
Personal Data Protection Bill, 2019 | Overview and the way ahead….

08 Mar 2021

Despite the limitations posed by the COVID-19 pandemic, 66 sittings and more than 160 hours later, the Joint Parliamentary Committee (“JPC”), constituted to examine the Personal Data Protection Bill (hereinafter ‘PDPB’), which was introduced in the Lok Sabha by the Minister of Electronics and Information Technology on December 11, 2019, concluded its examination of the PDPB, recommending 89 amendments and the introduction of a new clause. The PDPB is expected to be tabled before Parliament during the budget session, which is to resume in March 2021.

The passage of India’s first comprehensive data protection legislation shall come in the wake of the government’s attempts to develop and regulate its national tech-ecosystem. The PDPB, inter alia, prescribes the manner in which personal data is to be collected, processed, used, disclosed, stored and transferred. It is applicable to the processing of personal data and covers: (i) the government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.[1]

The PDPB envisages the creation of a Data Protection Authority (hereinafter ‘DPA’)[2] which shall function as a regulator and ensure compliance with the Act, as and when it is passed. The DPA is endowed with legislative, executive, adjudicatory as well as advisory powers. The DPA may be understood as an overarching market regulator, primarily regulating companies and laying down industry standards.

The Bill also classifies data controllers into two categories, namely data fiduciaries and data processors. Companies which determine the purpose and means of data processing shall be data fiduciaries[3], whereas companies which process data on behalf of such data fiduciaries shall be data processors[4] under the Bill.

Privacy Principles embodied in the Bill

A cursory perusal of the Statement of Objects and Reasons of the Bill indicates that protecting individual privacy is one of the primary concerns of the bill. As held by the Supreme Court in K.S. Puttaswamy v. Union of India (2017)[5], informational privacy is a crucial facet of the right to privacy of an individual. The Bill primarily embodies five privacy principles in this regard:

  • Purpose Limitation: Personal data must be processed only for a specific, clear and lawful purpose.[6]
  • Necessity Limitation: Personal data must be collected only to an extent that is necessary for its processing purpose.[7]
  • Storage/Time Limitation: Personal data must not be retained beyond the period necessary to satisfy the purpose for which it is processed and must be deleted at the end of the processing.[8]
  • Consent: Personal data shall only be processed for the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected.[9]
  • Data Localization: Certain categories of personal data shall be processed and stored only within India.[10] This is elaborated further later in this article.

Through its provisions providing for notice to the data principal of the personal data being processed[11], and his/her right to seek for modification and deletion of data[12], the Bill recognizes the agency of a data principal in matters concerning his/her informational privacy.

Types of Data and Segregation Concerns

The Bill broadly classifies data into two categories: personal data and non-personal data. Personal data, which falls within the Bill’s purview, is further classified into three types: Sensitive Personal Data, Critical Personal Data, and personal data which is neither of the two, which we can call General Personal Data. While Personal Data and Sensitive Personal Data have been defined in the Bill in Sections 3(28) and 3(36) respectively, the determination of what constitutes Critical Personal Data has been deferred to the Central Government.

Segregating personal data from non-personal data, and then further identifying sensitive and critical personal data, shall be the first task of the compliance process undertaken by companies. This may prove to be an extremely cumbersome and difficult task. Caste status and religious affiliation have been defined as sensitive personal data under the Bill. Almost all Indian names indicate both of these about a person. Thus the names of all data principals (customers) shall most likely have to be considered sensitive personal data and accordingly localized.

Section 91 of the Bill directs data fiduciaries to deliver any such anonymized and non-personal data to the Central Government, which shall aid the latter in targeted delivery of services. No provision for compensation or remuneration to the data fiduciaries in this regard has been made. Since the collection of non-personal data is not merely a mechanical exercise, and involves the deployment of technology and innovation on the part of companies, this provision raises serious concerns about the intellectual property rights of data fiduciaries.[13]

Additionally, processing of data in exercises such as pattern generation often involves the use of algorithms on part of companies, which are a part of their intellectual property. The Bill does not provide for protecting the IP rights of companies in this regard, and only extends its protection to trade secrets.[14]

PERSONAL DATA PROTECTION | THE WAY AHEAD

A major overhaul of data-related processes in almost all companies can be expected in order to make them PDPB-compliant. This shall especially be true for companies which are not already GDPR-compliant. Thus, compliance may be relatively easier, with consequently lower compliance costs, for companies which operate globally, especially in the EU, and are already GDPR-compliant, as compared to exclusively local companies, and especially start-ups, which usually store all their data on servers hosted outside India. Secondly, antitrust regulation shall be a natural consequence of this move to regulate and codify data governance through the PDPA, with the government expected to check data sharing amongst large companies to the exclusion of local competitors. However, as a caveat, it must be clarified that there are differences between the laws and regulations under the PDPB and the GDPR. In fact, the PDPB imposes stricter control on the processing of Sensitive Personal Data and on processing of such data by Significant Data Fiduciaries. Also, considering that the term ‘Critical Personal Data’ has been left to be defined by the Central Government, norms pertaining to such data may be more stringent.

Creation of Data Maps and Data Inventories

Though there is no explicit requirement in the PDPB to create data inventories and data maps, doing so would greatly assist companies in complying with PDPB.

Data Maps shall help companies to identify the source of data, its storage location and whether it is transferred abroad. These data maps can then assist companies in extracting relevant data as and when requested by data principals, identifying sensitive and critical personal data which is stored on servers abroad, identifying people in the company who have access to various data-sets, conducting risk assessments, among other things.

Data inventories shall help companies to identify the data principals who own data, the time for which the data is stored and the purpose for which it is stored, and enable them to assign tasks to update and delete data. Thus, data inventories can be crucial in ensuring that a company’s data management practices are in accordance with the purpose and storage limitation requirements of the PDPB.

PDPB AND COMPLIANCES THEREIN

While the PDPB is yet to become law, industry opinion suggests that, even when it does, companies may expect to get around 2 years to comply with its provisions, as and when the various provisions come into force. Compliance under the law is stringent, and the penalties prescribed under the PDPB are severe, extending to 4% of the company’s turnover.

The following are the compliance requirements for Data Fiduciaries and Data Processors under the PDPB:

PDPB applies to processing of personal data, subject to certain exemptions.

Identification of the nature of data and its segregation will have to begin from the collection stage itself, in the manner prescribed below:

  • Identify all data possessed by the company and determine whether the entirety/any part of it qualifies as personal data, that is, if it is about a natural person who is directly or indirectly identifiable or pertains to any inference drawn from such data for the purpose of profiling (Section 2).
  • Identify whether the processing of the entirety/any part of its personal data falls under the exemptions granted by clauses (b), (d) and (e) of Section 36 of the Bill.
  • Review third-party and outsourcing contracts to insert clauses for PDPB-compliance and penalties for non-compliance.
  • Identify whether the company is a small entity engaged in manual processing of data as per Section 39(2) of the Bill, which would exempt it from the purview of the Bill.

While anonymized and non-personal data are out of the purview of the Bill, a company may be required to provide them to the Central Government for targeted delivery of services or policy reasons [Section 91(2)].

  • Maintain a separate data inventory for all non-personal and anonymized data.
  • Develop mechanisms to share it with the Central Government as and when required.
  • Understand when the government’s claims can be resisted by the company as per Section 91(2) of the Bill.

Data Localization Requirements

  • Sensitive Personal Data: Must be stored in India; can be transferred outside for processing [Section 33(1)], subject to explicit consent of the data principal for the same and pursuant to a contract or intra-group scheme approved by the DPA [Section 34(1)].
  • Critical Personal Data: Must be stored and processed only within India and cannot be transferred [Section 33(2)], subject to the provisions of Section 36.

The company must, first, classify its personal data into three types: sensitive personal data, critical personal data[15] and general personal data. It must then comply with the processing, transfer and storage requirements as applicable. IT service providers, especially, must soon revamp their data transfer mechanisms, as they frequently engage in intra-company transfers outside India.

If the company is dealing with sensitive personal data which it has stored on servers abroad, it must ensure that it has first obtained explicit consent from the relevant data principals for the data transfer.

  • It must draft transfer contracts or intra-group schemes (if it is an MNC) in accordance with the requirements enumerated in Section 34(1)(a).
  • It must ensure that the consent-obtaining process and the contract drafting and approval do not, ideally, take more than two years after the relevant provisions are enforced. Advance preparations may be made by companies in this regard.

After obtaining the said consent, companies may have to further classify their sensitive personal data into two categories: data for which consent for transfer has been given and data for which it has not. More data storage servers may have to be installed by companies as a consequence, and they must account in advance for the logistical and infrastructure costs which may arise from this.

Elaborate consent mechanisms will especially have to be devised by data processors since they do not have any direct contact with data principals. For instance, a company processing data for Big Data Analytics or pattern generation for another company may have to devise ways to obtain consent of the said company’s data principals before taking their data out of India and comparing it with other data-sets. 

Impact on foreign service providers: Foreign companies based outside India providing services to Indian customers, especially in the fin-tech and fitness sectors, will have to invest in developing data servers in India for localization of sensitive and critical personal data.

All data fiduciaries must formulate a ‘Privacy by Design’ policy and get it approved by the DPA [Section 22].

  • Develop the policy in accordance with the requirements enumerated in Section 22(1) of the Bill. The policy must ensure that the privacy principles enumerated earlier in this article are embedded in data processing activities at every stage of the data cycle. Thus, all stages of the data cycle, such as collection, storage, modification, anonymization, encryption, etc., must embody the principles of consent, purpose limitation and storage limitation, as well as data localization where applicable.
  • Develop procedures to identify the risk of harm to data principals and periodically deploy such procedures on data inventories to ensure compliance. Develop mitigation strategies to be deployed in the event of any harm being caused.
  • The technology used in this respect must ideally be as per industry-recognized practices or other certified standards to ensure approval by the DPA.
  • Publish the approved policy on the company website and ensure that it can be easily accessed by visitors.

Data fiduciaries must have adequate grievance redressal mechanisms [Section 32].

  • Create mechanisms for data principals to raise grievances with the company, such as through email, phone call, text message or an online application.
  • Ensure that the details for approaching the company are clearly accessible through its website.
  • Allocate the task of grievance redressal, right from acknowledging receipt to allaying concerns, to qualified personnel.

Notification of a breach must be given by the data fiduciary to the DPA where any harm to the data principal is likely [Section 25].

  • Develop data breach response procedures to notify the DPA as soon as possible in case of a breach.
  • Review contracts with third parties and processors to ensure that they inform the company of any breach on their part in a timely manner, which it may then duly relay to the DPA.
  • Review liability provisions in third-party contracts for breaches caused by third parties. Companies may consider amending these provisions to impose greater liability, monetary or otherwise, so as to incentivize diligent compliance with the PDPB by such third parties.

As per Chapter III of the Bill, data may be processed only after obtaining the consent of the data principal, or for state action, legal obligation, compliance with a court order, emergencies, employment and reasonable purposes (to be specified by the DPA).

  • Identify the various legal bases under which the company processes data. Obtain consent accordingly, as and when it is appropriate.
  • Ensure that the ground for data processing is reflected in the company’s privacy policy or any notice thereof.

For data processing on the ground of consent of the data principal, the said consent must be informed, free, clear and specific [Section 11]. For processing of sensitive personal data, the consent must be explicit.

  • Ensure that there are mechanisms in place to obtain consent before data collection. To this end, existing standard form contracts or consent agreements may be revised. Fresh consent forms may also be drafted.
  • Maintain clear records of consent obtained from data principals as evidence of compliance.
  • Ensure that provision of goods or services or performance of a contract is not conditional on consent to processing any personal data that is not necessary for that purpose.
  • Review existing consents to ensure compliance with the new requirements and, where non-compliant, draft new consent forms to seek fresh consent. Thus, for instance, specific consent entails that the terms and conditions of various standard form contracts must be re-drafted to clearly enumerate the data being collected, the purpose of its collection, as well as the time period for which it is being collected. Consent of data principals for every processing activity must be sought separately. Wide data-sharing clauses must also be done away with, and data must be collected strictly to the extent necessary for its purpose.
  • Create mechanisms to allow data principals to withdraw consent.

After the collection of personal data, data fiduciaries must notify data principals of the following: the type of data collected, the manner of collection, the purpose of collection, the likelihood of significant harm, and the procedure for exercising data principal rights [Sections 7 and 23].

  • Draft privacy notices, or update existing ones, to incorporate this information.
  • Ensure that the notices so drafted present this information in a clearly identifiable and easily comprehensible manner.

If the data principal is below eighteen years of age, data fiduciaries shall verify their age in a manner prescribed by the DPA, and process their data only after obtaining the consent of their parent/guardian [Section 16].

  • Identify all personal data which pertains to minors (below 18 years of age).
  • Ensure that the company’s age verification process is compliant with the DPA’s regulations, when the same are enforced.
  • Ensure a speedy mechanism for compliance with the regulations, which preferably does not extend beyond 2 years from the date of enforcement.
  • Develop mechanisms to obtain parental/guardian consent for all data collected henceforth.
  • Revisit all previous data pertaining to minors and ensure that parental consent for processing is taken if the same data is to be processed for a new purpose.

All personal data collected shall be permanently deleted once the period necessary for fulfilling the purpose of its collection is over [Section 9(1)], and may be retained for longer only if the data principal ‘explicitly’ consents to it [Section 9(2)].

Periodically review the data inventory to check whether the data stored is within the time limit prescribed by the Bill. Develop mechanisms to obtain the express consent of data principals for longer retention. This might involve:

  • Maintaining a detailed repository of all data principals of the company.
  • Developing means to reach out to them for obtaining their explicit consent.
  • Designing templates for the above-mentioned express consent agreements. These agreements shall function as evidence before the Data Protection Authority, if the need to demonstrate compliance ever so arises.
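The data maps and inventories discussed earlier, the localization and transfer conditions for sensitive and critical personal data, and the periodic retention review described here all reduce to checks that can be run mechanically over an inventory. The following Python is an added illustration, not code from the article, the Bill or any project: the `InventoryRecord` fields, the subset of sensitive categories, the empty placeholder for critical categories (none have been notified by the Central Government) and the sample records are all constructed assumptions, and the section numbers in the messages follow the article's references.

```python
"""Data-inventory compliance checker modelled on the PDPB obligations
described in the article. Added example with constructed sample data;
not the Bill's text and not any project's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Assumed subset of sensitive personal data categories (Section 3(36) lists
# more). Caste and religion are included because the article notes that
# Indian names frequently reveal both.
SENSITIVE_CATEGORIES: Set[str] = {"financial", "health", "biometric", "caste", "religion"}
# Critical personal data is whatever the Central Government notifies (note 15);
# nothing has been notified yet, so this is an empty placeholder.
CRITICAL_CATEGORIES: Set[str] = set()
# Review date used by the sample run below (constructed).
AS_OF = date(2021, 3, 8)


def classify(categories: Set[str]) -> str:
    """Return 'critical', 'sensitive' or 'general' for a dataset's categories."""
    if categories & CRITICAL_CATEGORIES:
        return "critical"
    if categories & SENSITIVE_CATEGORIES:
        return "sensitive"
    return "general"


@dataclass
class InventoryRecord:
    """One row of the data inventory (field names are assumptions)."""
    dataset: str
    categories: Set[str]                 # kinds of personal data held
    purpose: str                         # specific purpose; "" = none recorded
    collected_on: date
    retention_days: int                  # period necessary for the purpose
    stored_in_india: bool
    transferred_abroad: bool = False     # copies sent outside India for processing
    transfer_consent: bool = False       # explicit consent of principals to transfer
    dpa_approved_contract: bool = False  # contract / intra-group scheme approved by DPA
    retention_consent: bool = False      # explicit consent to retain past the period


@dataclass
class Finding:
    dataset: str
    rule: str
    message: str


def check_inventory(records: List[InventoryRecord], today: date) -> List[Finding]:
    """Apply purpose, localization, transfer and storage-limitation checks."""
    findings: List[Finding] = []
    for r in records:
        kind = classify(r.categories)
        if not r.purpose.strip():
            findings.append(Finding(r.dataset, "purpose-limitation",
                                    "no specific purpose recorded (s 4)"))
        if kind == "critical" and (not r.stored_in_india or r.transferred_abroad):
            findings.append(Finding(r.dataset, "localization-critical",
                                    "critical personal data must be stored and "
                                    "processed only in India (s 33(2))"))
        if kind == "sensitive":
            if not r.stored_in_india:
                findings.append(Finding(r.dataset, "localization-sensitive",
                                        "sensitive personal data must be stored in India (s 33(1))"))
            if r.transferred_abroad and not (r.transfer_consent and r.dpa_approved_contract):
                findings.append(Finding(r.dataset, "transfer-conditions",
                                        "transfer abroad needs explicit consent and a "
                                        "DPA-approved contract or scheme (s 34(1))"))
        expiry = r.collected_on + timedelta(days=r.retention_days)
        if today > expiry and not r.retention_consent:
            findings.append(Finding(r.dataset, "storage-limitation",
                                    f"retention period ended {expiry.isoformat()}; "
                                    "delete or obtain explicit consent (s 9)"))
    return findings


def rules_by_dataset(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the rule identifiers of the findings per dataset."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.dataset, []).append(f.rule)
    return grouped


# Constructed sample inventory: one sensitive dataset transferred abroad without a
# DPA-approved contract, one stale general dataset with no purpose, one clean dataset.
SAMPLE_INVENTORY: List[InventoryRecord] = [
    InventoryRecord("customer_kyc", {"name", "financial"}, "account opening",
                    date(2020, 6, 1), 365, stored_in_india=True, transferred_abroad=True,
                    transfer_consent=True, dpa_approved_contract=False),
    InventoryRecord("marketing_leads", {"name", "email"}, "",
                    date(2019, 1, 10), 180, stored_in_india=False),
    InventoryRecord("support_tickets", {"name", "email"}, "customer support",
                    date(2021, 1, 5), 730, stored_in_india=True),
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY, AS_OF):
        print(f"{f.dataset}: [{f.rule}] {f.message}")
```

Run periodically against the real inventory, the output is the worklist the article describes: datasets to delete or re-consent, transfers that lack an approved contract, and records whose purpose was never captured. The empty `CRITICAL_CATEGORIES` set is the one knob that must be filled in once the Central Government notifies what counts as critical personal data.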

Data fiduciaries must provide the personal data collected from data principals, or any summaries thereof, to such data principals on demand [Section 17(1)].

  • Maintain a complete data inventory of all personal data collected.
  • Develop mechanisms to make relevant data available to the data principal on demand.

Data principals have the right to access a comprehensive overview of the identities of the data fiduciaries who have access to their personal data and the categories of personal data shared [Section 17(3)].

  • Ensure that the above-mentioned data inventory also has up-to-date records of the identities of all such data fiduciaries, corresponding to the personal data they have access to.
  • Ensure that the manner of providing access to data principals is in compliance with the regulations issued by the DPA in this respect, as and when they are enforced.

Data principals have the right to seek erasure or modification of all the irrelevant personal data that has been collected from them [Section 18(1)]. The same can be sought directly from the data fiduciary without approaching an adjudicating authority first.

  • Develop mechanisms to ensure timely erasure or modification of data, as requested.
  • Develop mechanisms to ensure that the said erasure or modification is duly conveyed to all entities with whom the relevant data has been shared.

Regulatory Sandbox: Data fiduciaries collecting personal data for developing new technologies in the fields of AI and machine learning shall be exempted from the consent, storage limitation and purpose limitation requirements under the Act for about 12 months [Section 40(1)].

In such a case, the data fiduciary must, first, have a ‘Privacy by Design’ policy in place before applying for inclusion in the sandbox. It must, second, ensure that its application is compliant with the conditions enumerated in Section 40(3) of the Bill.

In addition to the above compliances, if the DPA notifies any data fiduciary or class of data fiduciaries as a significant data fiduciary[16], the following compliances shall be applicable as well:

  • A company designated as a significant data fiduciary must register itself with the DPA [Section 26(2)].
  • Appointment of a Data Protection Officer to ensure compliance with the PDPB and to serve as the point of contact for data principals and the DPA [Section 30].
    • Ensure that the officer so appointed has the requisite qualifications and resides in India.
  • Conducting a Data Protection Impact Assessment (DPIA) before certain processing activities, such as processing involving new technologies, large-scale profiling, use of sensitive personal data or any processing activity which may otherwise run the risk of significantly harming data principals [Section 27].
    • With respect to the DPIA, the company must ensure that its various teams are aware of the processing activities enumerated in Section 27 and that they conduct a DPIA prior to collecting data for such processing purposes. Companies may also consider drafting templates for DPIA reports.
  • Independent and annual third-party audits [Section 28].
    • Develop procedures to engage third parties for annual audits. Ensure that the data trust score assigned to the company by the said independent auditor is reflected in the company’s privacy policy. Develop internal processes to demonstrate compliance with the Bill, such as through records and consent agreements.
  • Records of important operations in the data life cycle must be maintained.

PENALTIES UNDER THE BILL FOR NON-COMPLIANCE

Chapter X of the Bill enumerates various penalties which shall be levied on data fiduciaries and data processors for non-compliance with various provisions of the Bill.

It provides for three main types of penalties which are applicable only to data fiduciaries:

  1. A penalty of five crore rupees or two percent of the company’s total worldwide turnover of the preceding financial year, whichever is higher. This penalty shall be levied in cases in which the company fails to:
    • take prompt and appropriate action in response to a data security breach
    • register with the DPA, if it is a significant data fiduciary
    • undertake a data protection impact assessment if it is a significant data fiduciary
    • conduct a data audit if it is a significant data fiduciary
    • appoint a data protection officer if it is a significant data fiduciary
  2. A penalty of Rs 15 crores (approx. USD 2 million) or four percent of the company’s total worldwide turnover of the preceding financial year, whichever is higher. This penalty shall be levied in cases in which the company fails to:
    • Process its personal data in accordance with the provisions of Chapter II and III of the Bill.
    • Process its personal data of children in accordance with the provisions of Chapter IV of the Bill.
    • Adhere to the security safeguards
    • Transfer personal data outside India in accordance with the provisions of Chapter VII.
  3. Pursuant to Section 58, if a data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter V, such data fiduciary shall be liable to a penalty of Rs 5,000 for each day during which such default continues, subject to a maximum of Rs 10,00,000 (approx USD 13,333) in case of significant data fiduciaries and five lakh rupees in other cases.
  4. Additionally, pursuant to Section 64 of the Bill, data fiduciaries and data processors shall be liable to pay compensation to the data principal in event of any harm suffered by the latter due to any non-compliance on part of the data controllers.
  5. As per Section 84 of the Bill, any person responsible for conducting the business of a company shall be deemed guilty of any offence committed by the company under the Bill.

In the interim – “Bill” until the “Act” ….

Even though many significant concerns of companies pertaining to compliance processes for data collection, processing, storage, etc., will be allayed only when the DPA enacts regulations to that effect, an assessment of legal opinion indicates that companies can anticipate the said regulations in some aspects and to a certain extent, and might want to consider triggering compliance preparation in advance. For instance, a regulation on encryption or anonymisation should ideally say ‘do best available’ or ‘do best-in-industry standards’, as opposed to prescriptive directives from the DPA.[17]

Additionally, for compliance measures such as those pertaining to formulating a ‘Privacy by Design’ policy, companies in the same sector may come together and, through a consultative process, arrive at codes of practice to be followed in operational, managerial and technical aspects which work best for them.

Supriya Shekhar & Anupam Prasad

anupam@aplawchambers.in


[1] Personal Data Protection Bill, s 4.

[2] ibid s 41.

[3] ibid s 3(13).

[4] ibid s 3(15).

[5] K.S. Puttaswamy v Union of India (2017) 10 SCC 1.

[6] (n 1) s 4.

[7] ibid s 6.

[8] ibid s 9(1).

[9] ibid s 5(b).

[10] ibid s 33, 34.

[11] ibid s 7.

[12] ibid s 18.

[13] Akhil Deo, ‘The Personal Data Protection Bill 2019: Recommendations To The Joint Parliamentary Committee | ORF’ (ORF, 2021) <https://www.orfonline.org/research/the-personal-data-protection-bill-2019-61915/> accessed 4 January 2021.

[14] ibid s 19(2)(b).

[15] Critical Personal Data shall be as notified by the Central Government

[16] As per Section 26 of the Bill, “the Authority (DPA) shall, having regard to the following factors, notify any data fiduciary or class of data fiduciary as significant data fiduciary, namely:—

(a) Volume of personal data processed;

(b) Sensitivity of personal data processed;

(c) Turnover of the data fiduciary;

(d) Risk of harm by processing by the data fiduciary;

(e) Use of new technologies for processing; and

(f) Any other factor causing harm from such processing.”

[17] Trisha Jalan and Soumyarendra Barik, ‘Impact Of Personal Data Protection Bill, 2019, On Companies – Medianama’ (MediaNama, 2021) <https://www.medianama.com/2020/01/223-nama-impact-personal-data-protection-bill-2019-companies/> accessed 4 January 2021.