Aug 03, 2018

The Personal Data Protection Bill, 2018

Background

In July 2017, the Government of India constituted a committee of experts under the chairmanship of former Justice B. N. Srikrishna (‘Committee’) to: (a) study various issues relating to data protection in India; (b) make suggestions on the principles for data protection in India; and (c) suggest a draft data protection bill.

The Committee invited public comments on the proposed data protection framework. Based on the feedback received, the Committee published a report on July 27, 2018 titled ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’. The Committee also submitted a draft bill titled ‘Personal Data Protection Bill, 2018’ (‘Bill’) to the Government of India.

The Bill, once enacted, is intended to replace the existing data protection framework as contained under Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (‘SPDI Rules’) framed thereunder.

 

Key Highlights of the Bill

1.           Fiduciary Relationship: The Bill introduces a unique concept of a fiduciary relationship between data subjects (natural persons to whom the personal data relates) and data controllers (persons who determine the purpose and means of processing of personal data) and classifies them as ‘data principals’ and ‘data fiduciaries’ respectively.

2.           Jurisdiction and Applicability: The Bill applies to the processing of personal data:

(a)         where such data has been collected, disclosed, shared or processed within India;

(b)         by the State (which has been given the meaning ascribed to this term under Article 12 of the Constitution of India), any Indian citizens, any Indian company, or any person or body or persons incorporated or created under Indian law; and

(c)         by data fiduciaries located outside India in connection with:

i.        any business carried out in India; or

ii.        any systematic activity of offering goods or services to data principals in India; or

iii.        any activity that involves profiling of data principals in India.

3.           Extends to public entities: The Bill covers processing of personal data by both public as well as private entities. This is a significant departure from the SPDI Rules, which do not contemplate processing of sensitive personal data or information by the State.

4.           Enlarged scope of Sensitive Personal Data: The terms “Sensitive Personal Data or Information” under the SDPI Rules include password, financial data, health data, sexual orientation, medical data and biometric data. The definition of ‘sensitive personal data’ (‘SPD’) under the Bill has been expanded to include Government issued identifiers (which includes Aadhaar number), sex life, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, etc.

5.           Differential Consent Requirements: The Bill proposes a differential approach to processing of personal data as compared to processing of SPD. For the processing of personal data, the consent of the data principal needs to be free, informed, specific, clear and capable of being withdrawn. However, for the processing of SPD, explicit consent of the data principal is required.

6.           Data Protection Principles: Some of the key data protection principles envisioned under the Bill include:

(a)         Fair and reasonable processing: The Bill seeks to recognize duty owed by persons processing personal data to the data principal for processing their data in a fair and reasonable manner that respects the privacy of such data principal;

(b)         Purpose limitation: The Bill expressly recognizes the purpose limitation principle, i.e. personal data should be processed only for the purpose specified by the data fiduciary or for any other incidental purpose reasonably expected by the data principal to be connected to such specified purpose; and

(c)         Storage limitation: The Bill requires the data fiduciary to retain personal data of the data principal only as long as may be necessary to satisfy the purpose for which it is processed. Such fiduciaries are proposed to also conduct periodic reviews to determine whether retention of personal data is necessary or not.

7.           Data Principal Rights: The Bill expressly recognises certain rights of data principals, such as:

(a)         Right to confirmation, which includes the right to receive from the data fiduciary a brief summary of the personal data being processed;

(b)         Right to correction, completion and updation of personal data;

(c)         Right to receive own personal data, which the data fiduciary has: (i) received directly from such data principal, or (ii) generated while providing goods or services, or (iii) obtained from any third party;

(d)         Right of portability of personal data from one data fiduciary to another;

(e)         Right to be forgotten (i.e. prevention of continued disclosure of personal data of the data principal), which right may be exercised by filing an application with the concerned officer within the DPA (as defined below); and

(f)          Right to receive compensation in case of breach of obligations by the data fiduciary.

8.           Cross-Border Data Transfer: The SPDI Rules allow free transferability of personal data including SPD subject to the consent of the data principal being obtained regarding such transfer and the transferee maintaining the same level of protection as maintained by the transferor. However, the Bill proposes certain incremental requirements for cross-border transfer of personal data including SPD, such as:

(a)         Such transfer being made in accordance with model contract clauses or intra group schemes approved by the DPA (defined below);

(b)         A copy of such personal data being stored by the data fiduciary on a server or data centre located in India; and

(c)         ‘Critical personal data’ (which would be a sub-category of personal data, as may be notified by the Government of India) being processed only in a server or data centre located in India.

9.           Data Protection Authority of India: The Bill contemplates the establishment of a Data Protection Authority (‘DPA’) which would be responsible for, inter alia, the enforcement and effective implementation of the data protection law, taking action in response to a data security breach, monitoring cross-border transfer of personal data, etc.

10.        Privacy by Design & Security Safeguards: The Bill requires the data fiduciary to implement policies & measures to ensure that the technology used in processing personal data is in accordance with commercially accepted or certified standards. They are also required to implement managerial, organizational, business practices & technical systems to anticipate, identify & avoid harm to the data principal. Both, the data fiduciary & the data processor are also required to implement appropriate security standards having regard to the nature of the personal data being processed, including the severity of harm that may result from such processing.

11.        Notification of Data Breach Incidents: The Bill also proposes to impose an obligation on data fiduciaries to notify the DPA of personal data breach, where such breach is likely to cause harm to any data principal. The DPA may then determine whether such breach should be reported to the data principal, taking into account the severity of the harm that may be caused to such data principal.

12.        Significant Data Fiduciaries: The Bill empowers the DPA to categorise data fiduciaries as ‘significant data fiduciaries’, based on inter alia the volume and sensitivity of personal data processed by and turnover of such data fiduciaries. Such significant data fiduciaries would be required to register themselves with the DPA in order to process personal data. Some of the key obligations of significant data fiduciaries include:

(a)         Data audits: The obligation to undergo annual data audit by independent auditors in respect of processing of personal data;

(b)         Data protection officer (‘DPO’): The requirement to appoint a DPO (including in case of offshore significant data fiduciaries who would need to appoint a DPO who is based in India); and

(c)         Data protection impact assessment (‘DPIA’): Significant data fiduciaries using new technologies of processing data at a large scale would be required to perform DPIA before commencement of data processing.

13.        Processing of Personal Data of Children: For data principals below the age of 18 years, the Bill introduces special provisions requiring data fiduciaries to incorporate appropriate mechanisms for age verification and parental consents. Data fiduciaries who provide services directed at children or who process large volumes of personal data of children may be notified by the DPA as guardian data fiduciaries. Such fiduciaries would be, inter alia, barred from profiling, behavioural monitoring and targeted advertising directed at children.

14.        Penalties & Offences: Depending upon the nature of contravention by data fiduciaries (such as violation of provisions governing processing of personal data, SPD, personal data of children, etc.), the Bill proposes penalties up to INR 150 million (approx. USD 2.1 million) or 4% of the total worldwide turnover of the preceding financial year of the data fiduciary, whichever is higher. The Bill also proposes imprisonment and/or fine on persons who intentionally, knowingly or recklessly obtain, disclose, transfer or sell personal data or SPD.

 

Concluding Remarks

The Bill, which has been submitted by the Committee, is currently under consideration by the Ministry of Electronics and Information Technology and other relevant Government stakeholders, before it gets tabled with the Houses of the Parliament.

Further, specific sectoral laws and guidelines would need to be aligned with the data protection laws, such that the data protection law sets the baseline for processing of personal data and any sector specific law will be able to cover specific concerns over and above these requirements. In case of conflict, it is proposed that the data protection law will prevail.

Until the Bill is finally passed by the Parliament, receives Presidential assent and is notified in accordance with the provisions thereof, the present regulatory framework under the Information Technology Act, 2000 and the SDPI Rules will continue to govern the collection, storage and processing of personal data and SPD or information.

TAGS

SHARE

DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.