The Personal Data Protection Bill 2018: An Answer To India’s Data Protection Issues?
The need for a comprehensive data protection regime has been finally recognized by the Government of India and the Bill has been able to capture most of the concerns and discussions around data privacy and data protection in India
“The right of privacy is a fundamental right. It is a right which protects the inner sphere of the individual from interference from both State, and non-State actors and allows the individuals to make autonomous life choices.” -Justice Sanjay Kishan Kaul
India’s approach to privacy and data protection related issues has undergone a sea change in the past few years with the advent of rapid digitisation of the economic infrastructure. Data has now been recognized as a critical asset that is playing a fundamental role in the advancement of the Indian economy. Protection of personal data has been recognized to be instrumental for empowerment, progress and innovation.
India, till date, lacks a dedicated data protection law that addresses its concerns as a burgeoning data-based economy. The protection to data provided under the present Indian laws such as the Information Technology Act 2000 (“IT Act”) and the rules framed thereunder, the Indian Penal Code 1860 and other sectoral regulations is insufficient. With the Supreme Court upholding “right to privacy” as a fundamental right under the Constitution of India in KS Puttaswamy v Union of India, the need to address the shortcomings of the present data protection regime and to formulate an omnibus data protection law came to the forefront. The Government of India appointed a committee of experts under the chairmanship of Justice BN Srikrishna (“Expert Committee”) and entrusted it with the task of identifying the lapses in the present-day Indian data protection laws and drafting a new comprehensive data protection law for India.
The Draft Personal Data Protection Bill 2018: Concepts and Issues
On 27 July 2018, the Expert Committee published its report along with the draft Personal Data Protection Bill 2018 (“Bill”). The Bill, for the first time, sought to provide an overarching data protection legislation that introduced concepts such as purpose limitation, collection limitation, data storage limitation, privacy by design, transparency, security safeguards, centralized Data Protection Authority of India, etc. Further, the Bill has attempted to define certain critical terms such as “personal data” and has expanded the scope of the definition of “sensitive personal data or information” to include personal data such as “official identifier” (e.g. Aadhaar number, PAN), “caste or tribe”, “transgender status”, “religious or political belief or affiliation” etc.
The protections offered under Section 43-A of the IT Act to sensitive personal data are available to an individual only when a “body corporate” is negligent in implementing and maintaining reasonable security practices and procedures, thus leaving negligence in relation to sensitive personal data by an individual and the State outside its scope. The Bill, on the other hand, has expanded the scope of protection rendered to sensitive personal data and has attempted to hold individuals as well as the State accountable for complying with the provisions thereunder. However, the Bill also provides various exemptions to the State that allow it the leeway to bypass the need to follow the requirements under the Bill. While the Bill provides for explicit “consent” as a ground for processing sensitive personal data, it allows passwords, financial data, health data, official identifiers, genetic data and biometric data to be processed without consent if necessary, inter alia, to undertake any measure to ensure safety of any individual during any breakdown of public order.
The Bill has recognized the need to provide special protection to the personal data of children below the age of 18 years in a manner “that protects and advances the rights and best interests of the child”. However, though it mandates that “appropriate mechanisms” should be implemented for age verification and parental consent, it has not prescribed any quantifiable threshold for defining such “appropriate mechanisms”. Further, while “consent” which is free, informed, specific, clear and capable of being withdrawn has been recognized as a ground for processing personal data, the manner of obtaining such specific consent has not been elucidated upon in the Bill. The Bill recognises the need for having a reporting mechanism for breach of personal data but has not prescribed a comprehensive mechanism for reporting such breach.
One of the most debated issues with the Bill is the introduction of data localisation requirements. Such a requirement may prove to be counter-productive for entities such as those relying on cloud-based technologies to sustain their businesses. Further, while the Bill has identified the need for deterrent penalties and has prescribed fines of up to Rs 15 crores or 4% of the total worldwide turnover of the entity for breach of certain provisions of the Bill, the calculation of such worldwide-turnover-based penalties for functionaries of State may pose practical challenges.
The Bill: A page out of the European Union’s General Data Protection Regulation?
The European Union’s General Data Protection Regulation (“EU GDPR”) has been extensively referred to and discussed by the Expert Committee in its white paper. While concepts from the EU GDPR such as “privacy by design”, “right to be forgotten”, “extra-territorial applicability” etc., have been reflected in the Bill, the Bill has been drafted in a manner such that these concepts are moulded to fit Indian data protection requirements. Akin to EU GDPR, the Bill has subjected sensitive personal data to greater protection. While the concept of “data fiduciary” in the Bill is similar to EU GDPR’s data controller concept, the use of the term “fiduciary” instead of “controller” is intentional as the Bill intends to impose fiduciary responsibility on “any person” handling personal data.
As under the EU GDPR, the Bill also has extra-territorial applicability and would apply to the processing of personal data by data fiduciaries/processors outside India if the data processing occurs in connection with (i) any business carried on in India; (ii) any systematic activity of offering of goods and services to data principals within the territory of India; or (iii) the profiling of data principals within the territory of India. Further, while the Bill recognizes the “right to be forgotten” of a data principal, unlike the EU GDPR, it does not entitle the data principal to seek right to deletion of personal data but only provides for a limited right to restrict or prevent “continuing disclosure” of personal data subject to fulfilment of certain criteria. Similar to EU GDPR, the Bill prescribes hefty penalties for violation of its provisions based on the total worldwide turnover of the entity of the previous financial year.
While the Bill has been drafted along the lines of EU GDPR, the two are not identical. The Bill has taken cognizance of India’s unique data protection requirements and has attempted to address the same.
Data Protection in India: The way ahead
The need for a comprehensive data protection regime has been finally recognized by the Government of India and the Bill has been able to capture most of the concerns and discussions around data privacy and data protection in India. Further, through the Bill, the Expert Committee has attempted to plug the loopholes of the existing data protection regime in India and formulate a data protection law that will cater to the dynamic needs of the digitized Indian society. While efforts for formulating the Bill have to be lauded, it must be noted that the Bill has to be refined further to clarify certain provisions, remove wide discretionary powers of the State and specify “appropriate mechanisms” for obtaining consent. With data being one of the core assets of the digitised economy, the Bill has to be fine-tuned to maintain the delicate balance between an individual’s right to privacy and the ease of doing business in India. Last, but not the least, the success of the new law will depend on its effective implementation.
Disclaimer: The views expressed in the article above are those of the authors and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.