Data Protection Regulations in India Recent Policy Initiatives by Govt. Growing into A Disparate Jungle of Conflicting Rules
Data Protection Regulations in India Recent Policy Initiatives by Govt. Growing into A Disparate Jungle of Conflicting Rules
One year since the Indian Government introduced the Personal Data Protection Bill, 2019 with an object to provide for protection of personal data of individuals and establish a Data Protection Authority to implement the same, the Indian rules surrounding data protection are still a legal quagmire
The Indian Government introduced the Personal Data Protection Bill, 2019 (hereinafter "Bill") in Parliament on 11 December 2019 but it's unclear by when the new law would be enacted and in what form, with numerous terms and concepts still undefined and new sectoral policies/draft regulations have been introduced to further complicate matters.
THE PERSONAL DATA PROTECTION BILL, 2019 (PDP BILL)
In an endeavor to effectively enforce the "fundamental right to privacy" recognized by the Supreme Court of India in the Justice K.S. Puttaswamy judgment1, in July 2017, the Ministry of Electronics and Information Technology ("MeitY") vide its Notification No.3 (6) J2017-CLES (hereinafter referred to as "Notification") constituted a "Committee of Experts" under the Chairmanship of former Supreme Court Justice 'Shri B N Srikrishna' on issues relating to data protection in India and to draft a bill on data protection.
The bill drafted by this Committee had been tabled in Parliament last December as the Personal Data Protection Bill, 2019 ("PDP Bill") but is yet to be enacted into a law. The PDP Bill proposes to put in place for the first time in India, a legal framework to provide for data autonomy, regulate the flow of data, to establish the right of the data providers, establishment of a framework for the processing of data, establishment of data protection authority, and to provide remedies and penalties for the violation or unauthorized processing or use of data. The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is data which pertains to the characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorizes certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
A data fiduciary is an entity or individual that decides the means and purpose of processing personal data. Such processing shall be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Besides, as per the PDP Bill, all data fiduciaries must comply with certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also, when processing sensitive personal data of children, institute mechanisms for age verification and parental consent.
The PDP Bill defines data fiduciaries to include intermediaries which enable online interactions and facilitate sharing of information. Intermediaries having users beyond the notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
The PDP Bill provides for setting up of a Data Protection Authority ("the Authority") which may: (i) take steps to protect the interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. The Authority will consist of a chairperson and six members, with at least 10 years' expertise in the field of data protection and information technology. The orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
The PDP Bill allows that Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
While it is evident that the PDP Bill aims to introduce significant changes to the current generic data protection regime in India and also ensure that the data fiduciaries are also complying with global best practices on personal data, this would involve Indian companies that collect, process and generally deal with personal data to decide on the treatment of their legacy data, reassess the nature and quantum of personal data collected, stored and processed, and re-evaluate existing practices around consent and notice. Hence on the one hand, while some provisions and requirements laid down under the proposed legislation may prove business-friendly by providing for increased certainty, on the other hand, other requirements such as that of sharing anonymized and non-personal data with the Government, obligations relating to social media verification, etc. could be a cause for much concern and lead to implementation issues due to the existing ambiguities.
NON-PERSONAL DATA GOVERNANCE FRAMEWORK
On the other hand, in parallel to deliberations surrounding the regulation of personal data by the Joint Parliamentary Committee on PDP, efforts towards regulating non-personal data have been initiated by the government. The MeitY to regulate issues associated with Non-Personal Data ("NPD") constituted the NPD Committee which has, in July 2020, released a draft "Report" on "Non-Personal Data Governance Framework" ("Report"). The Report envisages the protection and governance of NPD and aims to tackle the challenges associated with processing and usage of NPD in India. The NPD Committee has submitted certain recommendations, which are currently under consideration by the MeitY.
The Committee proposed that 'Non-personal data' should comprise - any data which is not personal data (data pertaining to characteristics, traits or attributes of identity, which can be used to identify an individual) is categorized as non-personal data. This is proposed to be further classified as:
(i) Public non-personal data,
(ii) Community non-personal data,
(iii) Private non-personal data.
The NPD Report has recommended setting up of a regulatory authority consisting of experts in fields such as data governance and technology for putting in place the framework for governance of non-personal data. The Authority will be responsible for framing guidelines with respect to data sharing and risks associated with non-personal data. However, there are certain serious issues that subsist within the proposed framework specially with respect to its interplay with the upcoming Personal Data Protection Law in India and other established regulations with respect to intellectual property rights and competition. In this regard it may be noted that the scope of sensitivity of NPD under the said Report is quite broad and is dependent on dynamic factors that lead to uncertainty around the classification and treatment of NPD data such as national / security or strategic interest and risk of collective harm.
Besides, NPD borrowing of the concept 'sensitivity' from the PDP Bill complicates issues as it brings with it a huge and ambiguous compliance burden as the same provides the government the flexibility to expand the scope of sensitive and critical personal data. Besides, inherently it is neither necessary to categorize NPD data as 'sensitive' or 'critical NPD nor to regulate it as such given the fact that NPD' implies that such data is already no longer relatable to the data subject, as the same would lead to much ambiguities regarding the treatment of any given data set, given that any data set is bound to include several data points.
Further, the proposed compulsory sharing of NPD without introducing sufficient safeguards to protect Data Businesses from the liability arising out of such sharing can be problematic and ignores the significant cost incurred by businesses to collect such large amounts of data and may possibly erode the value of such data and also could lead to adverse business and cost consequences to established businesses operating in India.
Furthermore, legal obligation for compulsory sharing under NPD is as such indirectly creating compulsory licensing provisions for copyright through a new legislation and could conflict and overlap with the existing provisions of the Copyright Act, 1957, besides the powers of NPDA to mandate data sharing can be misused in ways to undermine the confidentiality and integrity of NPD.
The Report introduces the concept of a data custodian, whose role is similar to that of a data fiduciary under the PDP Bill. It is imperative that such categorization should not include data processors as defined under the PDP Bill. In most instances, data processors process data (personal data and NPD) based on contractual arrangements with their clients (data fiduciaries/data collectors) who provide access to such data for limited purposes defined therein. Data processors are contractually restricted from accessing or processing data for purposes beyond the scope of such arrangements.
NATIONAL HEALTH STACK
NITI Aayog unveiled the blueprint of the National Health Stack (NHS) in 2018. It is a shared digital healthcare infrastructure built with a deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem. The NHS, a set of building blocks which are essential in implementing digital health initiatives, would be "built as a common public good" to avoid duplication of efforts and successfully achieve convergence. Also, the NHS will be "built for NHPS but designed beyond NHPS" as an enabler for rapid development of diverse solutions in health and their adoption by states. It envisages a centralized health record for all citizens. The key components of the National Health Stack are -
• National Health Electronic Registries: to create a single source of truth for and manage master health data of the nation;
• A Coverage and Claims platform: building blocks to support large health protection schemes, enable horizontal and vertical expansion of RSSM by states and robust fraud detection;
• A Federated Personal Health Records (PHR) Framework: to solve the twin challenges of access to their own health data by patients and availability of health data for medical research, critical for advancing our understanding of human health;
• A National Health Analytics Platform: to bring a holistic view combining information on multiple health initiatives and feed into smart policy making, for instance, through improved predictive analytics;
• Other horizontal Components: including unique Digital Health ID, Health Data Dictionaries and Supply Chain Management for Drugs, payment gateways etc. shared across all health programs.
While it is claimed that the National Digital Health Ecosystem (NDHE) will be governed by the PDP Bill, when passed into law, there exist several issues surrounding the National Digital Health Blueprint's (NDHB's) mandates and the PDP Bill. There could be several possible issues with NDHB that could lead to much confusion and unnecessary complexities, like in terms of the fact that data protection law requires data minimization, however, obligating data minimization could actually impede the wide-ranging future possibilities offered by AI and ML to influence health, habits and lifestyles.
Besides, the transparency and accountability necessary to make NDHM a success is best supported by an accompanying regulatory framework that promotes enforceability. Hence in this regard the NDHB falls short of proposing a code of practice in line with the PDP that caters with some of these challenges while dealing with health data and this could lead to regulatory overlap and cause confusions in the implementation of NDHB.
The NDHB states that all registries and databases of the NDHB shall be built as a 'Single Source of Truth', however, health data needs to be examined in light of the PDP Bill, not as one subject to the concept of ownership, but subject to control and access. Also, NDHB recommends use of the H-Cloud for building layers 2 & 3, but this architecture must be revisited in the light of data localization requirements in the PDP. Localization of critical personal data with mirroring or free transfer of non-critical data to hybrid entities may be desirable, to allow domestic and international cloud storage, as would be necessitated to avail the global ecosystem of digital health services (apps, wearables etc.). Further, since the Security and Privacy operation centres centralise most of the responsibility to secure data, and act on consent and privacy breaches, it's necessary to lay out the state's capacity to manage, maintain and update such operations, said the institute. The Operations Centre must go beyond the traditional means of intrusion detection to monitor and respond to breaches and attacks and it can do so by using AI and ML. Further, it is still unclear how the POC (privacy operations center) will interact with the data controller under the Data Protection laws. There appears to be overlapping subject-matter jurisdiction with respect to data protection and privacy.
DIGITAL INFORMATION SECURITY IN HEALTHCARE ACT
The government has in the recent past released a draft of the Digital Information Security in Healthcare Act or DISHA, which recognizes that people have the right to privacy, confidentiality, and security of their digital health data. They also have the right to give or refuse consent for generation and collection of such data. The draft Act allows clinical establishments to generate, collect and store health data. Such establishments include hospitals, laboratories and medical professionals but not medical technology companies.
The draft Act specifies that "digital health data, whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for a commercial purpose and in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the Central Government".
While both DISHA and PDP take a consent-based approach to data protection and create a trust-based relationship between an individual and the entity taking his data, there is a stark difference in the position of an individual under each. DISHA imposes significant restrictions on the use of health data and places an individual squarely in control of his data, while the PDP Bill takes a more relaxed approach. All kinds of health-related data come under the ambit of Sensitive personal data under the PDP Bill, which requires explicit consent on the data principal for processing.
Both DISHA and the PDP Bill create such a comprehensive data protection system, and will both be a significant step toward the holistic protection of health data. Each adopts a different approach, with DISHA clearly offering stronger protection to an individual vis-à-vis his data.
DATA EMPOWERMENT AND PROTECTION ARCHITECTURE
NITI Aayog has recently, released a framework on Data Empowerment and Protection Architecture (DEPA) which it calls a "consent-based data-sharing framework to accelerate financial inclusion" with the aim to allow people to access their data and securely share it with third-party institutions. The DEPA essentially proposes the implementation of a RBI Account Aggregator system in all sectors as a way to manage users' consent. The DEPA identifies three key building blocks to "empower individuals with their data" namely:
– Enabling regulations
– Cutting edge technology standards
– "New types of public and private organizations with incentives closely aligned to those of individuals"
The framework envisions a "new type of private Consent Manager institution" that will allow individuals to give access to give consent as per MeitY defined standards that use standard application programming interfaces (APIs) such as the ones used in RBI's Account Aggregator ecosystem. Within this system, any new private players will be allowed to use public digital infrastructure to "plug into a network of information providers and users without setting up expensive, duplicative, and exclusive bilateral data sharing rails".
In this regard, it maybe pertinent to note that the PDP Bill has introduced the concept of consent managers who are data fiduciaries registered with the Data Protection Authority that provide interoperable platforms that aggregate consent from a data principal. Data principals may provide their consent to these consent managers for the purpose of sharing their information to various data fiduciaries and may even withdraw their consent through these consent managers. This is a unique construct and appears to have been introduced to support the Data Empowerment and Protection Architecture (DEPA) for financial and telecom data that currently powers the Account Aggregators licensed by the RBI. Until rules are framed by the PDP Bill, the exact mechanism under which these consent managers would operate shall not be clear. It seems likely that the data principals would have to pay or compensate the consent managers for the management of their consent.
It is not inconceivable that at some point in the future, the payment or flow of consideration could be the other way round, whereby the data principals grant consent managers, for a consideration, the right to give consent on their behalf to third-party data fiduciaries under clear-cut parameters. In such a case, the consent managers would be entitled to and able to monetize the consent received from the data principals by selling or transferring the consent to third-party data fiduciaries.
While one year on since the Indian Government introduced the Personal Data Protection Bill, 2019 with an object to provide for protection of personal data of individuals, and establish a Data Protection Authority to implement the same, the Indian rules surrounding data protection are still a legal quagmire and the law seems to be still stuck in Parliamentary procedure and formalities currently in final stages of parliamentary review -being examined by a Joint Parliamentary Committee, the various parallel initiatives by different Govt. Departments increasing create a possibility of growing into a disparate jungle of conflicting rules rather than promoting innovation and facilitating new businesses.
Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.