A draft of the Personal Data Protection Bill, 2019 (“Bill”) was introduced before the Lok Sabha on December 11, 2019.
The Bill is based, in large part, on the proposed draft of the Personal Data Protection Bill, 2018 (“Draft Bill”), which was attached to the report submitted to the Government by the Committee of Experts constituted under the Chairmanship of Justice Srikrishna (Retd.) (for details, see our analysis[1] of the Draft Bill and its comparison with the European Union’s General Data Protection Regulation[2] (“GDPR”)[3]).
That being said, the Bill also includes several modifications and changes in scope and intent.
At its core, the Bill continues to require that Personal Data[4] be processed fairly and reasonably while ensuring the privacy of the Data Principal[5], for purposes that are consented to by the Data Principal, or purposes incidental or connected thereto[6].
The following is a summary of the key changes relevant to private Data Fiduciaries[7]. The Bill has also made certain changes to the provisions relating to the processing[8] of Personal Data by Central and State Governments. The aforementioned provisions are not the focus of this summary and will be examined separately. It is intended to be read with our earlier updates on the Draft Bill here:
Application of the Provisions of the Bill:
The Bill has clarified that its application depends on the processing of Personal Data and not on territorial boundaries[9]. Further, while anonymized data, as proposed by the Draft Bill, continues to be outside the purview of the Bill, an exception has been carved out for anonymized data which may need to be shared with the Government in order to enable it to better target delivery of services or formulate evidence-based policies[10]. Further, certain provisions of the Bill will not apply to manual processing by ‘small entities’, which are now to be defined by the Data Protection Authority (“Authority”)[11]. Furthermore, Section 96 of the Bill specifies that the provisions of the Bill will prevail over any inconsistent laws.
- Consent: Consent has been emphasised as the key basis for processing Personal Data in Section 11; however, other bases for processing continue to be defined in Sections 12, 13 and 14.
- Anonymization: The definition of Anonymization has been amended to include all data which meets the anonymization standard prescribed by the Authority[12]. This will help serve as a bright line standard for anonymization.
- Data Retention: The Bill includes language requiring deletion of data once the purpose for which it was processed has been completed[13] and also includes a provision for explicit consent to be obtained for longer retention[14]. It is unclear whether such retention under consent will override the purpose requirement under Section 4 of the Bill.
- Evidence of Compliance: The Draft Bill proposed requiring that Data Fiduciaries demonstrate that all processing of Personal Data by them was in compliance with its provisions. This broad requirement has been done away with, but has been retained for demonstrating consent under Section 28.
- Age Verification and Privacy by Design Policies: Mechanisms for verification of the age of minors will now be prescribed under the regulations[15] rather than being determined by Data Fiduciaries[16]. Similarly, Privacy by Design Policies will, subject to any contrary regulations, now be certified by the Authority rather than left to the discretion of the Data Fiduciary, and will be required to be published on the website of the Data Fiduciary.[17] Certification by the Authority is another measure that may provide some certainty in what is likely to be a rapidly evolving regime. The period for their review will now be prescribed under regulations.
- Recommended Exception for Search Engines: A potential “reasonable purpose” which will permit processing of data has been included for the operation of search engines[18]. This was a change sought by multiple stakeholders.
- Processing of Sensitive Personal Data: Under the Bill, ‘passwords’ have been removed from the definition of Sensitive Personal Data.[19] The Draft Bill required informed consent for the processing of Sensitive Personal Data after having knowledge of all significant consequences[20]. Under the Bill, Data Fiduciaries are only required to satisfy the lower standard of informing Data Principals of significant harm[21].
- Sectoral Regulator: The role of the sectoral regulator has been strengthened, with the Bill requiring their inputs for codes of practice and requiring consultation with them before notifying categories of Sensitive Personal Data[22]. This will likely mean that existing categories of sensitive personal data, such as payment data and policyholder data, will be defined as Sensitive Personal Data.
- Expanded Information Rights of the Data Principal: An expanded right has been provided to Data Principals to obtain from the Data Fiduciaries all their Personal Data and summaries thereof[23]. Also included is the right to access a comprehensive overview of the identities of Data Fiduciaries who have access to Personal Data and the category of Personal Data shared. The manner of such access will be specified in the regulations[24].
- Erasure: Under Section 18 of the Bill, a direct right to seek erasure of irrelevant Personal Data has been included[25]. Data Principals now have the ability to require such erasure directly, rather than after adjudication[26]. This may require more robust erasure mechanisms to be put in place. The previous mechanism under Section 20, restricting or preventing the continuing disclosure of Personal Data by a Data Fiduciary after adjudication, has been retained[27] with modifications.
- Consent Managers: A new category of Data Fiduciaries called consent managers has been defined under the Bill.[28] These entities are to enable Data Principals to manage their consents across multiple fiduciaries through an accessible, transparent and interoperable platform. The conditions for being classified as a Consent Manager and the requirements for registration with the Authority will be notified under the regulations.[29]
- Social Media Intermediaries: Section 26 of the Bill defines Social Media Intermediaries as a new and separate category of Data Fiduciaries. These are entities which primarily or solely connect users, enabling them to create, modify, upload, share, disseminate or access information. Search engines, e-commerce entities, internet service providers, email and storage services, and online encyclopaedias are expressly excluded from this definition[30]. Social Media Intermediaries which have more than a specified number of users, and whose actions are likely to impact electoral democracy, security of the state, public order, or the sovereignty or integrity of India, will be notified by the Central Government as Significant Data Fiduciaries[31]. All such notified Social Media Intermediaries are required to enable users who register for, or use, their services from India to voluntarily verify their accounts, and thereafter to mark verified accounts with a specified mark which will be visible to all users[32].
- Localization and Cross Border Data Transfers: The data localization requirement, which formed the basis for much of the discussion and the debate around the Draft Bill has been narrowed substantially:
  - No requirement of localization (or indeed transfer restrictions) will apply to Personal Data;
  - A requirement remains to store Sensitive Personal Data in India, but such data may be transferred outside India for processing[33]. The ambiguous concept of a “serving copy”[34] has been done away with[35];
  - Critical Personal Data may be processed only in India. Certain exceptions, under which Critical Personal Data may be transferred outside India, have been specified[36].
Further clarity has been provided on the contents of contracts or intra-group schemes for the transfer and processing of Sensitive Personal Data outside India[37]. A higher threshold (explicit consent) has been specified for transferring Sensitive Personal Data outside India[38].
- Regulatory Sandbox: A provision for a regulatory sandbox (between 12 (twelve) and 36 (thirty-six) months in duration) has been created to encourage the development of new technologies such as artificial intelligence and machine learning, pursuant to which entities will be exempted from the purpose, storage and consent requirements under the Bill.[39] It will be interesting to see how this exclusion operates in view of the tests outlined under the Aadhaar Judgement[40].
- Selection Committee: Several changes have been made in relation to the composition of the selection committee which is tasked with recommending the members of the Authority.[41]
- Authority: The Authority will, to the extent possible, be given the opportunity to express its views to the Central Government before the Central Government prescribes any directions or questions of policy in relation to the Authority’s exercise of its powers or the performance of its functions.[42] Further, the Authority has been obligated to publish an annual report providing a summary of its activities in the relevant year.[43]
- Data Sharing with the Government: Section 91 of the Bill enables the Central Government to require Data Processors or Data Fiduciaries to provide it with anonymized Personal Data, or other non-personal information (which was expressly excluded from the scope of the Draft Bill) to enable the targeting or delivery of services, or the formulation of evidence-based policies. The provision does not provide for any form of compensation or remuneration for such data. It also reaffirms the right of the Central Government to formulate policies for the digital economy to the extent that such policies do not govern personal data. This is particularly relevant in view of the proposed E-Commerce Policy.[44]
While certain changes made to the Draft Bill may prove to be business-friendly by providing increased certainty, other changes detailed above (e.g. the deletion of the implementation timeline[45], the requirement to share anonymised and non-personal data with the Government[46], obligations relating to social media verification[47], etc.) may prove to be a source of concern.
[1] “The Personal Data Protection Bill, 2018: A Summary”, dated July 30, 2018. Available at: http://www.cyrilshroff.com/wp-content/uploads/2018/07/Personal-Data-Protection-Bill-2018.pdf
[2] European Union’s General Data Protection Regulation (Regulation (EU) 2016/679).
[3] “India: Comparing the Personal Data Protection Bill 2018 with the GDPR”, dated December 2018. Available at: https://platform.dataguidance.com/opinion/india-comparing-personal-data-protection-bill-2018-gdpr
[4] Section 3(28), Bill.
[5] Section 5(a), Bill.
[6] Section 5(b), Bill.
[7] Section 3(13), Bill.
[8] Section 3(31), Bill.
[9] Section 2, Bill.
[10] Section 91(2), Bill.
[11] Section 39, Bill.
[12] Section 3(2), Bill.
[13] Section 9(1), Bill.
[14] Section 9(2), Bill.
[15] Section 3(33), Bill.
[16] Section 16(3), Bill.
[17] Section 22, Bill.
[18] Section 14(2)(h), Bill.
[19] Section 3(36), Bill.
[20] Section 18(2), Draft Bill.
[21] Section 11(3)(a), Bill.
[22] Section 50(2), Bill.
[23] Section 17(1), Bill.
[24] Section 17(3), Bill.
[25] Section 18, Bill.
[26] Section 18, Bill.
[27] Section 20(2), Bill.
[28] Section 23(5), Bill.
[29] Section 23(5), Bill.
[30] Section 26(4), Bill.
[31] Section 26(4), Bill.
[32] Sections 28(3) and 28(4), Bill.
[33] Section 33(1), Bill.
[34] Section 41, Draft Bill.
[35] Section 33, Bill.
[36] Section 34(2), Bill.
[37] Section 34(1), Bill.
[38] Section 34(1), Bill.
[39] Section 40, Bill.
[40] Justice K.S. Puttaswamy and Ors. v. Union of India (UOI) and Ors., (2019) 1 SCC 1.
[41] Section 42, Bill.
[42] Section 86(2), Bill.
[43] Section 81(2), Bill.
[44] Department of Industrial Policy and Promotion, Draft National E-Commerce Policy, February 23, 2019.
[45] Section 97, Draft Bill.
[46] Section 91(2), Bill.
[47] Section 26(4), Bill.