In July 2017, the Ministry of Electronics and Information Technology (MeitY), Government of India (GoI), constituted a committee of experts under the chairmanship of the retired Supreme Court judge Justice B. N. Srikrishna. The committee was entrusted with the responsibility of identifying lapses in the present data protection regulations and preparing more robust and comprehensive data protection laws. The normative foundation of the Bill is the judgement of the Supreme Court in Justice K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (W.P. (Civil) No. 494 of 2012) (Puttaswamy) upholding the ‘right to privacy’ as a fundamental right under the Constitution of India. After working for nearly a year, the committee submitted the draft Personal Data Protection (PDP) Bill, 2018, in July 2018.
Since its introduction last year, MeitY has solicited comments and suggestions on the PDP Bill from the public, various stakeholders, ministers and consultants. Based on these suggestions, a revised Personal Data Protection Bill, 2019 (Draft Bill), was cleared by the Union Cabinet on December 4 2019.
The PDP Bill has been referred to a joint select committee of both the houses of the Indian Parliament, which is expected to submit its report in early 2020. Accordingly, there may be changes to the PDP Bill based on the recommendations of the joint select committee. Once enacted, the PDP Bill will replace Section 43 of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and prevail over any other inconsistent laws in this regard.
This bill applies to:
Personal Data: means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
Sensitive Personal Data: a subset of personal data which may reveal, relate to or constitute financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation. Additionally, the Central Government in consultation with the Data Protection Authority and the sectoral regulators, notify other categories of personal data as sensitive personal data.
Critical Personal Data: means such personal data as may be notified by the Central Government to be the critical personal data.
The PDP Bill does not apply to the processing of anonymized data, i.e., personal data that has been irreversibly transformed or converted to a form in which a data principal cannot be identified in a manner that meets the standards prescribed by the Data Protection Authority.
The PDP Bill in section 7 sets out certain rights of a "data principal", i.e., the individual whose personal data is collected, including to correct incomplete or inaccurate personal data, erase personal data that is no longer required for the consented purpose and the right to be forgotten.
A "data fiduciary", i.e., an entity or individual who decides the means and purpose of processing personal data, is permitted to collect personal data subject to the consent of data principles and such personal data can be processed only for the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect the use of such personal data. Further, explicit consent will be required for collecting sensitive personal data.
In section 11, the data principal may give or withdraw her consent to the data fiduciary through a consent manager (an entity registered with the DPA which a data principal may use to gain, withdraw, review and manage her consent). Regulations in relation to the registration and other obligations of a consent manager are proposed to be issued by the DPA.
The consent requirement has been allocated within certain specified cases, for e.g., the performance of any lawful function of the State, compliance with any order/judgment of any court, etc. Additional grounds for exemption from the consent requirement are under the category of "reasonable purpose" (which includes mergers and acquisitions, recovery of debt, operation of search engines and whistle-blowers) and may be notified by the DPA.
In section 12 to 15, a data fiduciary is required to give notice to the data principal at the time of collection of personal data or as soon as reasonably practicable where the data is not collected from the data principal with certain prescribed details, including the purpose of the collection; identity and contact details of the data fiduciary and data protection officer, if applicable; procedure for withdrawal of consent; basis for such processing and consequences of failure to provide personal data; source of the collection (if not collected from the data principal); persons with whom the personal data may be shared; information regarding any cross-border transfer of personal data; a period for which the personal data will be retained and procedure for grievance redressal.
The PDP Bill clarifies that provision of any goods or services to the data principal cannot be made conditional on the consent of such data principal to the processing of any personal data that is not necessary for such purpose.
The Bill maintains a similar structure of the 2018 Bill, but would significantly reduce the scope of localization and data transfer restrictions by applying such requirements only to sensitive and critical personal data. In effect, the Bill would establish a three-tiered structure:
A notable feature of the 2018 draft is that it did not include a ground for processing based on contractual necessity. The Bill does not change this position, but adjustments to the “reasonable purposes” legal ground may provide greater convenience for processing in certain situations where it is required to perform a contract.
In the employment context, however, the PDP Bill’s grounds for processing are narrower than those set out in the 2018 draft as data fiduciaries would no longer be permitted to process sensitive personal data for employment purposes.
While “privacy by design” featured in the 2018 draft, the Bill would formalize the requirement — and effectively outlaw “privacy by accident” — by requiring data fiduciaries to “prepare privacy by design policy.” The Bill also creates a mechanism by which, subject to future regulations, the DPA could certify privacy by design policies, in which case the policy would be published on both the data fiduciary’s and the DPA’s website.
Clause 40 states that the authority is entrusted with the responsibility of creating a sandbox for the purposes of encouraging innovation in artificial intelligence (AI), machine learning (ML) or any other emerging technology of public interest. In this regard, certain information is required to be furnished by the data fiduciary, if such fiduciary intends to apply for inclusion in the sandbox.
In line with the growing interest in India around creating rules for non-personal data, the Bill would add a new definition for “anonymized data” that would allow the DPA to establish standards of anonymization through which data could furnish no longer personal data. However, the Bill also grants the government the power to “direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.”
Clause 91 states that the Central Government may, in consultation with the authority, direct any data fiduciary or data processor to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies, in such manner as may be prescribed. For the purposes of this sub-section, the expression ‘non-personal data’ means data other than personal data. This categorisation was not provided in the previous bill.
The penalty provisions of the 2018 draft attracted significant attention due to the number of criminal offences that would have been created, such as for obtaining, transferring or selling personal data in violation of the bill or for re-identifying de-identified data.
The Bill would eliminate most forms of criminal liability, except where a person “knowingly or intentionally re-identifies personal data which has been de-identified by a data fiduciary or a data processor” without the consent of the data principal or the party that de-identified the data. Violation of this provision could still carry stiff penalties, including the up to three years of imprisonment. Where the offence is committed by a company, the Bill would permit penalties to be imposed on any person who “was in charge of, and was responsible to, the company for the conduct of the business of the company.”
The Bill has made several changes from the draft Bill. For instance, the Bill has added a new class of significant data fiduciaries, as social media intermediaries. These will include intermediaries (with users above a notified threshold) which enable online interaction between users. Further, the Bill has expanded the scope of exemptions for the government and additionally provided that the government may direct data fiduciaries to provide it with any non-personal or anonymised data for better targeting of services.