2018 is a big year in the field of data privacy and data processing regulation in India. On July 27, 2018, India published a draft of a new, comprehensive data protection law to “be known as the Personal Data Protection Act, 2018,” just a few weeks after the European Union General Data Protection Regulation (GDPR) took effect on May 25, 2018 and California enacted the California Consumer Privacy Act of 2018 at the end of June.
Brazil followed with a new General Data Protection Law (Law No. 13,709/2018) only a few weeks later, on August 14, 2018. With the new law, the Indian government responds to a mandate from the Indian Supreme Court, which had directed the Government of India in August 2017 to enact comprehensive data protection legislation. Until the Personal Data Protection Act becomes effective in India, there is no omnibus data protection regulation as in Europe, nor are there specific sectoral privacy laws as in the United States.
The new Indian Personal Data Protection Act adopts and further develops many existing concepts of EU-style data processing regulation and a few elements of U.S.-style data privacy laws. Global businesses can, and should try to, address the requirements of the new Indian data protection law, the GDPR, the California Consumer Privacy Act and other privacy regimes simultaneously and holistically, in the interest of efficiency.
But it is also clear that organizations cannot simply extend the coverage of their GDPR-centred compliance measures to India without addressing the nuances of the new Indian Personal Data Protection Act and the various differences compared to other jurisdictions’ data processing regulations and data privacy laws.
It is noteworthy that India is not maintaining its status quo, pursuing lighter regulation, or following the U.S. method of sectoral, harm-specific protections for individual privacy, under which Silicon Valley rose to world leadership in information technologies and the broader U.S. technology sector flourished. Instead, India is leaning heavily towards the European model of restrictive data processing regulation. This shift could well affect India’s globally leading information technology sector. In our article, we review the current practices in India on data protection, the newly proposed law, what it offers, and the challenges that can still be seen in the draft bill.
Keywords: Data Privacy, Data Protection, Indian Personal Data Protection Act, Constitution
The world has progressed from the Industrial Revolution, which came about with the advent of rapid industrialisation, to the age of the Information Revolution, which is distinguished by an economy based on information, computerisation and digitalisation. However, increasing globalisation and digitalisation have brought a lot of challenges.
There has been an alarming rise in cybercrime on a global scale. With India also moving towards a digital economy with the adoption of Aadhaar, a huge focus on digital payments even by the masses and an ever-increasing dependency on information, the concerns over cybersecurity, data protection and privacy are justified. Further, in the wake of the Supreme Court ruling that privacy is a fundamental right, there is a growing sense of urgency in India to have in place a proper legislative framework to address the concerns over cybersecurity, data protection and privacy.
Given the growing concerns, the Central Government of India set up a Committee of Experts, headed by Justice B. N. Srikrishna, to study the challenges surrounding data protection in India, agree on a set of principles and provide suggestions on which to base the data privacy legislative framework. The objective is to ‘ensure growth of the digital economy while keeping personal data of citizens secured and protected’.
The 21st century has witnessed such an explosive rise in the number of ways in which we use information that it is widely known as ‘the information age’. It is believed that by 2020, the global volume of digital data we create is expected to reach 44 zettabytes. Much of that new data will consist of personal details relating to individuals, including information relating to the products they have bought, the places they have travelled to and data produced by ‘smart devices’ connected to the Internet.
There is a wide range of benefits to be gained from collecting and analysing personal data from individuals. Both the public and the private sector are collecting and using personal data at an unprecedented scale and for multifarious purposes. While data can be put to beneficial use, the unregulated and arbitrary use of data, in particular personal data, has raised concerns regarding the privacy and autonomy of the individual. This was the backdrop to the landmark judgment of the Supreme Court in the Puttaswamy case, which recognised the right to privacy as a fundamental right. In this light, in order to harness the benefits of the digital economy and mitigate the harms consequent to it, formulating a data protection law is the need of the hour for India.
The objectives of this paper are to:
- Review the current data protection framework in India and the change in approach now being undertaken;
- Compare it with the global data protection framework; and
- Assess its impact on the Indian business environment.
Data protection law research Details:
With the advancement of the IT and ITES sectors, Indian companies handle and have access to almost all kinds of sensitive details of individuals across the world. These include personal information, credit card details, financial information and even the medical history of individuals. These data are stored in electronic media and are vulnerable both in the hands of employees and to potential cyber-attacks by fraudsters. There have been many instances where such data have been stolen, lost or mismanaged. These recent trends in the Indian IT sector have raised concerns about data privacy. As for the law, there is no express legislation in India dealing with data protection. Although a bill was introduced in the parliament in 2006, reintroduced in an amended form in 2018 and again in December 2019, it is yet to see the light of day. That bill appears to be based on the framework of the European Union Data Privacy Directive 1996 and the GDPR of 2018.
The Bill aims to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected there with or incidental thereto.
The Personal Data Protection Bill 2019 (PDP Bill 2019) was tabled in December 2019 but could not be passed and, in view of objections, was referred to a Joint Parliamentary Committee (JPC) in consultation with various groups. The Bill covers mechanisms for the protection of personal data and proposes the setting up of a Data Protection Authority of India. The 2019 Bill contains some key provisions that the 2018 draft Bill did not, such as that the central government can exempt any government agency from the Bill, and the inclusion of the Right to Be Forgotten.
In July 2017, the Ministry of Electronics and Information Technology set up a committee to study issues related to data protection. The committee was chaired by retired Supreme Court judge Justice B. N. Srikrishna and it submitted the draft Personal Data Protection Bill, 2018 in July 2018. After further deliberations the Bill was approved by the cabinet ministry of India on 4 December 2019 as the Personal Data Protection Bill 2019 and tabled in the Lok Sabha in December 2019. The bills provide for both government as well as private enterprises engaged in data collection.
It also provides for the appointment of “Data Controllers”, who have general superintendence and adjudicatory jurisdiction over subjects covered by the bill. It also says that penal sanctions may be imposed on offenders in addition to compensation for damages to victims. The bill is clearly a step in the right direction. However, due to the paucity of information, the bill is still pending.
To cover cybercrimes, India has the Information Technology Act, commonly referred to as the IT Act, which covers IT-related law in India and delineates the scope of access that a party may have to data stored on a computer, computer system or computer network. However, the provisions of the IT Act do not address the need for a stringent data protection law. The Act was amended in 2008 to meet the growing challenges of cybercrime, but these amendments are still insufficient to deal with the present scenario. The amendment added two important provisions that have a strong bearing on data protection law.
These are sections 43A and 72A. But the provisions pertaining to data security and confidentiality are grossly inadequate. In recent years, incidents of data theft in IT/ITES companies have raised concern over data safety in Indian companies. In one of the data theft cases, the confidential data of some foreign nationals were stolen. This gave rise to a debate over the safety of the data of foreign nationals in Indian companies. The question now is whether India, as a major superpower in the IT sector, can afford to deal with an issue as important as this in the manner in which it has been dealt with in the amendments to the IT Act.
Article 300A of the Indian Constitution, a constitutional right to data exclusivity, provides that no person shall be deprived of his right to property except by the authority of law. But it can only be claimed against the state or an entity of the state, so to rely on this article one has to prove that the violating entity is a government entity (an individual person cannot be counted as an entity; the article applies only if the violation is committed by a company or bank, and then only if it is government owned).
Under the Copyright Act of 1957, intellectual property rights are protected in literary, dramatic, musical, artistic and cinematographic works. A computer database is also included in the term literary work. Copying of, or interference with, a computer database is therefore a violation of copyright, for which both civil and criminal penalties are provided. There is, however, one difficulty: how to differentiate between data protection and database protection. The issues of privacy of an individual are generally related to data protection, whereas database protection concerns the creativity and investment put into the compilation, verification and presentation of databases.
Ever since the Indian Supreme Court ruled in favour of the right to privacy being deemed a fundamental right, India’s IT industry is more inclined than ever to respect and monitor data usage and storage. Microsoft India recently launched free online courses that will allow students, businesses, and legal professionals to understand data compliance, basics of GDPR and other best practices in security. Indian banks and insurance companies are among the early movers in building blockchain infrastructure, which can safeguard customer data. And digital financial lenders are not too far behind either, especially since the majority of their customers are online.
BankBazaar, an online lending marketplace, is prepared to implement necessary data protection standards whenever the law is implemented. Parag Mathur, General Counsel and Head of Compliance, says, “The average BankBazaar customer is mobile-centric with the inclination towards a digital format. Currently, we are seeing 90 million visitors in a quarter from more than 1,300 cities across India. Stakeholders must come together to enact a law which places the customer in charge of his data, and companies should provide value-added services in exchange for that data.”
For greater accountability, companies processing large amounts of data might have to register themselves as significant data fiduciaries to the Data Protection Authority–a key recommendation made by the Srikrishna Committee. Even though there is little clarity on how this will be implemented, it will increase compliance costs that include periodic company audits and the need for data protection specialists among others.
The Information Technology Act, 2000 has recently been amended to meet challenges in cybercrime. The amendment introduced two important provisions that have a strong bearing on the legal regime for data protection. These are sections 43A and 72A, inserted into the IT Act by the amendment Act. But the provisions pertaining to data security and confidentiality are grossly inadequate. In recent years, incidents of data theft in ITES have raised concern about data privacy, notably when an employee sold personal data belonging to a large number of British nationals to an undercover reporter from the British tabloid The Sun. The incident sparked off a debate among offshore industry circles, the media and the legal world as to how safe foreign data is in Indian hands. Hence, the amendments are more of a knee-jerk reaction from the Government to the recent data thefts and other incidents. India has more to do with issues related to cybercrimes and e-commerce transactions than data protection.
The European Union has enforced a comprehensive Directive on Protection of personal Data to all its member countries. The US has also complied with the EU directive through the Safe Harbour Agreement to facilitate business from the EU countries. It would be wise for India to comply with the EU directive as well, as it has a lot at stake. In fact, the Information Technology Act, 2000 deals with the issue of data protection and privacy in a piecemeal fashion. There is no actual legal framework in the form of Data Protection Authority, data quality and proportionality, data transparency etc. which properly addresses and covers data protection issues in accordance with the principles of the EU Directive, OECD Guidelines or Safe Harbor Principles. Accordingly, even if the new proposed amendments to the Information Technology Act, 2000 were adopted, India would still lack a real legal framework for data protection and privacy.
The absence of a data protection law is a huge blow to the outsourcing industry in India. US and European Union customers are protected by a comprehensive privacy directive, and part of that privacy protection is the requirement, placed on companies, not to transfer personal data to countries which do not offer an adequate level of protection. The result is that European trade unions have cited data protection as an issue which should be taken into account in many international outsourcing deals. This could stop the flow of personal data, which in turn would affect our outsourcing industry very badly.
Data privacy in India
The present legal framework on data privacy in India is limited in nature. It consists of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) issued under Section 43A of the IT Act. Norms relevant to data protection and privacy are also dispersed across statutes pertaining to diverse sectors such as taxation and health, leading to the lack of a coherent regulatory framework.
In August 2017, the requirement for a law on the protection of personal data was first recognized by the Supreme Court of India in Justice KS Puttaswamy v Union of India. It explicitly recognized an individual’s fundamental right to privacy and paved the path for a foundational legislation on the protection of personal data. It was closely followed by the release of the report and draft law by the Committee of Experts, chaired by Justice B N Srikrishna.
On 27 July 2018, the committee submitted the draft Personal Data Protection Bill, 2018, along with its report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” to the central Government. The passage of the bill will lead to a shift in the legal framework and replace section 43A of the IT Act and the SPDI rules issued under it.
The need for a comprehensive data protection regime that entrenches informational and data privacy within our legal system was subsequently reiterated by the Supreme Court in the Aadhaar judgment on digital identity (Justice K S Puttaswamy v Union of India (2019)). Both the bill and the report thus represent a critical development. At the time of writing this article, the parliament of India is in session and the Ministry of Electronics and Information Technology (MeitY) has indicated that the passage of the bill is a priority for the new government in its second term. It is likely that the bill will soon be introduced in the parliament to be made into law, and it is possible the final version will be at variance from the draft. The authors have based the present article on the draft bill released in July 2018.
Data privacy: Legal framework
The coming into force of the EU General Data Protection Regulation (GDPR) in May 2018 established a global norm in personal data protection. The draft bill reflects principles contained in the GDPR, while simultaneously attempting to tailor the law to Indian needs. Some of the principles that are visible in both frameworks are purpose limitation, data minimization, limited grounds of processing, data quality and security, and privacy by design.
However, the bill differs in certain fundamental ways, which is indicative of the unique Indian nuances the Expert Committee had to grapple with while drafting the law. The relationship between data principals and data fiduciaries is viewed through the lens of an expectation of trust. Data fiduciaries have a duty of care to handle data in a fair and responsible manner for purposes that are reasonably expected by the data principals. This is an interesting construct that has not been seen in any other privacy framework so far.
The key principles of a data protection law considered are as follows:
· Technology agnosticism – The law ought to be technology agnostic. It ought to be flexible enough to take into account changing technologies and standards of compliance.
· Holistic application – The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.
· Informed consent – Consent is an expression of human autonomy. For such expression to be genuine, it has to be informed and meaningful. The law should ensure that consent meets the aforementioned standards.
· Data minimisation – Data that is processed should be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.
· Controller accountability – The data controller shall be held accountable for any processing of data, whether by itself or by entities with whom it may have shared the data for processing.
· Structured enforcement – Enforcement of the data protection framework ought to be by a high-powered statutory authority with sufficient capacity. This should coexist with appropriately decentralised enforcement mechanisms.
· Deterrent penalties – Penalties for wrongful processing need to be adequate to ensure deterrence.
In order to construct a meaningful notice and consent mechanism, the bill has set out conditions for the validity of ordinary consent, namely that it should be free, informed, specific, clear and capable of being withdrawn. The burden of proving that the data principal has given valid consent lies with the data fiduciary. Further, sensitive personal data are subject to heightened consent requirements. Such sensitive personal data refer to personal data that reveal, relate to or constitute passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, or any other category specified by the Data Protection Authority.
Apart from consent, the bill recognizes other grounds of processing such as functions of the state, compliance with law or any order of any court or tribunal, prompt action, employment and reasonable purposes. While the bill is applicable to the state, it has given the state wide room for non-consensual processing of personal data.
Personal data may be processed by the state for any function of parliament or any state legislature, or if such processing is necessary for the exercise of any function of the state authorized by law for the provision of a service or benefit, or the issuance of a certification, licence or permit. Further, the bill does not provide for contractual necessity as a ground for processing. The report states that this is because of the scope for the ground to be easily misused, where data fiduciaries may unilaterally insert obligations into the contract. The ground of “reasonable purpose” appears to be an improvement on the comparatively broader ground of “legitimate purpose” in the GDPR.
The bill imposes restrictions on the cross-border transfer of personal data. This is achieved by a non-exclusive localization mandate where a data fiduciary is to ensure the storage of one serving copy of all personal data. Additionally, an exclusive localization mandate requires that critical personal data shall only be processed in a server or data centre located in India.
What constitutes critical personal data shall be notified by the central government. Localization requirements are an attempt to assert data sovereignty and have also been seen in the Reserve Bank of India’s directive on storage of payment system data (2018) and the Department of Industrial Policy and Promotion’s draft national e-commerce policy (2019). It is worth considering whether the benefits of localization may be achieved through potentially less restrictive means. Additionally, the bill highlights conditions for cross-border transfer of personal data that are not sensitive personal data, including the transfer being made subject to standard contractual clauses or intra-group schemes approved by the authority, the authority’s approval due to necessity, consent of the data principal, etc.
The bill seeks to establish a regulatory authority for monitoring and enforcing the provisions of the act. It is the duty of the authority to protect the interests of the data principals, prevent misuse of personal data, ensure compliance of data fiduciaries with the provisions of the law and promote awareness of data protection. The functions of the authority include specifying additional categories of sensitive personal data, specifying the circumstances where a data protection impact assessment may be required, specifying the criteria for assigning a rating in the form of a data trust score by a data auditor, examination of data audit reports and issuing codes of practice.
Graded penalties commensurate to the conduct of the data fiduciary have been set out. For instance, if obligations concerning taking prompt and appropriate action in the event of a data security breach, undertaking a data protection impact assessment for significant data fiduciaries, or conducting a data audit by a significant data fiduciary are contravened, the data fiduciary or significant data fiduciary is liable to a penalty of up to ₹50 million (US$721,000) or 2% of its total worldwide turnover in the preceding financial year, whichever is higher. Harsher penalties are imposed for unlawful processing of personal data or sensitive personal data, unlawful processing of children’s personal data, failure to adhere to security safeguards, and unlawful cross-border transfer of personal data.
The enactment of the bill will effectuate a shift in the data protection framework in India. It will also impose substantial compliance requirements on entities processing personal data of individuals. These include organizational obligations such as a data trust score, data protection impact assessment, annual data audits, appointment of a Data Protection Officer and a transparent mechanism for data processing to enable access by data principals.
The participatory process followed by MeitY and the Committee of Experts in the formulation of the bill and its companion report on a free and fair digital economy is uncommon in the making of law and policy in India. While the bill is a milestone in the evolution of data privacy norms in India, certain provisions imposing data localization and restricting cross-border data flows stand out as onerous and may act as deterrents to the growth of data-intensive products and services in India. It is hoped that the final version of the law is able to secure a free and fair digital economy that empowers Indian citizens.
Conclusion and Recommendations:
The revised 2019 Bill was criticized by Justice B. N. Srikrishna, the drafter of the original Bill himself, as having the ability to turn India into an “Orwellian State”. In an interview with Economic Times, Srikrishna said that “The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications”, and this view is shared by several experts. Apar Gupta of the Internet Freedom Foundation notes that “Privacy is mentioned just once in this voluminous document — 49 times mentions of ‘security’ and 56 times of ‘technology’”, implying that the Bill does not do enough to protect an individual’s privacy.
Fresh criticism at the international level comes from an advisor to a group proposing an alternative text and a moderately critical summary. The role of social media intermediaries is being regulated more tightly on several fronts. However, it is hoped that the PDP Bill will prove the lesser evil compared with the Draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018.
The US-India Business Council (US-IBC) and the internet and mobile players’ body IAMAI have flagged concerns about certain provisions in the Personal Data Protection Bill. In its current form, the bill “compromises” on the privacy of Indian citizens, as “it has built in far too many exceptions for government agencies to access personal information of the citizens”, and creates challenges for businesses. IAMAI also pointed out that the provision for the Centre to seek anonymised and non-personal data from any data fiduciary via the Data Protection Authority (DPA) – along with the fact that insights derived from personal data are also considered personal data – raises issues of undermining the intellectual property rights of businesses engaged in data services. The association also raised concerns over the fact that the government itself today offers many services in competition with private service providers. The right of the government over the data assets of private businesses risks creating an unlevel playing field for private businesses, it said.
IAMAI highlighted that the requirement to get a certification from the DPA in order to do business in India would create a “restrictive Certification and Licensing regime” for organisations operating in India. IAMAI highlighted that the world wide web (www) is borderless, with many services originating in other countries and still being accessible to a global audience including India. “Such a provision risks isolating India as service providers who do not get certification from the DPA cannot offer their services in India,” it said.
The Bill also states that the Centre can direct any data processor to “provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the central government”. However, one of the provisions of the Bill will “empower the central government to exempt any agency of the government from application of the proposed legislation” — which experts say will give sweeping powers to government agencies to collect data of citizens.
There is general concern that the bill contains several new provisions outside the core issue of data privacy that raise serious concerns for the private sector, particularly the inclusion of requirements around non-personal data and social media intermediary liabilities. “These two issues are distinct from personal data issues and are complex in their own right.” IT/ITES industry body NASSCOM has also sought more clarification on certain provisions of the bill. “The central government has the power to exempt data processors, that process personal data of data principals who are outside the territory of India. While this was included in the earlier draft of the Bill as a miscellaneous provision, this has now been included under the chapter on exemptions under the Bill,” NASSCOM said. Given the need for additional discussion, various groups have urged the government to remain focused on essential data privacy issues and to take up these matters as part of existing policy efforts taking place in parallel.
The USIBC recommended that the Bill be revised to provide ample time for establishing a new DPA and strengthening the DPA’s independence and effectiveness. “We remain committed to working closely with the government as the Bill moves through the parliamentary process. We will continue to seek opportunities for industry and India’s leading trading partners to share their views.”
The industry, in particular the IT-BPM and GCC industries, will need greater certainty on the scope and issuance of the exemption, it added. NASSCOM flagged that “financial data” continues to be defined broadly under the Bill. “This is an area of concern, especially with reference to employee data processing for operations such as payroll services, that requires processing of financial data. Given that explicit consent is the only ground for processing sensitive personal data, the classification of ‘financial data’ as sensitive personal data poses potential problems for other business operations such as risk management, fraud detection, among others,” it noted. It also sought clarity in areas such as classification of significant data fiduciaries and of certain personal data as critical data, and cross-border transfer of sensitive personal data.
Some suggestions to improve the Indian data protection law 2019 and its implementation are shared below:
- Set up the Data Protection Authority with staff who have expertise in industries that use data, such as IT/ITES, health and banking, so that they can appreciate the business drivers and business aspects of data usage, thereby setting up a level playing field, understanding the practical aspects of business, reducing onerous impacts and appreciating improvements suggested by industry.
- Align DPA law provisions with global laws in the US/EU: Given the global nature of business and the presence of Indian companies in the personal client space, such as IT/ITES for financial and health services, it is critical that the country’s overall business competitiveness is kept in mind, especially the fact that these companies may have to comply with a variety of such laws in various countries, making it an onerous and costly affair.
- Cost of compliance and simplification of reporting: The overall cost of compliance should be assessed, and a dialogue held with business to arrive at a position which ensures compliance but does not increase cost too much, including simplification of reporting. It should not bring back inspector raj.
- Penalty process to be made less onerous: Given the challenges of dealing with DPA provisions which may also come under other laws, a specific effort should be made to consolidate and consider penalty provisions in a simplified manner. This is especially important for information controllers in the SME sector.
- DPA law to be reviewed to bring more focus on privacy: Given that the law is focussed on personal data protection, it is important that the term privacy feature in the law at least as prominently as security and technology. To bring more focus on cyber issues, IT law may be amended and/or aligned with DPA law for consistent interpretation and implementation.
- Government agencies to be made more responsible in handling data: The sweeping powers given to government agencies should be reviewed, and such situations defined more closely in line with the country’s security needs. Government agencies should be given responsibility so that they deal with personal data with more care and do not take shelter behind the provisions of the law to hide inefficiencies.
- Education of the masses whose data is going to be used: It is critical that an awareness drive be run India-wide, including in regional languages, on understanding key provisions and individuals’ rights, in line with the learnings of similar programmes by RBI/SEBI/IRDA etc.
Author details: Nandini Tripathy and Sanjiv K Tripathy
The views of the author are personal only.