THE PERSONAL DATA PROTECTION BILL,2019: AN OVERVEIW

Reading time : 12 minutes

• Introduction

In recent past, the question related to privacy of personal data became matter of concern, globally, whether it is in the field of law or political imagination. As held in the case of Puttuswamy v India (2017)[1], privacy is a fundamental right. When some landmark cases, such as MP Sharma v. Satish Chandra (1954)[2] and Kharak Singh v. Uttar Pradesh (1962)[3], came before the Supreme Court, there was no constitutional right to privacy in and of itself, the judges had declared that while in certain circumstances the privacy of individuals was to be protected. But, in this concern, certainly a Supreme Court ruling is not sufficient. In particular, the implementation of the Aadhar biometric programme and persistent development of global technology, have created the necessity to take a new approach towards the legal stance of privacy in India.

As illustrated in Aadhar case or many other landmark cases, today, the main area of concern of privacy, is data, an intangible product that carries staggering political capital and forms the basis of much of the world economy. The rise in the importance of data has pushed over 80 countries to pass national laws which protects the collection and use of their citizen’s data by the government, companies and many other. In coming times, India will also join the hand of other countries for this major concern as the Personal Data Protection Bill 2019 (DPB) is currently under consideration by a parliamentary committee. The PDP Bill was referred to a Joint Parliamentary Committee (“JPC”) on December 12, 2019 for recommendations.

The bill establishes a number of rules and regulation for companies to follow, and also for large international tech firms that wish to operate in territory of India. The current draft of the PDP Bill prescribes compliance requirements for all forms of personal data, broadens the rights given to individuals, introduces a central data protection regulator, as well as institutes data localization requirements for certain forms of sensitive data. The PDP Bill applies extra territorially to non-Indian organizations in the event certain nexus requirements are met, and also imposes hefty financial penalties in case of non-compliance.

 In coming future, bill will have great impact on commercial and political consequences. According to Ernst and Young, by the year 2025, emerging high technologies in India will create $1 trillion in economic value and much of this economic value will be founded on the use, sale, and creation of data, and here the bill will have great implications as hi-tech firms scramble to meet new privacy regulations.

The Bill also declares that users who provide data are, in effect, the owners of their own data. As European internet-users have “right to be forgotten”, so, this has major implications, suggesting that users in India also be able to control the data, and may request firms to delete it, just and have evidence of their online presence removed. But the bill does not protect citizen against the government as it stipulates that “sensitive” personal data, related to matters of national security, must be accessible to the government for the protection of national interest.

The bill outlines the establishment of a Data Protection Authority, which will be charged with controlling data collected by the Aadhaar programme. It will be led by a chairperson and six committee members, appointed by the central government on the recommendation of a selection committee. Unlike similar institutions, such as the Reserve Bank of India or the Securities and Exchange Board, the DPA will not have an independent expert or member of the judiciary on its governing committee. The UIDAI, for its part, has a chairperson appointed by the central government and reporting directly to the Centre.

After the Aadhaar programme controvercy, the most latest concern is Aarogya Setu contact-tracing app, developed to track the spread of the COVID-19 pandemic. Experts related to technology criticised the app due to lack of adequate data protection measures. Where are these data stored and who has access to them remain open questions.

• CHARACTERISTICS OF BILL

The characteristics of the PDP Bill:

1. It provides for storage of all SPD within Indian territorial limit. Data may be transferred outside India but subject to appropriate safeguards as are laid down. 
2. It provides for ‘consent managers’ who shall be responsible for bridging the gap between the the Data Fiduciary and the Data Principal.
3. It confers on the Data Principals, the right to data portability and the right to access, correction, the right to be forgotten and erasure of personal data. 
4. It provides for the establishment of a Authority for Data Protection which shall be a cross-sector regulatory authority for data protection. It shall be responsible for the implementation of the PDP Bill.
5. Their lays down obligation on a Data Fiduciary to send a data breach notification in any case of breach to the Data Principal.
6. PREAMBLE OF BILL

The preamble of Bill identifies three key points:

• “The right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy”
• “It is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.”
• “The growth of the digital economy has expanded the use of data as a critical means of communication between person”

• Main Provisions of the Bill

The main purpose of bill is to regulate the processing of personal data of individuals which is processed by the Government, Companies registered in India and Foreign Companies according to Information Technology Act, 2000.

 Some key provisions under the bill are as follows –

1. Definition of Personal Data

Personal Data under the bill is defined[4] as the data relating to a natural person with regard to the characteristic, trait, attribute or any other feature which helps in the identification of that person. The bill also distinguishes between Sensitive Personal Data and Critical Personal Data.

2. Data Fiduciary

Data fiduciary is any entity or any individual which determines the purpose and means of processing personal data. The bill enumerates certain obligations relating to the Data fiduciary, some of them are as follows –

a. Personal Data should be processed only for clear and lawful purposes.

b. The privacy of Data Principal i.e. the person to whom the data belongs, should be ensured

c. The Data Fiduciary is required to furnish a notice of the Data Principal for the purposes of collecting personal data.

d. The bill imposes restrictionon the Data Fiduciary with respect to the retention of the personal data collected.

e. The Data Fiduciary is also made accountable⁸ to comply with the provisions of the bill in relation to the processing of data.

3. Rights of the Data Principal

The bill also provides for rights that can be exercised by a data principal such as the right to seek information regarding the manner or processing activities undertaken by the data fiduciary with respect of the personal data. The bill also gives an opportunity to the data principal to correct and erasure any personal data.

4. Social Media Intermediaries

The bill defines Social Media intermediaries as intermediaries which allow 2 or more users to share, upload, disseminate, create information using its services. This will allow the government to notify them as data fiduciary subjecting them to comply with the provisions of the Bill.

5.Transfer of Personal Data outside India

The bill imposes certain restrictions on the transfer of sensitive and critical personal data outside India. Sensitive personal data may be transferred outside India based on certain conditions such as –

a. The transfer is made pursuant to a contract or intra-group scheme which should be approved by the Data Protection Authority.

b. The transfer is allowed by Central Government after consultation with the Authority.

6. Offences and Penalties

The bill imposes hefty penalties. A fine of INR 15 crores or 4% of the annual turnover of the data fiduciary, whichever is higher is imposed for processing or transferring personal data which is in violation of the Bill. In case, the data fiduciary fails to conduct data audit a fine amounting to INR 5 crores or equivalent to 2% of the annual turnover of the data fiduciary, whichever is higher is imposed.

Data can be classified broadly into two types: personal and non-personal data.  Personal data pertains to traits, characteristics or attributes of identity, which can be used for identification of an individual. Non-personal data includes aggregated data through which individuals cannot be identified. Data protection refers to policies and procedures seeking for personal data to minimise intrusion into the privacy of an individual caused by collection and usage of the data. 

• OTHER PROVISIONS OF THE BILL

• The Bill cdemandsfr the creation of an independent regulator Data Protection Authority, which will oversee assessments and audits and definition making of personal data.
• Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for grievance redressal, recording maintenance, auditing and many more.
• The Bill proposes  “Collection limitation” and “Purpose limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
• It also grants individuals the ability to access and transfer one’s own data and right to data portability. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
• Finally, it legislates on the right to be forgotten. With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
• The Bill stated the penalties as: Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.
• The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.

• PROPOSED NON-PERSONAL DATA FRAMEWORK

Government of India constituted a committee (“NPD Committee”) to explore the governance of non-personal data (“NPD”). The terms of reference of the NPD Committee were to:

(a) study various issues relating to non-personal data; and

(b) to make specific suggestions for considerations of the Central Government on the regulation of non-personal data.

Currently, processing NPD is not regulated under law. Further, “anonymized data” is specifically excluded from the applicability of the current draft of the PDP Bill.

The NPD Committee released a revised version of their report in January 2021 for clarifying certain aspects. The revised NPD Committee report expands on the recommended NPD framework and PDP Bill would function, clarifying that it is only anonymised data that will fall under the NPD framework. Amongst other things, the revised version have details of  the types of NPD that may be collected, delves into public and private rights that may subsist in such data, as well as provides for a detailed data sharing mechanism that exempts transfers between private entities.

 The report provides separate guidelines for ‘Data Businesses’, or data collecting entities that meet certain thresholds, calls for the separate treatment of certain ‘High Value Datasets’, and also calls for the creation of a separate regulator that would function independently.

However, as discussed above, other reports indicate that the JPC may be looking to broaden the scope of the PDP Bill to include NPD as well. These reports run contrary to the NPD Committee’s recommendation for all NPD-related provisions in the PDP Bill to be removed.

• DATA EMPOWERMENT AND PROTECTION ARCHITECTURE (DEPA): OVERVEIW

 NITI Aayog released a draft framework on the Data Empowerment and Protection Architecture (“DEPA”) in August, 2020 with consultation with a few industry regulators, banks and tech players. Main aim of DEPA is to build over existing regulation by the RBI on ‘Account Aggregator’ models, through which citizen will be able to share their financial data across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds in a secure manner. Through DEPA, NITI Aayog aims to institute a mechanism for secure consent-based data sharing in the tech sector, which they believe will be “a historic step towards empowering individuals with control over their personal data”.[5]  While this document released by NITI Aayog is totally focused on the implementation of DEPA in the sector of finance alone, now, DEPA is also proposed to be introduced as a similar framework beyond just financial data, and across all sectors, beginning with the health and telecom sectors.

For the full implementation of DEPA, the ministries and government regualtors would be required to release a detailed document that lays down the processes for the information flow in DEPA. DEPA was open for public comments until November 30, 2020, and there has been no further update till date.

• A POLICY FOR THE MANAGEMENT AND SHARING OF HEALTH DATA

The Central Government of India along with Ministry of Health and Family Welfare announced a National Digital Health Mission (“NDHM”) which was published in a blueprintin 2019 recommending the creation of a National Digital Health Ecosystem (“Ecosystem”) which allows for interoperability of digital health systems at the hospital, patient and ancillary healthcare provider level. On December 14, 2020 the ministry has given the approval to a Health Data Management Policy (“HDM Policy”)largely based on the PDP Bill which will  govern data in the Ecosystem. The HDM Policy recognises entities in the data processing space, i.e. data fiduciaries (similar to data controllers under GDPR) and data processors similar to the PDP Bill, and establishes a basic framework for processing personal data.

• TRANSACTIONS THAT ARE EXEMPTED UNDER THE PROVISIONS OF THE PDP BILL

Certain type of transactions are exempted from the applicability of the PDP Bill, ther are:

 (a) to small businesses or

 (b) data collected for purpose of domestic use.

 A small business shall be qualified as such by the Data Protection Authority depending on the the purpose of collection of the data, business turnover or the volume of data processed. The Central Government also exempted outsourcing agencie from certain obligations under this system. Additionally, the Central Government of India has wide powers with respect to its obligations, which may be relaxed on various grounds of public interest and may exempt agencies operating under it. This ground of discretion is fairly broad and gives the government significant discretionary power.

• LATEST GLANCE OF INDIAN JUDICIARY ON REGULATION OF PERSONAL DATA.
• Under Article – 21 of the Constitution, Right to privacy is a fundamental right. This was held by a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy vs Union of India[6] in its landmark judgment dated 24th August 2017 wherein they declared ‘the right to privacy’ as an integral part of Part III of the Constitution of Constitution of India. In 2017, a bench of five judges in the Supreme Court which was hearing the Aadhaar Card case and  the right to privacy, said that they wanted a nine-judge bench to first decide if privacy is a fundamental right, before deciding on the main Aadhaar case.

• In the case of Subhranshu Rout @ Gugul v. State of Odisha[7],The High Court of Odisha observed in its order on November 23, 2020 the requirement and importance of the right to be forgotten of an individual and how it remains unaddressed in legislation. The case involved objectionable content related to a girl that was posted online. While the victim of the case had not made any arguments regarding to the permanent removal of her data, the court encouraged the victim to seek appropriate orders for the protection of her fundamental right to privacy even in the absence of an explicit right to be forgotten. The court held that recognizing such a right by law would help in safeguarding woman’s rights online, thus highlighting the importance of strong individual privacy rights. The court was cognizant of the fact that the current draft of the PDP Bill if passed as law, would introduce a right to be forgotten in India.
• In case of Balu Gopalakrishnan v. State of Kerala ^[8]The High Court of Kerela passed an interim order on April 24, 2020 on the export of data related to COVID-19 by the State Government of Kerala to a US-based entity, Sprinklr, for data analytics.In this case the High Court held that certain measures were to be implemented by the State Government before granting Sprinklr access to the data. These measures include obtaining specific consent from citizens, ensuring the return of data once contractual obligations end and anonymizing the data. The High Court also barred the commercial exploitation and advertisement of the data by Sprinklr. This judgment emphasizes the accountability of the State in handling data of its citizens and established very essential benchmark for all public-private partnerships in the post COVID-19 era in the field of data protection.
• ADVANTAGES
• Various cases of cyberattacks and surveillance will be checked.
  
  • Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus.
• Social media is being used to spread fake news, which has resulted in national security threats and lynchings, which can now be monitored, checked and prevented in time.
• Data localisation can help law-enforcement agencies access data for investigations and enforcement.
  
  
  • As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.
  • Accessing data through this route is a cumbersome process.
• Data localisation will also increase the ability of the Indian government to tax Internet giants.
• A strong data protection legislation will also help to enforce data sovereignty.
• DISADVANTAGES
• Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
• National security or reasonable purposes are an open-ended terms, this may lead to intrusion of state into the private lives of citizens.
• Technology giants like Facebook and Google have criticised protectionist policy on data protection (data localisation).
  
  
  • They fear that the domino effect of protectionist policy will lead to other countries following suit.
• Protectionist regime supress the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
• Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.

• LOOK FORWARD IN 2021

The year 2020 has laid down the basic structure for enhancing focus on the privacy and data protection front. While we may see the main aim of the PDP Bill broadly before it is presented in the Parliament in 2021, we could also expect significant rules on the ownership aspect and  economic and commercial usage of non-personal data. The PDP Bill may also be made available for stakeholder comments and discussion after the revised version is released. The position on data localization and cross border sharing of data is yet not finalized, which is a policy decision that will directly impact most businesses operating in India. However, in the backdrop of the PDP Bill, we expect to continue to see industry-specific data policies and regulation by sectoral regulators such as drone-related policies which may give rise to new issues including cybersecurity and mandatory disclosure to the Government. It is also clearly visible that the Indian judiciary is more cognizant of privacy rights than ever before, which is a sign of a strong data protection regulation ahead

• CONCLUSION

The Personal Data Protection Bill, 2019 main purpose is to protect data relating to individuals. The bill categorizes personal data broadly into three parts which allows for greater accountability in relation to processing of data by data fiduciaries. The adaptation of a regulatory body will help automatically help technology driven startups in their starting stage since it will exempt them from the complex procedure and compliance of the provisions of the bill. When enacted, The Bill will have far reaching impact on the MNCs and business in India since they will have to ensure that the data processing done by them is in compliance with the provisions of the bill. According to the Supreme Court in the Puttaswamy judgement (2017), the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy, whereas the growth of the digital economy is also increasing for socio-economic growth. In context with this, the government policy on data protection must not deter from framing any policy for the growth of the digital era, till the extent that it doesn’t impinge on privacy of personal data.

---

[1] (2017) 10 SCC 1.

[2] 1954 AIR 300, 1954 SCR 1077.

[3] 1963 AIR 1295, 1964 SCR (1) 332.

[4] Clause 2(28) of the Bill.

[5] Ibid.

[6] ibid

[7] BLAPL NO.4592 OF 2020

[8] Writ Petition(Civil) no..of 2020

Author: SHAMBHAVI (AMITY LAW SCHOOL, AMITY UNIVERSITY)

Editor: Kanishka Vaish, Senior Editor, LexLife India.