India’s upcoming data protection regime
India is on the cusp of enacting its first comprehensive legislation on data protection, a natural fallout of the nine-judge constitution bench of the Supreme Court recognising the right to privacy as a fundamental right in the historic judgment Justice KS Puttaswamy v Union of India (24 August 2017).
In light of this decision, the constitutionality of the biometrics-based Indian social security number ‘Aadhaar’ was challenged in a reference. The Aadhaar was originally meant only for availing of the benefits of subsidies and government schemes, but it has morphed into the only acceptable form of identification for a wide range of activities including availing of medical services, obtaining mobile phone connections and opening bank accounts. While the decision in the reference upheld the applicability of Aadhaar for all government subsidies, schemes and filing taxes, it struck down those provisions of laws and policies that made the disclosure of the Aadhaar number mandatory in circumstances where a private party would be responsible for storing and processing it, on the grounds of an individual citizen’s right to privacy (Justice KS Puttaswamy v Union of India (Supreme Court, 26 September 2018)).
In the meantime, the government appointed an expert committee (a nine-member committee headed by Justice BN Srikrishna – known as the ‘Srikrishna Committee’), which submitted a report and draft legislation on data protection on 27 July 2018 (the Personal Data Protection Bill 2018).
While this is currently a bill and will possibly include several amendments before being enacted as statute, it serves as a blueprint for India’s upcoming data protection law.
Salient features and analysis
The bill is largely modelled on the EU General Data Protection Regulation (GDPR, effective as of 25 May 2018), but retains significant differences. The bill provides for a phase-wise implementation of its provisions over 18 months on enactment.
As opposed to data protection legislation in the European Union, China and the United States, which use the terminology ‘data subject’ and ‘data controller’, the bill uses the terms ‘data principal’ (natural person) and ‘data fiduciary’ (public and private sector entities that collect, process and store data).
The bill applies to both government and private entities and extends to data fiduciaries (both Indian and foreign entities) carrying out processing (ie, collecting, storing, disclosing, sharing or otherwise using) of personal data in connection with any business carried on in India, systematic offering of goods and services to data principals in India, or profiling of data principals within India.
The bill proposes that the Data Protection Authority of India oversee the enforcement and handling of complaints under the bill (once enacted). The authority may conduct inquiries into the workings of data fiduciaries. Further, it may issue warnings, or temporarily suspend or discontinue the business of a data fiduciary for contravention of the bill.
Data is categorised primarily as ‘personal data’ and ‘sensitive personal data’. Personal data relates to a natural person and their directly or indirectly identifiable characteristics or traits (ie, features of identity). Personal data may be processed:
- with the consent of the individual;
- for the functions of state and compliance with law and order; or
- where prompt action is required in case of emergency.
Further, it may be processed for reasonable purposes by the data fiduciary. However, the definition of ‘reasonable’ here is unclear and should be clarified in order to restrict broad interpretation. Sensitive personal data includes passwords, financial data, health data, sexual activity and orientation, biometrics, genetic data, caste or tribe, as well as religious and political beliefs or affiliations. This category of data may, among other things, be processed:
- pursuant to the explicit consent of the data principal;
- for certain functions of state and compliance with any law mandating the same; and
- in response to medical emergencies.
The bill does not provide for how the existing volume of data held about data principals is to be classified or processed under these categories. This adds another layer of compliance to be undertaken by the data fiduciaries. In addition, the bill mentions ‘critical personal data’, a subset of personal data which may be notified by the central government. However, no parameters for categorising some personal data as critical personal data have been provided, and this is entirely at the discretion of the government.
The bill provides the data principal with the right to obtain confirmation on whether the data fiduciary has processed their personal data, a brief summary of the personal data so processed and the activities undertaken in respect of their personal data (eg, information regarding with whom the data is being shared and the period of its retention). Further, the data principal will have the right to correct or update any inaccurate or outdated data and to transfer their personal data to another data fiduciary. The data fiduciary must ensure that personal data is retained only as long as is reasonably necessary, after which it must be deleted. The data fiduciary must provide a detailed notice to the data principal before or at the time of the personal data collection. The data fiduciary must notify the Data Protection Authority in case of any breach of personal data that is likely to cause harm to the data principal. However, the bill accords discretion to the data fiduciary to judge whether the breach constitutes harm to the data principal, without laying down any specific guidelines for the same.
The bill requires that one copy of all personal data processed within India be stored on a server within India. This requirement seems elaborate and unfeasible, given that in our globalised world, several entities process data in numerous countries without any actual physical presence in those countries, and India is no exception. This requirement therefore imposes unnecessary and unrealistic obligations on organisations to maintain data servers in India. Therefore, if enacted, the provision will act as a huge barrier for entry into the Indian market and affect the ease of doing business in India. Moreover, cross-border data transfers are presently governed by mutual legal assistance treaties with other countries. Obligations under these treaties will continue to apply and instances of conflict might arise with the data localisation requirement envisaged under the bill.
While the bill applies to the processing of personal data by the state, it also creates an exception that sensitive personal data may be processed for state functions or acts of Parliament for any provision or benefit to the data principal, even without consent. This exception has seemingly been created for the Aadhaar, which itself has several privacy concerns. The exception is wide enough to include, among other things, several welfare programmes, income tax returns and healthcare benefits. In light of this, the scope of data which may be processed by the state without consent is very broad. This is problematic because the Data Protection Authority is not an independent body, being bound by the control and directions of the central government in policy matters. To ensure that the bill’s applicability to the state does not become meaningless, the exception should be better carved out and provide for further safeguards. The issues of mass surveillance and government interference have been left unaddressed by the bill. Intelligence agencies must be reasonable in their approach towards personal data; however, the bill is silent on the definition of ‘reasonableness’, making the provision ambiguous and its violation impossible to assess. Further, law enforcement agencies are not required to inform Parliament about the nature and scale of their surveillance and interception activities.
The bill provides for exemptions from the obligations of data protection. Exemptions are created for, among other things, the purposes of:
- state security;
- prevention, detection, investigation and prosecution of contraventions of law;
- processing for the purpose of legal proceedings;
- research, archiving or statistical purposes;
- journalistic purposes; and
- manual processing by small entities.
The bill also provides for transparency and accountability measures, as well as specified grounds for processing personal and sensitive personal data.
Effectively, most of the bill is not applicable in respect of these exempted purposes, except for:
- the duty of processing data in a reasonable manner;
- respecting privacy; and
- implementing security safeguards to prevent any harm resulting from the processing of this data.
The bill also lays down penalties to be prescribed by the Data Protection Authority, ranging from Rs50 million or 2% of total worldwide turnover to Rs150 million or 4% of total worldwide turnover. Such penalties are applicable in case of, among other things:
- failure to take action in response to a data security breach;
- failure to undertake a data protection impact assessment and data audit; and
- failure to register with the Data Protection Authority.
The penalties collected from offenders are to be used by the Data Protection Authority for creating awareness regarding the functioning and the application of the bill. This is a potential conflict of interest, as the authority benefits monetarily from imposing higher penalties and may impede the fair adjudication of disputes.
Separately, the data principal has the remedy to claim compensation for harm suffered as a result of any violation of the bill from the data fiduciary.
Moreover, criminal penalties have been prescribed in cases where personal or sensitive personal data is knowingly or recklessly dealt with, causing significant harm to the data principal, with a prison term of up to three years (when pertaining to personal data) and five years (when pertaining to sensitive personal data). These punishments will be meted out by criminal courts. However, creating cognisable, non-bailable criminal offences on which the police can predicate the arrest of an executive is unhelpful and will only disadvantage Indian firms in the global digital economy. This liability is especially onerous, and differs from its GDPR counterpart, which provides only for civil liability and heavy fines.
Differential treatment has been envisaged under the bill for the data of foreign and Indian data principals. Therefore, data fiduciaries will be required to operationally segregate user data and differentially treat data belonging to Indian and foreign users and customers. Such a legal requirement is technically cumbersome and may become arbitrary during enforcement.
The bill has been crafted from provisions inspired by the GDPR, with little modification. However, the bill has numerous ambiguities and unaddressed issues, such as the timeline for the enforcement of its provisions, overarching powers of the government, burdensome compliance obligations and lack of specificity in various provisions. Given that the implementation of the GDPR is still at its nascent stage, India’s lawmakers should provide for flexibility in the bill to evolve from both global experience and the Indian context.
The government has taken the first step by placing the bill in the public domain and calling for recommendations on the same. It is hoped that, after public consultation, the bill in its final form will be more balanced and less compliance-heavy, thereby making it more effective and easier to implement.