAI Recommendations stress the importance of conducting a hybrid model of audit (which would be a combination of both technology based and human based audit). Under the Bill, audit obligations have been made compulsory for significant data fiduciaries. With regard to cross border flow of data, the Bill has incorporated TRAI’s Recommendation suggesting the need to localise sensitive critical data such as financial data and data related to healthcare.
36 Para 2.57 of TRAI Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector.
However, there is no particular definition of critical sensitive data under the Bill and it is up to the Central Government to notify personal data as sensitive personal data. However, the TRAI Recommendations provide that till the adoption of a general data protection law, the existing rules/license conditions applicable to telecom service providers for protection of users’ privacy be made applicable to all the entities in the digital ecosystem. Hence, it is uncertain whether the TRAI Recommendations offering sector-specific guidelines will be applicable to data fiduciaries operating in the telecom sector along with the provisions of the Bill, or whether the TRAI Recommendations will cease to govern the privacy, security and ownership of data in the telecom sector. This is relevant because certain recommendations, such as encryption standards, are critical to the telecom sector and may not be adequately addressed by the provisions of the Bill, which are more generic in nature.
16. IMPORTANT OBSERVATIONS
Some of the important observations on the Bill are as follows:
16.1 Dilution Of The RTI Act
16.1.1 Issue of accountability
The Personal Data Protection Bill, 2018, drafted by the Srikrishna Committee, identifies “personal data” as any data that directly or indirectly identifies a person. It then calls for amending clause 8.1.j of the Right to Information (RTI) Act, 2005. The clause currently exempts the following from disclosure: “information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Public Information Officer is satisfied that the larger public interest justifies the disclosure. Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.” The Srikrishna Committee suggests amending this clause to authorise public information officers, or PIOs, to deny information containing ‘personal data’, if they feel that such disclosure is likely to cause harm to ‘the data principal’, and if such harm outweighs public interest. The Bill defines ‘data principal’ as whoever the data relates to. This amendment may seem reasonable on first reading, but for the practical experiences of RTI users in the past years. The RTI Act’s core aim is to bring accountability by making available public records that disclose the actions and decisions of specific, identifiable members of the political class and the bureaucracy. The Data Protection Bill extends the cloak of ‘personal data’ over all such information. It asks PIOs (now overwhelmingly appointed at junior levels) to weigh public interest against the potential for harm to those identifiable in public documents. The Bill defines harm expansively to include everything from blackmail and bodily injury to loss of reputation, humiliation and “mental injury”. The Bill ignores that another key aim of the RTI Act is “containing corruption”. By bringing corruption to light, dogged RTI users have served public interest and caused ‘harm’, in terms of the Bill, to those exposed.37
16.1.2 A ‘powerful proviso’
Further, most public records identify one or more persons. For instance, file notings identify bureaucrats making decisions by their posts, or even initials/names; public records, such as contracts awarded or clearances issued, identify specific private actors. Under the proposed amendment, PIOs will be forced to test public interest versus potential harm, which is a responsibility they will be reluctant to take on. When nine judges of the Supreme Court are unable to frame the bounds of privacy, can we expect PIOs to assess which information is private, and then weigh the potential harm to individuals due to disclosure, guided all the while by public interest and the cause of accountability? The amended clause will chill the RTI Act, as PIOs will now have a strong legal ground to play safe, and toss out RTI requests deploying an amended clause 8.1.j. In fact, this is already happening on account of how the Supreme Court has perhaps inadvertently mangled the privacy safeguard provided in the existing Section 8.1.j. The RTI Act currently provides an acid test to help PIOs respond to requests: “Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.” This is a powerful proviso, also retained in the proposed amendment. It implies that PIOs can deny only that information to applicants which they would deny to Parliament or State legislatures.
However, in Girish Deshpande v. Central Information Commission & Ors. (2012), a two judge Bench of the Supreme Court ignored this proviso and prior precedents in order to rule that the assets and details about the performance of a public servant constituted personal information, and were exempt from disclosure. This has set a precedent for subsequent court rulings and for PIOs to indiscriminately expand the ambit of personal information, and reject RTI requests, using clause 8.1.j. Recently, the Union Department of Personnel and Training denied information about the mere number of IAS officers whose annual performance appraisal reports were pending, as of 2017. The PIO cited clause 8.1.j and the 2012 SC ruling
37
Aniket
Aga
&
Chitrangada
Choudhury,Opacity
in
the
name
of
privacy
,(September
29,2018,6:15PM),https://www.thehindu.com/opinion/op-ed/opacity-in-the-name-of-privacy/article25051410.ece
27 | P a g e
as grounds for denial. In essence, the court has implicitly read down the powerful proviso above, prompting PIOs to “profusely abuse” the privacy exemption in the RTI Act, as Central Information Commissioner M. Sridhar Acharyulu has observed. According to Acharyulu, PIOs’ “misuse of 8.1.j is rampant”, and is reducing RTI to “a mockery.” The government should be addressing these alarms raised by the Central Information Commission, the RTI’s apex watchdog. The precedent created by Deshpande and its widespread abuse by PIOs need to be corrected, to reaffirm the fundamental right to information. Instead, the government is embarking on a project to legalise such ‘abuse’, by diluting transparency in the guise of an amendment furthering privacy. 16.2 Ownership Over Data Vs. Rights Over Data The PDP Bill doesn’t recognize an individual as an owner of the data which pertains to her. It considers an individual as a ‘Data Principal’ with certain rights available against a person collecting and processing that data called ‘Data Fiduciary’. The Bill has been criticized for not upholding an individual’s ownership of her data which flows from the understanding that ‘one’s data is an extension of oneself’ and one can choose who to entrust it to. Ownership creates not just rights but a sense of control as well, which empowers an individual. However, a member of the Expert Committee has tried to justify this omission by arguing that if an individual is considered owner of her data, then data is reduced to a ‘property’ which can be traded, bought, sold and in some cases, even forcefully acquired (like acquisition of land by government for development programs).38 There seems to be an effort to create a false dichotomy between owning data and having rights over it. On the contrary, not owning one’s data can seriously hinder practising the rights provided under this Bill. 
It must also be noted that just before the Expert Committee’s report, the Telecom Authority of India came out with its report on the protection of data privacy of telecom subscribers, in which it categorically held that each user owns her data and has primary rights over it. Every person who collects the data is a custodian bound by certain obligations.
38
Maansi Verma,Personal Data Protection Bill: Looking At Loopholes In Sections Of The Bill Pertaining To
Data Ownership, RTI
And More( October 3,2018,4:25 PM) https://www.firstpost.com/tech/news-
analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownershiprti-and-more-2-5197791.html.
And when we take stock of the many provisions in the Bill in which the State is provided with untrammelled powers to collect and process data without consent, it seems that the Expert Committee's argument against ownership of data is born of convenience, because ownership can give more bargaining power to an individual against vested business interests and state excess.39
16.3 Segregation Of Personal Data & Sensitive Data
The draft Bill includes comprehensive definitions of personal data and sensitive data and separates the two. Personal data, as per the Bill, means any data which can directly or indirectly identify a natural person, whereas sensitive personal data is defined by a list which also includes intersex status and religious or political beliefs or affiliations. The Bill doesn't say how the already existing mass volume of data of the data principal (the natural person to whom the data relates) is to be segregated into personal and sensitive data. This is an added burden on data fiduciaries (those who alone or in conjunction with others determine the purpose and means of processing of personal data) and data processors (those who process personal data on behalf of a data fiduciary, not including an employee of the data fiduciary). It is also unclear how such segregation would serve the purpose of privacy or protection from unwarranted surveillance. Sensitive data, for example religious beliefs, biometrics, political affiliations or health data, can also be collected through Google searches or a combination of various other factors.
16.4 Anonymisation
As per the Bill, personal data may be irreversibly processed, converting it into a form in which the data principal cannot be identified. The Act doesn't apply to the processing of anonymised data, and thus the provisions of the Act need not be complied with in the case of anonymised data. Companies dealing with analytics or research, where huge volumes of data are mined, can process and analyze their anonymised data without fear of any repercussions. However, the Bill clearly states that anonymisation has to meet the standards set by the Authority. How far data can remain anonymised where the source data is not deleted is food for thought, as the source data can be used to identify the anonymised data. The Bill doesn't talk about regular audits or reviews to check whether the standards for anonymisation have been met or whether the source still contains the personal data of the data principal.
39 Anuja Nair, Observations/Recommendations On Personal Data Protection Bill, 2018 (October 18, 2018, 2:05 AM), http://www.mondaq.com/india/x/734422/data+protection/ObservationsRecommendations+on+Personal+Data+Protection+Bill+2018.
16.5 Data Deletion
Sec 10 of the Bill states that personal data which is no longer required for the purpose for which it was collected must be deleted in a manner as may be specified, unless such retention is explicitly mandated or necessary under law. Such data, if not deleted regularly, would be at a huge risk of being misused. There is always a high chance that the data is not deleted and is used for purposes for which the data principal hasn't given his consent. The Bill doesn't put a larger emphasis on this vital aspect involved in data protection.40
16.6 Consent
It is specifically stated in the Bill that the data of a data principal cannot be processed without his consent, given no later than at the commencement of the processing. Such consent has to be free, informed, specific, clear and capable of being withdrawn. However, the Bill hasn't specified what needs to be done with data that was previously collected for processing once the data principal wishes to withdraw his consent. Children's data, if collected, has to have parental consent after age verification as per the Bill. However, this has to be looked at, as most social media sites have profiles created by children. The Bill is also silent about any retrospective action in such cases.
16.7 Data Auditors
The Bill gives data fiduciaries the freedom to have their own policies and to conduct their own audits for compliance. The data auditor will evaluate the compliance. But, at the same time, the Bill also lays down that where the Authority is of the view that data processing is carried out by any data fiduciary in a way that could cause harm to the data principal, an order can be passed to conduct an audit by appointing an Auditor. As the new data privacy and protection regime plays out, timely planning/action will help organizations continue their business as usual and enhance their business reputation (NASSCOM). How mandatory the auditing process is, under what conditions companies need to get it done suo moto, its periodicity, and what would be checked or evaluated as part of the auditing process are not clearly laid out; we hope the final Act will lay them out.
40 Maansi Verma, Personal Data Protection Bill: Looking At Loopholes In Sections Of The Bill Pertaining To Data Ownership, RTI And More (October 3, 2018, 4:25 PM), https://www.firstpost.com/tech/news-analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownership-rti-and-more-2-5197791.html.
16.8 Collection limitation and Purpose limitation
The data collected should be limited as per the requirement and used only for the purpose for which it was required. The data fiduciary is under an obligation as per the Bill to state the purposes for which the data is being collected. However, this is never the case in practice. Even if companies do mention the purpose, it is stated at a very high level and can include multiple actions, some of which may be allowed by the data principal and others not. Therefore, it should be mandated that the data fiduciary has to state the specific purpose for which the data would be used. Although the Bill talks about periodic review of the data, it is silent about the usage of data that would be considered redundant.
16.9 Security Safeguards
The data fiduciary and the data processor shall have to implement security safeguards such as encryption, de-identification, or other steps to protect the personal data they are processing. End-to-end encryption, in which the data is encoded with a key at the source, is one of the strong ways for companies to avoid data breaches and manage risk. The data, once transferred to the destination, can be decoded only with the correct decryption key. De-identification, which is stated as another security safeguard, may not be as effective as encryption. WhatsApp, one of the widely used social applications, now claims end-to-end encryption, which means no one in between can read the messages when they are transferred to the person we are communicating with, not even WhatsApp.
16.10 Data Localizing/Mirroring
As per the Bill, personal data to which the Act applies also has to be stored on a server or data centre in India. An obligation has been laid down on the Central Government to notify certain categories of data as critical personal data, which can only be processed and stored in a server or data centre in India. Thus, there is still confusion as to which categories of data would fall under this clause. If the location of a data principal is considered to be critical personal data, then companies like Uber and Ola would probably not be able to operate in India, or the data would have to stay only on their servers or data centres in India.41 Data mirroring is an added responsibility and would lead to extra expense and a doubling of the volume of data to be stored by the data fiduciaries. Data stored on servers or data centres in India, as well as in places outside, would have to be regularly backed up on tapes to ensure its safety and storage in India. The Report of the Committee tries to provide its reasons as to why at least one serving copy has to be stored in India. This is at variance with the global character of digitalization and connecting globally through technology. One reason that attracts attention is that data mirroring is said to be required for the development of artificial intelligence (AI), which again would raise wide concerns over data privacy.
16.11 Government bodies exempted
The Bill seems to be in favor of the State and the Central Government. Wide exceptions are given to them in terms of data collection, storage and processing. Though the Bill holds the Government accountable too, as one of the biggest stakeholders, the vast exemptions free it from liability at the same time. The Bill lays down that the Government can process any personal data for any functions of the Government and can notify certain categories of personal data for which no data mirroring is required, purely on the grounds of necessity and strategic interests of the State.
16.12 Accountability
The Bill, as per Sec. 11, holds only the data fiduciary accountable for complying with all its obligations and for being able to demonstrate that all of its data processing is in accordance with the Bill, whereas not much accountability has been put on the data processors, who would be equally or more involved in handling the mass volume of data of the data principal.
41 Maansi Verma, Personal Data Protection Bill: Looking At Loopholes In Sections Of The Bill Pertaining To Data Ownership, RTI And More (October 3, 2018, 4:25 PM), https://www.firstpost.com/tech/news-analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownership-rti-and-more-2-5197791.html.
17. SUGGESTIONS
i) Collection of data should be limited to such data that is strictly necessary for the specific purpose of processing, and not just mere “purpose” (Section 6).
ii) In Section 8, where data is not collected from the data principal, instead of a ‘reasonably practicable’ time period for giving notice, a time frame should be provided – 3 months perhaps.
iii) Section 12(1) should be improved such that consent is taken prior to processing of information.
iv) Any exception to consent needs to be narrowly tailored. The carve-out under 14(a) is broad and should list existing laws and also indicate that any future legislation should make a specific reference to the existing statute.
v) Under Section 17, the Authority is provided over-broad powers of determining “reasonable purposes” as grounds for processing of personal data. Consent of the data principal is not required to be taken where the purpose of processing falls within such reasonable purposes. Provision of such wide powers to the Authority is unnecessary, and may lead to unjustified, opaque and potentially illegal processing of information, which goes against the right to privacy of an individual. This section and the accompanying powers must be deleted.
vi) The right to correction (Section 25) is currently unclear and not strong enough for protecting the interests of data principals. The prefatory language of “where necessary, having regard to the purposes for which the personal data is being processed” should be omitted. An express and limited ground for rejection of a request for correction by the data fiduciary should instead be added, for when it proves impossible or if it involves disproportionate effort.
The exceptions on the applicability of a right to data portability to personal data processed [Section 26(2)]. There must not be any blanket exception to the right to 33 | P a g e
data portability applying to personal data processed under the “functions of the State ground”. The burden to demonstrate that the portability would reveal a trade secret or would be technically infeasible must be on the data fiduciary. viii)
The exercise of the rights granted under the Draft Bill may be limited by the data fiduciary, wherein a data fiduciary may refuse the data principal, in cases where the exercise of the right would harm the right of any other data principal (Section 28). This criteria for rejection is over-broad and liable to misuse. Limitations to rights of users should be narrow and specific with clear avenues for redress.
ix)
Under section 41, the Authority is provided the power to approve a particular transfer or set of transfers as permissible due to a “situation of necessity”. The use of such words brings in ambiguity and render such provisions to misuse, which may result in the rights of users being violated.There is no guidance provided regarding such situations of necessity. Such situations of necessity must be based on narrow, and specific standards which must be explicitly mentioned under the Act.
x)
The Draft Bill troublingly seeks to establish a data localisation / mirroring regime in India. Section 40 of the Draft Bill makes it mandatory for every data fiduciary to store one serving copy of every personal data on a server or data centre located in India. This section dilutes India’s connection to the global internet and betrays a governmental interest in desiring more control over the data of Indian citizens. The report submitted by the expert committee enlists enforcement and access as the primary motives behind this requirement. However, data localisation is not - and should not - be a prerequisite for enforcement of data protection rules. What is more, such a requirement may facilitate third party abuses of personal data and infringe on users’ right to privacy as actors would know where data is located.
xi)
Amendments which seek to dilute the RTI Act must not be made .
34 | P a g e
18. CONCLUSION
The Draft Bill, in its current state, has many hits and misses. It is important to pay attention to the deeper details involved in many of these issues, in order to ensure that Parliament considers and passes a strong, effective privacy and data protection law aimed at protecting Indian citizens. In my analysis, I found that the provisions of the Draft Bill defining the scope of application of the law, along with data security measures proposed for entities, seem to be strong. While multiple important rights entitled to the users have been codified under the Draft Bill, many gaps persist under the proposed regime. Rights such as the right to access and rectify data have been diluted and must be strengthened, and certain key rights such as the right to object and the right to explanation are not provided under the Draft Bill. The steps taken toward data integrity and data protection impact assessment are encouraging and so are the provisions aimed at ensuring proper consent and standards thereof. However, the provisions on obtaining prior explicit consent have been diluted by the over-broad criteria of “exercise of functions of the state”. I found the proposals for data localisation quite concerning, especially given such measures serve a surveillance and law enforcement purpose, at the cost of privacy and protecting user data. In the absence of adequate regulation of governmental access to citizen data in India, these data localisation measures may make user data in India liable to indiscriminate access by the government. And that there is a severe need for reforming the surveillance regime in India is a fact noted by the expert committee itself in its report. However, despite this acknowledgement, neither the Draft Bill nor the report contains legislative language to reform and tighten Indian surveillance and investigatory powers.
This is exacerbated by the several exemptions currently proposed by the Srikrishna Committee to be provided to government departments and other public agencies from data protection requirements in the name of “security of state” and “exercise of state functions”. This approach undermines confidence in the Indian government’s publicly stated resolve to truly protect the rights of its citizens and signals a surveillance creep in the data protection regime in India.
19. BIBLIOGRAPHY
Articles Referred
i) Amba Kak, The Emergence of the Personal Data Protection Bill, 2018, 53 EPW 12, 16 (2018)
ii) Nirvaan Gupta, Data Protection In India (available at http://www.mondaq.com/article.asp?article_id=744160&signup=true)
iii) Anuja Nair, Observations/Recommendations On Personal Data Protection Bill, 2018 (available at http://www.mondaq.com/india/x/734422/data+protection/ObservationsRecommendations+on+Personal+Data+Protection+Bill+2018)
iv) Aniket Aga & Chitrangada Choudhury, Opacity in the name of privacy (available at https://www.thehindu.com/opinion/op-ed/opacity-in-the-name-ofprivacy/article25051410.ece)
v) Maansi Verma, Personal Data Protection Bill: Looking At Loopholes In Sections Of The Bill Pertaining To Data Ownership, RTI And More (available at https://www.firstpost.com/tech/news-analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownership-rti-and-more-2-5197791.html)
vi) Amber Sinha, Draft Privacy Bill and its Loopholes (available at https://www.livemint.com/Opinion/zY8NPWoWWZw8AfI5JQhjmL/Draftprivacy-bill-and-its-loopholes.html)
vii) Krishnadas Rajagopal, Drafting a Data Protection Bill (available at https://www.thehindu.com/opinion/op-ed/drafting-a-data-protectionbill/article24584467.ece)
Websites referred
i) www.scconline.com
ii) www.manupatra.com
iii) www.jstor.com
iv) http://lawmin.nic.in
v) http://meity.gov.in/