The PDP Bill, 2019 – Upcoming expectations for Biz India

Update: 2021-02-23 08:00 GMT

The PDP Bill prescribes a tiered, obligation-based framework for data protection in which personal information is categorized into three tiers, i.e. normal, sensitive, and critical, each carrying different obligations for a data fiduciary.

India is abuzz with discussions surrounding the issue of privacy. Every recent development in the tech world is being scrutinized through the lens of privacy. This saga started with the introduction of the Aadhaar card, which was a government initiative, and has now found its way to actions taken by large multinational companies like Facebook.


The requirement for legislation that protects the informational privacy of an individual was also noted by the Hon'ble Supreme Court of India in the Puttaswamy decision, which recognized an individual's right to privacy. As a consequence, the Srikrishna Committee proposed the draft Personal Data Protection Bill. The revised draft of the bill was tabled before the Parliament in December 2019 and has since been referred to a Joint Parliamentary Committee (JPC) for deliberations. It is reported that the Joint Parliamentary Committee has completed its review of the draft Personal Data Protection Bill, 2019. Thus, this is an opportune time to recap the basic architecture of regulation proposed by the Bills and highlight the issues to check if the JPC has taken cognizance of the same.

The PDP Bill is the first cross-sectoral legal framework of India. Compliances prescribed under the Bill shall apply to all entities seeking to collect and process personal data. The PDP Bill prescribes a tiered, obligation-based framework for data protection. Personal information is categorized into three tiers, i.e. normal, sensitive, and critical, each carrying different obligations for a data fiduciary. Further, anyone handling information could also be subject to a higher compliance threshold if categorized as a Significant Data Fiduciary. While the basic framework of the PDP Bill is borrowed from the GDPR, there are still many ingenious additions, some of which may create challenges for the smooth implementation of prescribed measures.

The definition of personal data under the PDP Bill is wide. It extends to include any inferences drawn from personal information for the purposes of profiling. This over-extension of the definition of personal data creates multiple issues, including management of the privacy by design framework, notice conditions relating to purpose limitation, dilution of IPR, and management of data principal rights such as the right to portability. The manner of making inferences is usually governed by proprietary methods devised by each data fiduciary, and the result is derivative, worked-upon data. Granting any data principal control over such proprietary data could also slow investment and innovation.

Personal data which is categorized as sensitive or critical is also subject to restrictions on cross-border movement. It has been highlighted in various representations to the JPC that the categorizations for sensitive personal data are themselves broadly worded. This could lead to restrictions on cross-border sharing and processing of data which could even remotely contain such elements. This shall restrict the free flow of data which is necessary for the provision of services and the continuation of various digital platforms. It has been suggested to the JPC that categories of sensitive data be made specific for coherence, and that powers not be vested with the Data Protection Authority to notify newer categories. This shall give data fiduciaries the clarity to design their data flows in compliance with the obligations under the PDP Bill. Any opportunity to frequently change the categorizations of sensitive personal data shall require data fiduciaries to repeatedly re-examine their data flows for compliance. This is a cost-intensive exercise for any data fiduciary. Further, critical personal data should be defined in the legislation itself. Powers of delegation to a regulator without prescription of thresholds could create unwarranted difficulties for any data fiduciary.

It is also pertinent to note at this juncture that India is a favourable destination for various backend and business processing services. The PDP Bill currently seeks to bring data of persons collected and located outside India also under its purview until it is specifically exempted for each entity by the regulator. Casting such a wide net over all personal data which finds its way to India shall create red-tape issues for a flourishing services sector and could create an investment-averse environment.

Most importantly, certain provisions of the PDP Bill seek to regulate non-personal data held by a data fiduciary. The regulation of non-personal data cannot be the legitimate aim of a legislation designed for protection of personal data. This fact has also been noted by the Committee of Experts set up by MEITY to look into the regulation of non-personal data.

Most importantly, the legislation should also provide timelines for implementation and enforcement of the regulations, to give data fiduciaries and processors the visibility to re-work their data flows in accordance with law.

It is hoped that the draft to be released by the JPC in the budget session covers these preliminary issues to assuage the confusion that is likely to be faced in the implementation of the legislation.
