23 October, 2018
In the context of the Supreme Court’s Puttaswamy judgement asserting the right to privacy to be a fundamental right and the overhaul of the European data protection regime, the need for a comprehensive personal data protection regime has never been so pressing in India.
Aadhaar, General Data Protection Regulation (“GDPR”), move towards a digital economy… adopting a data protection legislation has become a political imperative for India.
For the purpose of Aadhaar, India’s national biometric ID project, India has proceeded to the largest data collection exercise in India's history, without a data protection law being in place. This collection, relying on a quasi-compulsory scheme, has been termed as a cautionary tale. Further to several security breaches, Aadhaar’s implications for individual privacy have been, and are still being, legally challenged on several accounts, leading to the landmark judgement K S Puttaswamy v Union of India (2017) in which the Supreme Court reaffirmed the fundamental right to privacy as a core constitutional value and asserted a positive obligation on the government to protect individuals from threats to privacy both from state and private actors.
The Puttaswamy judgement has forced a long overdue conversation on data protection, with GDPR in its background.
As a result, and less than a year after being constituted, the committee of experts entrusted with creating a data protection framework, the Srikrishna Committee, released, on 27th July 2018, the Personal Data Protection Bill, 2018 (“PDPB”), largely influenced by the GDPR now seen as an important benchmark for data protection legislation.
Below are the key features of the PDPB:
I. APPLICABILITY
The PDPB aims at dealing with the collection and processing of data, defined as any representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. The PDPB segregates personal data and sensitive data, each defined comprehensively.
The PDPB introduces the concepts of:
- data fiduciary, being any person, including the State, a company, any juristic entity or any individual who, alone or in conjunction with others, determines the purpose and means of processing of personal data,
- data principal, being the natural person to whom the personal data relates, and
- data processor, being any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary.
The PDPB is extra-territorial and extends not only to data fiduciaries established in India, but also to data fiduciaries carrying out the systematic activity of offering goods and services to data principals in India or performing any activity that involves profiling of data principals within India.
II. GROUNDS FOR DATA PROCESSING
Under the PDPB, collection of personal data must be justified under at least one of the ‘grounds for processing’ listed exhaustively by the PDPB. While consent is treated as the primary legal ground for processing personal data by companies, the Government is given significantly broader leeway, as the State can collect data on the ground of collection ‘for the functions of the State’, under which all ‘necessary’ data processing may be justified (to be tested as per the constitutional limits set by the Puttaswamy judgement).
For the consent to be valid, it must be (a) free, (b) informed, (c) specific (limit on purpose), (d) clear and (e) capable of being withdrawn. Organisations will therefore have to refresh their notice and consent forms to comply with the PDPB.
Collection of children’s data requires parental consent after age verification.
In addition, data fiduciaries should restrict data collection only to that necessary (collection limitation) for providing the service to the data principal or fulfilling the specified purpose (purpose limitation), and store the said data only as long as is necessary to fulfil the purpose (storage limitation). In pursuance of this data minimisation principle, data collected for one purpose cannot be repurposed without further consent.
III. DATA PRINCIPAL’S RIGHTS
Like the GDPR, the PDPB grants data principals several rights, including the right to confirmation and access, the right to correction, the right to data portability and the right to be forgotten.
IV. DATA FIDUCIARY’S OBLIGATIONS
The PDPB casts several duties on data fiduciaries, such as the duty to send clear, concise and comprehensible notice, the duty to secure the data (by implementing security safeguards like encryption, de-identification, etc.) and obligations in accordance with the principles of purpose limitation, collection limitation, maintenance of data quality and storage limitation.
Data fiduciaries are expected to design a data privacy framework and privacy controls to meet the requirements of the PDPB (privacy by design). For existing processes, organisations will have to perform a privacy assessment and update their processes.
Data fiduciaries deemed ‘significant data fiduciaries’ (categorised as such based on the volume and sensitivity of data processed) must register themselves with the Data Protection Authority of India (“DPAI”), appoint a data protection officer, perform a risk-based data protection impact assessment and perform annual independent audits of their policies and measures for protection of personal data.
The PDPB imposes stringent storage provisions by requiring data fiduciaries to segregate the data to which the PDPB applies and store such data in India, either completely or in the form of mirror servers. Such mandatory data localisation in India might prove a burdensome and prohibitive barrier to SMEs, especially if identified by the Central Government as processing ‘critical personal data’, which can only be stored in India. In addition, the PDPB imposes several restrictions on cross-border transfers of data.
V. REGULATION, REPORTING AND ENFORCEMENT
The PDPB mandates the creation of the DPAI which is granted adjudicatory, regulatory and policy making powers. However, the excessive delegation of legislative authority and lack of independence of the DPAI have been cited as concerns by the stakeholders.
The PDPB introduces a system of data breach notification under which an organisation has to notify the DPAI of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal, within the time frame prescribed by the DPAI.
The DPAI is empowered to levy substantial penalties on any offender, including the State, since the definition of data fiduciary makes the PDPB enforceable against the State, resulting in the DPAI having jurisdiction over any government data fiduciaries. However, the vast exemptions (based on necessity and strategic interests of the State) mostly free them from their liabilities.
The PDPB prescribes steep penalties along the lines of the GDPR. This includes penalties which may extend to Rs. 50 million or 2% of worldwide turnover of the preceding financial year for violations like failing to notify the DPAI in case of breach. The higher of Rs. 150 million or 4% of the annual global turnover is prescribed for violations like processing personal data in contravention of the PDPB. Complaints can be filed by an aggrieved data principal before Adjudicating Officers appointed under the PDPB. Appeal from their orders lies to an Appellate Tribunal and thereafter to the Supreme Court. The PDPB also prescribes a list of non-bailable and cognizable criminal offences. This includes processing of data in breach of the PDPB, for which the DPAI can prescribe a maximum fine of Rs. 200,000 or imprisonment of 3 years.
PROPOSED BY DS AVOCATS
VI. CONCLUSION
India’s drive to adopt a personal data regime up to international standards is commendable. However, although substantially similar to the GDPR, the PDPB fails to address certain concerns raised by stakeholders regarding its impacts on the right to privacy and the right to information. Certain deficiencies will need to be addressed prior to the PDPB making its way to the Parliament.
For further information, please contact:
Lisbeth Lanvers-Shah, Partner, DS Avocats
lanversshah@dsavocats.com