The Personal Data Protection Bill 2019: A Step in the Right Direction or a Wrong Start

The numerous critical issues left ambiguous greatly influence the architecture of processing and storage systems, especially on database levels, where most certainly there will be a large volume of work on identifying all types of different data...

On 11th December 2019, the Minister of Electronics and Information Technology, Ravi Shankar Prasad introduced the Personal Data Protection Bill, 2019 (hereinafter "Bill") in the Parliament. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same. Mr. Prasad announced that the Bill shall be examined by a Joint Parliamentary Committee for review, but it's unclear when that will happen.

Background

In 2012, a committee headed by Justice A P Shah had submitted a Report by Group of Experts on privacy, which proposed a conceptual framework for a privacy statute in India and how Indian Privacy law should take shape. This

was followed by a consultation paper on Privacy, Security and ownership of Data in the Telecom sector published by the Telecom Regulatory Authority of India (TRAI) on 9^th August 2017. This was another endeavor to effectively enforce the "fundamental right to privacy" recognized by the Supreme Court of India in the Justice K.S. Puttaswamy judgment earlier in 2017.

Subsequently, the Ministry of Electronics and Information Technology, vide its Notification No.3 (6)J2017-CLES (hereinafter referred to as "Notification") had constituted a "Committee of Experts" under the Chairmanship of former Supreme Court Justice 'Shri B N Srikrishna' on issues relating to data protection in India and drafting a bill on data protection.

The Committee of Experts under the Chairmanship of Justice B N Srikrishna on 27th of July 2018, submitted its Report to the Ministry of Electronics and Information Technology titled "A Free and Fair Digital Economy-Protecting Privacy, Empowering Indians", making recommendations on principles underlying data protection, identifying key data protection issues and recommending methods of addressing them. The Committee of Experts also submitted a draft Bill titled "The Personal Data Protection Bill, 2018".

Highlights of the Bill

The Bill is based on the concept of consent, purpose limitation, limited storage capabilities and minimization of data. It lays down obligations on the data fiduciary to only collect data which is required for that specific purpose, after obtaining express consent of the data principal. The Bill also confers rights on the data principal to obtain their personal data, correct, update and erase their data. The Bill further confers the right to port the data to other fiduciaries and restrict/prevent disclosure of personal data. Another important feature of the Bill is that an individual has a 'right of grievance' against the data fiduciary and can approach the Data Protection Authority of India, to be established under this Bill.

The Data Protection Authority of India (hereinafter "Authority") will consist of a Chairperson and up to six wholetime members to be appointed by the Central Government. The Bill also allows for the establishment of an Appellate Tribunal to dispose of any appeal from the Authority.

The Bill also has a provision for social media intermediary whose actions have a significant impact on electoral democracy, security of the state, public order, or the sovereignty and integrity of India and it empowers the Central Government to notify the intermediary as a significant data fiduciary. The Bill also has penal provisions for contraventions in the manner of personal data breach and failure to protect the data. Lastly, the Bill empowers the Authority to set up a 'code of practice' to promote good practices of data protection and facilitate compliance with the obligations under this legislation.

Referral to Standing Committee

Ravi Shankar Prasad, Minister in charge of MeitY referred the Personal Data Protection Bill, 2019 to a Joint Committee of the House comprising twenty members of the Lok Sabha and ten Members of the Rajya Sabha. The Joint Committee will submit its report to the House on the first date of the last week of the Budget Session, 2020.

Issues of Concern and Ambiguities

In its statement of objects and reasons, one of the salient features of the bill is that it provides for the Central government in consultation with the Data Protection Authority to notify a "social media intermediary" "whose actions have significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India" as a significant data fiduciary. This is a new aspect that has been added and will have significant regulatory implications on such entities as all provisions and obligations applicable to a "significant data fiduciary" shall now be applicable to entities like Facebook, Twitter or WhatsApp, should the Indian government decide to designate them as such.

The Bill creates a need for the data fiduciary to obtain certification of privacy by design policy from the Data Protection Authority; such provisions lead to unnecessary compliance burden on companies and hinder 'ease of doing business' which is much needed to boost the IT sector in the present economic climate.

Under the current draft, Section 92 lays down that no data fiduciary shall process such biometric data as may be notified by the Central Government, unless such processing is permitted by law. There appears to be some ambiguity with regard to the said provision of the draft of the Personal Data Protection Bill; it places a Bar on processing certain forms of biometric data, however, the provision lacks clarity on which type of biometric day cannot be processed and what can be processed as the Bill leaves it ambiguous and dependent on Notification by the Central Govt.

It could lead to regulatory confusion and complicate things for companies that are involved in dealing with biometric data or are manufacturing devices that are dependent on processing of biometrics like phones, voice recognition/operated devices and appliances, IoT technology based and also adversely impact the fintech and banking industry that uses biometric as a means of customer authentication. However, the provision permits processing of all biometric data that is specifically permitted by law such as the Aadhaar Act.

Hence, there are numerous crucial aspects of the actual working and implementation of the Legislation that have been left ambiguous and are to be decided by the Data Protection Authority, which will be established once the Bill is passed. As such under the current scheme, the enforcement of law will be mandated to the authority, which anyway would have a huge burden of drafting and implementing secondary legislation to set common ground rules for all data fiduciaries. As on date, there are still numerous crucial aspects that have been left undefined and unclarified, such as:

- Categories of critical personal data

- Standards regarding commercially accepted or certified standards

- Standards regarding privacy by design policy

- Guidelines regarding auditing

- Guidelines regarding data breach disclosure to the authority

Besides, as per the current draft of the Bill, there is no official timetable or any timeline regarding the setup and start of operations of the Authority. Even if the Bill passes, going by the existing standards, it can be safely concluded that it will be another one year until the required secondary legislation is drafted and enforced.

Some other questions that arise regarding storage and processing of personal data are:

1. What happens if a data principal will not give explicit consent for a data transfer outside India? What happens if the data principal is of foreign nationality?

2. If a company is operating on critical personal data of a data principal of other nationalities than Indian, how will the Government of India restrict processing and storage on Indian territory?

3. If an Indian company (say, a call centre) is processing exclusively European personal data, subject to GDPR compliance and such processing and the storage of personal data is performed through an European infrastructure; will these operations fall under the current Indian Bill?

In conclusion, it can be said that while we may perceive the present legislative endeavor of the Government as light finally at the end of a dark tunnel of regulatory flux concerning data protection and privacy in India, however, the numerous critical issues left ambiguous greatly influence the architecture of processing and storage systems, especially on database levels, where most certainly there will be a large volume of work on identifying all types of different data. It may be too little coming too late as anyway, already the Government has taken so much time to introduce this Bill that it has lost the initiative and technological developments have already changed the techno-legal landscape. And in a sense we can already see the early signs of acknowledgment of this fact with the Government announcing the constitution of a separate Committee of Experts Non-Personal Data (Community Data) under the Chairmanship of Shri Kris Gopalakrishna, to deliberate on a Data Governance Framework. By the time companies figure out ways to reconfigure systems to be compliant with the PDP law and the subsequent regulations published by the Data Protection Authority, we may already have a new legislation in place dealing with non personal data, which may be much wider in its applicability and scope and require a whole new set of regulations to be complied with.

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.