On July 27, 2018, the committee of experts under the chairmanship of Justice B. N. Srikrishna (the “Committee”) released a report titled, “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” (the “Report”), with its analysis and recommendations on a new data privacy regime for India. Along with the Report, the Committee has also submitted a draft of the Personal Data Protection Bill, 2018 (the “Bill”) to the Ministry of Electronics and Information Technology, Government of India.
The Committee was set up in August 2017 after a nine-judge bench of India’s Supreme Court ruled that the right to privacy is a fundamental right under the Indian Constitution.
Brief overview of the Bill
As the title of the Report suggests, the Bill has been drafted with an objective to usher India into the digital economy and make it a preferred outsourcing location, as service exports account for a significant part of the Indian economy. The Bill endeavours to cover all aspects of protection of personal data (“PD”) of individuals in course of data processing.
The Bill is applicable to processing of PD collected, disclosed, shared or otherwise processed within the territory of India, and also to processing of PD by the Indian government or any Indian person (individuals and entities). Further, the Bill is also applicable if the data processing is done in connection with any business conducted in India, or if goods or services are offered to individuals in India, or any activity involving profiling of data principals, i.e., individuals to whom the information relates to within India. As drafted currently, the Bill will cover foreign nationals not residing in India if their PD is processed in India, or by an Indian person. However, the Report recommends that in order to avoid duplicity of compliance requirements, the Indian government must exempt Indian companies dealing only with PD of persons residing outside India. If this recommendation is accepted, it will ease compliance requirements for India’s outsourcing industry, who deal only with data of foreign nationals.
The Bill distinguishes between PD and sensitive personal data (“SPD”) as is the case under the existing Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT SPDI Rules”). However, the scope of SPD has been expanded, and SPD now includes: (i) official identifiers; (ii) caste or tribe; and (iii) religious or political belief or affiliation. Further, terms like financial data, health data, biometric data and genetic data have been defined in the Bill. The standard for processing PD as opposed to SPD is also different.
At the onset, the data fiduciary, i.e., the person who determines the purpose and means of data processing, is required to make exhaustive disclosures at the time of collection of PD. If the data is not collected by the data fiduciary from the data principal directly, but through a third party, then the data fiduciary is required to make the foregoing disclosure as soon as reasonably practical. The Bill requires affirmative consent of the data principal and makes it unlawful for a data fiduciary to make conditional the provision of goods or services, performance of any contract, or the enjoyment of any legal right or claim by the data principal, upon receipt of the data principal’s consent unless necessary for provision of the goods or services, or for performance of the contract.
The Bill puts the onus to control PD and SPD on the data principal, and therefore, the right to withdraw consent, correct or update PD or SPD, seek information on processing activities, and to be forgotten have been given to the data principal. Data fiduciaries have several obligations, including, (i) to establish safety policies and procedures; (ii) to conduct data audits and data impact assessments; (iii) to notify about data breaches; and (iv) to appoint data protection officers.
The Bill also seeks to establish a data protection authority in India to regulate all matters relating to data protection. The Bill provides for both, penalties and compensation, if the Bill’s provisions are contravened.
Key concerns in the Bill
Extraterritorial applicability
The provisions of the Bill have been made applicable to any data fiduciary who offers goods or services to data principals located in India, and by virtue of this, processes the PD of data principals located in India. If this data fiduciary is considered as a “significant data fiduciary”, it will have to appoint a data protection officer based in India. The data protection authority to be established under this Bill will notify, based on factors such as volume and sensitivity of PD processed, turnover and risk of harm resulting from data processing, classes of data fiduciaries who will be “significant data fiduciaries.” Although well-intended, making the Bill applicable to any person offering goods or services in India will be difficult to monitor and regulate. From the perspective of the data fiduciary, even if the size of the business in India is insignificant (such as an e-commerce website delivering products in India), the data protection requirements under the Bill will have to be complied with.
Data localization
The Bill imposes several restrictions and conditions for cross-border transfer of PD and SPD. Every data fiduciary is required to maintain at least one (1) copy of the PD on a sever or data centre located in India. The only exemptions from this requirement are for certain categories of PD based on grounds of necessity or strategic state interests, which will be notified by the Indian government. Further, the Indian government will also make a list of critical PD, which can be processed only on a server or data centre located in India.
As per the Report, the data localization requirement emanates from the desire of the Indian government to have ready access to PD and to ensure that foreign surveillance on PD is reduced.
However, it is unclear if data localization in itself will guarantee a maximum level of security for the data. Further, there will be major financial implications on the data fiduciary in having to store PD in India for access by the Indian government. In our view, this requirement must be revisited as it has the potential of significantly impacting the outsourcing and cloud business in India.
Data protection impact assessment
The Bill requires a significant data fiduciary (to be notified by the data protection authority proposed to be established under the Bill) to conduct a data protection impact assessment if it proposes to process PD using new technologies, or in case of large scale profiling of SPD. The Indian government will notify who is a significant data fiduciary on the basis of volume, sensitivity of PD, business revenue and such other factors. With technology and processes changing rapidly, this rule can create roadblocks to the faster deployment of new data processing technology. This additional step will mean that software companies will have to plan well in advance before rolling out any new technology. The government should restrict itself to ensuring protection of PD and SPD of its citizens rather than concerning itself with reviewing data protection impact assessment reports.
Exemptions to the government for processing of PD
Public interest and functions of the state are well accepted carve-outs to the constitutional right to privacy. However, the Bill gives extensive exemptions enabling the Indian government: (i) to process PD to inter alia ensure the security of the state, (ii) to prevent, detect, investigate and prosecute violation of law, (iii) to issue any certification, license or permit for any activity to be undertaken by a data principal, or (iv) for provision of any service or benefit to the data principal by the state. In our view, these exemptions are very broad-based and essentially imply that the Indian government has an unfettered right to access personal information of its citizens without adhering to basic protective measures. Whether this is constitutionally valid is a matter of debate!
Conclusion
Ever since the outsourcing boom in the early 1990s, the Indian government has been trying to formulate a comprehensive data protection regime. As a quick fix, in the year 2011, the Information Technology Act, 2000 was amended to provide a penalty for failure to comply with data protection measures specified in the IT SPDI Rules. While the IT SPDI Rules covered key aspects on maintenance of a privacy policy, security standards, and transfer and disclosure of personal information, they did not provide a complete regulatory oversight on data protection issues. In fact, many of the provisions of the IT SPDI Rules could be diluted by contract between the data provider and the data recipient.
In light of multiple failed attempts to promulgate standalone data privacy laws, the Bill is a significant leap for the data protection regime in India. The Bill borrows from the European Union in its approach for extensive rights to the data principal, but also retains the state control over information as that in China. There are many positives in the Bill in terms of requirement for notification of sharing of information by the data fiduciary to a third party, and exemptions to small entities processing data manually. However, the Bill has failed to cover certain key issues like model security practices and procedures and the right to erase the information (a natural consequence of the right to be forgotten, which has been covered). These and the foregoing issues need to be addressed further in order for India to have a robust and well balanced data protection regime.