The Personal Data Protection Bill, 2018
The Personal Data Protection Bill, 2018 (“Bill”) is a draft law submitted in July 2018 by a committee of experts
on data protection constituted by the government of India (“Committee”). The bill has not yet been
implemented and has drawn significant criticism and praise. Its similarities with the European Union’s General
Data Protection Regulation (“GDPR”) can be seen in the language and direction of provisions such as the rights
of data principals, quantum of penalties, categories of personal data, and transparency obligations.
Applicability
If the Bill becomes law, its provisions would apply to the processing of personal data:
(a) that has been collected, disclosed, shared, or otherwise processed within India;
(b) by any Indian entity, citizen, or the State (as defined under Article 12 of the Constitution of India); and
(c) by data fiduciaries or data processors not present within India, if the processing is in connection with either
(i) any business carried on in India or any offering of goods or services to data principals within India, or (ii)
the profiling of data principals within India.
The provisions of the Bill, however, do not apply to the processing of anonymised data.
The Bill applies to “personal data” and “sensitive personal data”. It treats data about or relating to an identifiable
natural person, with respect to any characteristic, attribute, trait, or other feature of that person’s identity, as
personal data. Sensitive personal data comprises certain categories of personal data, such as passwords, health or
financial data, biometric data, and data about sex life, sexual orientation, and religious or political beliefs, and is
subject to enhanced processing requirements. The Bill also empowers the data protection authority to specify
further such categories.
Actors
A “data principal” is the natural person to whom the personal data relates. A “data fiduciary” is any person
– including the State, a company, or a juristic entity – who, either alone or with others, determines the purpose
and means of processing the personal data. A “data processor” is any person who processes personal data on
behalf of a data fiduciary; an employee of a data fiduciary is not a data processor.
A data principal is conceptually similar to a data subject and a data fiduciary to a data controller under the
GDPR.
The Bill also seeks to establish the Data Protection Authority to oversee and regulate processing activities
covered by the Bill.
Obligations of data fiduciaries
Data fiduciaries must comply with the following obligations and also be able to demonstrate that they have
complied with them.
(a) Personal data should be processed in a fair and reasonable manner that respects the privacy of the data
principal;
(b) Processing should only be for the purposes specified, or other incidental purposes that the data principal
would reasonably expect the personal data to be used for;
(c) Collection of personal data should be limited to the data that is necessary for processing;
(d) Data should be processed only on the grounds detailed in the Bill;
(e) The data fiduciary should provide the data principal with adequate notice of processing of personal data;
(f) The data fiduciary should ensure that the personal data being processed is complete, accurate, not
misleading, and updated; and
(g) Personal data should only be retained for as long as is necessary to satisfy the purpose for which it is
processed.
While it provides for a consent-based approach to processing data, the Bill allows some other grounds for
lawfully processing personal data.
Grounds for Processing
These include processing (a) that is necessary for the functioning of the Parliament or state legislatures, (b) to
comply with orders or judgments of courts or tribunals, (c) for purposes related to employment, (d) for “prompt”
action during circumstances such as medical emergencies, disasters, and breakdowns of law and order, and (e)
for “reasonable” purposes, such as whistleblowing, mergers and acquisitions, credit scoring, and debt recovery.
Without further guidance, each of these grounds of processing remains subject to governmental and judicial
interpretation.
The grounds for lawfully processing sensitive personal data are slightly different. One of them, for example,
requires explicit consent. While the Bill lists some factors that make explicit consent valid (it must be informed,
clear, and specific), it does not provide guidance on how explicit consent is to be sought, or on how it differs
substantially from regular consent.
Data Localisation
At least one copy of personal data should be stored on servers located in India. The government may exempt
some categories of personal data from this requirement on the grounds of necessity or strategic interests of the
State. While more guidance may provide clarity on this exemption, it cannot extend to sensitive personal data.
The government can also prescribe categories of “critical personal data” which must necessarily only be
processed on servers located in India. So far no criteria have been developed to determine this set of personal
data and so its scope is not clear.
Cross Border Transfer of Personal Data
Subject to the localisation requirements, there are some cases in which personal data may be transferred out of
India. Transfer is permissible, for example, if (a) it complies with contractual clauses or intra-group schemes
authorised by the Data Protection Authority; (b) it is made to a country, a sector within a country, or an
international organisation approved by the government; (c) in addition to either of the two preceding grounds,
the data principal has consented to the transfer; (d) the transfer is necessary, provided the Data Protection
Authority has approved such necessity; or (e) the data principal has explicitly consented to the transfer. As
noted previously, it is not yet clear how such explicit consent will be sought in practice.
Data Breaches
The Bill adopts a harm-based standard for responding to breaches of personal data. In the event of a breach, a
data fiduciary has to report it to the Data Protection Authority within specified timelines. The Authority then
determines, depending on the severity of the harm that may be caused, whether the breach should be reported
to the affected data principals. Harm includes injury, whether bodily or mental, identity theft, loss of
employment, discrimination, and loss of reputation or humiliation, amongst others. The precise method of
gauging the extent of harm is not clear. The Data Protection Authority also has the power to direct the data
fiduciary to take remedial action in the event of a breach.
Data Protection Officer
Data fiduciaries have to appoint data protection officers. A data fiduciary situated outside India must appoint
one based in India. The Data Protection Authority may specify eligibility criteria for data protection officers.
In addition to their other functions, these officers must monitor the data fiduciaries’ processing activities to
ensure compliance with the Bill, provide advice, assist and cooperate with the Data Protection Authority, and
act as points of contact between data principals and data fiduciaries.
Transparency and Accountability Measures
While the Bill does not prescribe any specific standards, by making “privacy by design” mandatory, it will require
that the business practices and technical systems of data fiduciaries be designed to anticipate and avoid harm
to data principals. Other transparency and accountability obligations it places on data fiduciaries include
adequate security safeguards, accurate and up-to-date record keeping, annual data audits, and data protection
impact assessments.
Rights of Data Principals
The Bill sets out a statutory framework for giving effect to some of the fundamental rights recognised in the
Puttaswamy verdict. Data principals have the right to access the personal data that has been collected, to confirm,
correct or update it, and to receive it in a commonly used form. The “right to be forgotten” will allow data
principals to prevent the disclosure of personal data if that disclosure is no longer necessary or has served the
purpose for which it was made, if the consent that permitted the disclosure has been withdrawn, or if the
disclosure is contrary to applicable law. The balance the Bill tries to strike between these rights and the freedom
of speech and expression will need to be tested in practice.
Penalties
Contravention by a data fiduciary of one category of obligations may attract a penalty of up to INR 50,000,000
or 2% of the data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. Even
higher penalties are prescribed for contravention of the obligations relating to the processing of personal data
or sensitive personal data, the cross-border transfer of personal data, and the security safeguards detailed in
the Bill.
Conclusion
Data protection law in India is in a period of transition. The impact of the Puttaswamy decision on the Data
Protection Rules and the IT Act cannot be overstated. Several Indian high courts dealing with data protection
issues such as the export of data, transfer of data among group companies, and the adequacy of consent, now
have to consider the Supreme Court’s view that the privacy of personal information is part of the fundamental
right to life and personal liberty. While no judicial trend can be discerned yet, it is clear that data collection and
processing efforts in India must evaluate and anticipate the impact of this historic judgment.
The decision has also provided the impetus and the founding principles for a new data protection law. While we
do not yet know the extent to which the draft bill that is now in circulation will be part of that law, the principles
laid down in Puttaswamy and the experience of Europe’s GDPR will indeed be influential. Data fiduciaries and
processors may have to comply with a new set of obligations enforced by a new regulator through severe
penalties.
Do reach out to us if you have any comments or questions.
Mathew Chacko Ankita Hariramani
mathew@spiceroutelegal.com ankita.hariramani@spiceroutelegal.com
Aadya Misra Aishwarya Todalbagi
aadya.misra@spiceroutelegal.com aishwarya.todalbagi@spiceroutelegal.com