The draft Personal Data Protection Bill 2019 (“Bill”) was introduced before the Lok Sabha on December 11th, 2019. The current Bill has mostly taken its provisions from the draft Personal Data Protection Bill 2018; however, certain new provisions were inserted to provide better clarity on the elements of data protection. The main essence of the Bill is that personal data be processed fairly and securely, ensuring greater privacy for the data of users.
The key highlights of the Bill are:
Application: Cl. 2 of the Bill states that the application of the Bill is restricted to data that is processed within the territory of India or under Indian law. Data processed outside the territory of India will be included under the purview of the current Bill only if the processing has a connection with a business carried on in India, or involves any profiling of data principals who are within the territory of India.
Classification of Data: Under the ambit of the Bill, data can be classified into Sensitive Personal Data, Critical Personal Data and General Data. Financial data falls under the ambit of Sensitive Personal Data and refers to any number or other personal data used to identify an account opened by, or a card or payment instrument issued by, a financial institution to a data principal. It further includes any personal data regarding the relationship between a financial institution and a data principal, including financial status and credit history. Under the Bill, “passwords” have been removed from the definition of sensitive personal data; however, the same can be derived from the definition of financial information.
Consent: According to the provisions of Cl. 11 of the Bill, free, clear, informed and specific consent is required from data principals in order to process their personal data. However, processing of personal data under the provisions of Cl. 13, 14 and 15 does not require the consent of the data principals. Furthermore, to process Sensitive Personal Data, consent is to be obtained after informing the data principal about the probable harm that could be caused.
Data Retention: As per Cl. 9 of the Bill, the data of a data principal is to be retained only for a particular period of time, or only for as long as the data is required. However, if the period of retention is to be extended, the explicit consent of the data principal is required.
Erasure: Cl. 18 of the Bill gives data principals the right to erasure. The right to erasure refers to the removal or deletion of any data which is no longer required by the data fiduciary, without adjudication.
Social Media Intermediaries: Cl. 26 of the Bill defines Social Media Intermediaries as a new and separate category of Data Fiduciaries. These are entities which primarily or solely connect users enabling them to create, modify, upload, share, disseminate or access information. Social Media Intermediaries which have more than a specified number of users, and whose actions are likely to impact electoral democracy, security of the state, public order, sovereignty or integrity of India will be notified by the Central Government as Significant Data Fiduciaries. All such notified Social Media Intermediaries are required to enable users who register for, or use, their services from India to voluntarily verify their accounts, and thereafter mark verified accounts with a specified mark which will be visible to all users. Search engines, e-commerce entities, internet service providers, email and storage services, and online encyclopedias are expressly excluded from this definition.
Data Sharing with the Government: Cl. 91 of the Bill enables the Central Government to require Data Processors or Data Fiduciaries to provide it with anonymized Personal Data, or other non-personal information (which was expressly excluded from the scope of the Draft Bill) to enable the targeting or delivery of services, or the formulation of evidence-based policies. It also reaffirms the right of the Central Government to formulate policies for the digital economy to the extent that such policies do not govern personal data. This is particularly relevant given the proposed E-Commerce Policy.
Exemption of any authority from the Bill: Cl. 35 of the Bill states that the Central Government, upon a written justification, can exempt any state agency from the provisions of the Bill concerning personal data.
Dilution of data localization requirement: The earlier bill required a mirror copy of all personal data to be stored in India; however, under Cl. 33 of the current Bill, no localization requirement applies to Personal Data. A requirement remains to store Sensitive Personal Data in India, but such data may be transferred outside India for processing. The ambiguous concept of a “serving copy” has been done away with in the current Bill. Furthermore, Critical Personal Information may be processed only in India, subject to certain specified exceptions. Sensitive personal data may be transferred outside India on the basis of explicit consent and a) if the transfer is made under a contract or intra-group scheme, or the Central Government allows transfer to a country, or if the data protection authority allows a transfer of Sensitive Personal Data for specific purposes.
Regulatory Sandbox: As per Cl. 40 of the Bill, a provision for a regulatory sandbox has been created to encourage the development of new technologies in the nature of artificial intelligence and machine learning. The term of the sandbox is 12 months, and it may be extended twice, i.e. for a maximum period of 36 months.
Right to be forgotten: As per Cl. 20 of the Bill, a data principal has the right to restrict or withdraw its consent for the disclosure of its personal information.
Criticism of the Bill
1. While the new Bill has not expressly excluded “password” from its definition of Sensitive Personal Data, it can be derived that the essence of a password is still present in the definition of financial data.
2. While there are provisions under which consent is required to access certain kinds of data, the provisions under which consent is not required should include a mechanism such as obtaining a judicial warrant before such data is obtained, or some other legal mechanism preventing abuse of the provision.
3. Furthermore, the concept of metadata is absent from the present Bill, even though data or information without its metadata is useless. The pertinent question here is whether metadata is included under the ambit of Sensitive Personal Information or not.
4. Furthermore, the principle of the right to be forgotten has been incorporated under the new Bill, which will ensure the safety of data principals and will allow them to start on a fresh record.
5. Though removing the mandatory mirroring requirement is an appropriate change, data principals should be given rights over where they wish to store their personal data, and the State should not impose restrictions on the transfer of such data, especially after explicit consent has been given.
6. Furthermore, where the Bill gives the Government a right to obtain anonymized personal data or non-personal data of data principals for the formulation of policies, such data should be compensated for, i.e. some form of compensation or remuneration should be provided by the Government to the data fiduciaries and the data principals.
Therefore, the current Personal Data Protection Bill has been drafted in order to give a broad framework to the personal data protection regime in India; however, more clarity is required on certain points of law.
Symbiosis Law School, Hyderabad