Data has emerged as a critical element of a digital economy. Digital applications collect and process personal data in their day-to-day operations. Further, a number of companies are processing data to gain insights into customer behaviour patterns and formulate business plans. This widespread online and offline sharing of data has made it crucial to secure personal data given the rising instances of data security breaches.

To address this concern, the government has introduced a data protection bill, which is expected to equip and empower citizens to manage their personal data. The process began in November 2017, when a committee led by Justice B.N. Srikrishna released a consultation paper on data protection. In July 2018, the committee submitted the draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology (MeitY), which released it for public consultation. The draft bill was largely in line with the European Union’s General Data Protection Regulation (GDPR).

After public consultation, MeitY came out with the Personal Data Protection Bill, 2019 and sought the union cabinet’s approval. The cabinet has recently approved the bill. The new bill aims to create a framework for both public and private organisations to receive, handle, and process individuals’ personal data in India. It is largely based on the draft bill, but includes some modifications as well.

A look at the key features of the bill and its likely impact on the digital ecosystem…

Segregation of personal data

The bill seeks to regulate data, which is categorised as personal, sensitive personal and critical personal data. As per the bill, personal data refers to both online and offline data relating to any characteristic, trait, attribute or any combination of features that help identify a person. Sensitive personal data may reveal financial, health-related, biometric, sexual, genetic, religious, political and caste or tribe-related information about an individual. The government and the Data Protection Authority (DPA) together can also notify other kinds of data as sensitive personal data. Meanwhile, critical personal data has not been defined in the bill and will be notified by the government.

Sensitive personal data may be transferred outside India for processing with the user’s explicit consent and the DPA or the central government’s permission, but it needs to be stored only in India. However, critical personal data can be processed only in India.

Establishment of DPA

The bill mandates the establishment of a DPA. The DPA will protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions and promote awareness about data protection.

Right to be forgotten

To protect users’ interest, the bill provides them right to be forgotten. Under this, users have the right to restrict or stop the continued disclosure of their personal data. The right can be exercised if the purpose of data collection has been served, if the user has withdrawn consent, or if the data was disclosed illegally. The user can make a complaint to the DPA, which will then order the data fiduciary to remove the user’s data. Here, the data fiduciary refers to any entity including the state that will determine the purpose and means of processing personal data, either alone or in conjunction with other entities.

Provisions regarding consent

The bill introduces the concept of a consent manager. This can be used to give or withdraw consent to the data fiduciary. However, personal data may be processed without consent for performance of a state function, provision of state services, medical emergency and other reasonable purposes such as prevention of illegal activities, whistle-blowing, credit scoring and debt recovery.

Classification of data fiduciaries

The DPA can notify any data fiduciary as a significant data fiduciary on the basis of the volume and sensitivity of personal data being processed, the fiduciary’s turnover, or the risk of harm being posed by the fiduciary. The fiduciary will have to carry out a data protection impact assessment and undergo compliance evaluation by a data auditor appointed by the DPA.

Verification by social media intermediaries

The bill defines a social media intermediary as one that enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify and access information. If any social media intermediary has a certain number of users, and can impact India’s electoral democracy, security, sovereignty or public order, it can be notified as a significant data fiduciary by the government and the DPA. These intermediaries will have to give account verification options to willing users, and such users will be given a visible mark of verification. However, this will be a voluntary decision of users.

Powers granted to the centre

The bill empowers the central government to direct any data fiduciary or processor to provide anonymised personal data or other non-personal data to enable better targeting of services or formulate evidence-based policies. Further, the government can exempt any government agency from the provisions of the bill for reasons of national security, integrity and sovereignty, public order, friendly relations with foreign states, and for preventing any cognisable offence. Apart from these exemptions, the bill states that certain rights of users will be suspended if personal data is processed for law enforcement, judicial reasons, journalism and personal reasons.

Issues concerning stakeholders

The bill has become a cause for concern among stakeholders. They believe that allowing the government to exempt its agencies from some or all provisions could have dangerous implications as it would give them access to private and public data. Further, the provision for verification of users by social media intermediaries is flawed. Not only will it increase compliance costs for companies such as Facebook and Twitter, but it will also allow the government to access the identity of people with verified profiles and track them effectively. Moreover, the bill mandates that the data fiduciary obtain consent from the data principal during each step of the processing activity. This will create a problem when data collection and processing will be done by different agencies and each fiduciary will have to take consent at every step. Such ambiguities will put an unnecessary compliance burden on companies and hamper ease of doing business.

Since the bill is based on the GDPR, large multinational organisations may not have to modify their systems much to comply with the proposed data protection law. However, domestic companies and start-ups may have to completely overhaul their systems to meet these regulations. They may have to significantly restructure the way they capture and store data, and set up a consent mechanism. Further, foreign firms operating in India might be impacted due to data localisation requirements and cross-border data transfer restrictions.

The way forward

Net, net, the Personal Data Protection Bill only lists the broad principles, which could serve as a first step towards ensuring data privacy in the country. It neither offers a clear roadmap for governance nor details regarding the rights and obligations of data principals and fiduciaries. The real picture of India’s new data protection regime will emerge only after the bill is passed and it becomes a law.

At present, it has been referred to a joint select committee, which will submit its report before the end of the Budget Session in 2020. All eyes are now on the committee’s report. Stakeholders can only hope that their concerns are addressed before the bill is made a law on which rests the future of India’s personal data privacy.

By Kuhu Singh Abbhi