Declaring the ‘right to privacy’ a fundamental right, in the landmark judgment of K. S. Puttaswamy & Anr. v. Union of India & Ors., the 9-judge Supreme Court bench held, “Privacy is the constitutional core of human dignity”.
The concept of privacy, being comprehensive, includes, inter alia, informational privacy. In an aggressively digitizing phase, data privacy in India is still governed by the Information Technology Act, 2000, vide Sections 43(A) and 72(A), which provide for the levy of compensation and punishment for failure to protect personal information. Further, Chapter VI of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 incorporates provisions to protect biometric information.
In light of the dearth of appropriate legislation to govern the privacy and use of personal data, and the consequent surging concerns, the Indian legal system has introduced the Personal Data Protection Bill, 2019 (“the Bill”). Inspired by the General Data Protection Regulation of the European Union, the Bill is the second attempt, after the 2018 Bill, at concretizing the policies for data regulation. Its intent is to protect the privacy of individuals in relation to their personal data (“the data”) and its usage, and to foster a fiduciary relationship between individuals and the entities that process their data.
Personal Data and its Classification
Personal data is any data about or relating to the identity of an individual, including data processed to analyze or predict his behavior or attributes. Examples include KYC records maintained with financial institutions and personal information disclosed on Facebook.
The Bill has classified Personal data as under:
- Sensitive personal data: Personal data carrying an expectation of confidentiality, the disclosure of which may cause harm to the data principal. For example – bank account statements, Aadhaar data, medical records.
- Critical personal data: The Bill does not define critical personal data; what falls within it remains an open question, and its determination has been delegated to the Central Government (“the Government”) by notification.
This classification has enabled the inclusion of provisions prescribing different safeguards for different categories of data (as discussed later in the article). But the basis of the classification remains unknown. In this circumstance, delegating the determination of what constitutes critical data, without prescribing any standard guidance, may be construed as excessive delegation.
Processing and Parties Involved
According to the Bill, data processing involves three parties – a data principal (“the principal”), i.e., the subject of the data; a data fiduciary (“the fiduciary”), i.e., the person who determines the purpose of processing the data; and a data processor (“the processor”), i.e., the person who actually processes the data of the principal on behalf of the fiduciary.
The term “processing” has been given a wide interpretation and means an operation, such as recording, storage, retrieval, usage, etc., or a set of operations performed on the data. For example, A signs up at Gmail, in the course of which he shares details such as his name, mobile number, date of birth, etc. Gmail has hired SunTec India, a data processor, for recording and storing the data of its users. Here, A is the principal, Gmail is the fiduciary and SunTec India is the processor that performs the processing, i.e., recording and storing.
Obligations on Fiduciary
In order to protect the data, the Bill imposes comprehensive obligations on the fiduciary pertaining to the collection and usage of data, such as its retention, deletion, accountability, etc. These provisions establish a very transparent practice of data processing. Considerable emphasis has been placed on seeking the prior consent of the principal whenever a fiduciary intends to have that individual’s data processed. Hence, the principal shall be well informed about why and how his data is being processed. But seeking the principal’s prior consent every time a fiduciary has to process his data, even where the processing is carried out for the same purpose for which it was done earlier, may make the process time-consuming and expensive at the fiduciary’s end. Regardless, the obligations shall be instrumental in countering serious issues such as non-consensual disclosure of user data. The most apt example is the USD 5 billion fine paid by Facebook for its failure to protect the data of its users from third parties (2019), followed by its adoption of improved privacy policies.
Fiduciary and Significant Data Fiduciary
For the purpose of data processing, a fiduciary may be an individual, a juristic entity or a government agency, meaning thereby any person. The fiduciary shall require a processor to process the principal’s data. This is expected to increase expense, delay and hassle, especially for small companies. Take the example of pick2heal, a startup offering blood testing services. Since it deals with the health data of its clients, it will have to comply with the obligations imposed on a fiduciary for the processing of sensitive personal data, thereby escalating the startup’s costs.
Further classification of a fiduciary as a significant data fiduciary, on the basis of the volume or sensitivity of data, the turnover of the fiduciary, etc., binds it to further stringent provisions, such as performing a data protection impact assessment (“DPIA”) before carrying out data processing, maintaining records of the data in the specified manner and auditing its policies. These provisions provide an added layer of protection to the personal data of the principals. But it must also be taken into consideration that they apply to all entities, big or small. While big entities may be capable of bearing the cost, small entities, like MSMEs, startups, etc., may find it difficult to finance. Taking the same example of pick2heal, it will be bound to incur expense on an independent data auditor, a DPIA, etc., since it deals with health data (classified as sensitive data under the Bill), which may ultimately discourage startups in such sectors. The legislators should, therefore, incorporate exemption clauses and come up with alternatives for small businesses, as done in other statutes: for example, the exemptions granted to small companies under the Companies Act, 2013 (such as fewer board meetings, no cash flow statement and lower penalties), or the composition scheme incorporated under the Central Goods and Services Act, 2017 to provide for lower tax rates and reduce their tax burden.
Rights of the Principal
The Bill dedicates a complete Chapter to giving due recognition to the rights of the principal. These include, inter alia, the right to obtain information from the fiduciary about the processing of his data, the right to correction and erasure, and the right to be forgotten. Incorporating explicit rights in favor of the principal under a data protection framework gives concrete footing to the fundamental right of informational privacy of every individual.
Transfer of Data outside India
To regulate the processing, storage and transfer of sensitive and critical personal data outside India, the Bill imposes certain pre-conditions. While sensitive personal data may be transferred outside India for processing upon fulfillment of specified pre-conditions, critical personal data shall be processed in India only and may be transferred outside India only in a few specified circumstances. Most importantly, sensitive and critical personal data shall be stored in India only. By requiring the data of citizens of India to be stored and, except in certain situations, processed by processors in India, this provision is likely to make fiduciaries more accountable for the manner in which they handle the data. But the lack of clarity on the classification of personal data as sensitive or critical may make it difficult for fiduciaries to determine whether they are bound by such conditions, and if so, which ones.
Data Protection Authority
For the effective enforcement of the Bill, a Data Protection Authority, comprising experts in the domains of information technology law, national security and public administration, shall be constituted and shall exercise the powers vested in it under the Bill. Considering that the Bill will impact all sectors of the economy, it is essential to include experts from diverse practices, such as e-commerce, health and small business, as Members of the Authority, to ensure representation of all the impacted sectors and bring forth the cross-sectoral impact needed to enforce an accommodative law.
A grave loophole in the Bill comes in the form of its exemption clauses. The exemption clause empowers the Government to exempt any of its agencies from complying with the provisions of the Bill if it is satisfied that doing so is necessary or expedient in the interest of, or for preventing incitement to the commission of any cognizable offence relating to, the sovereignty and integrity of India, the security of the State, etc. Going a step further, the Government has been vested with the power to call for any non-personal or anonymized personal data for the better rendering of services. While it is understandable that the Government may need to retain certain powers to create a congenial environment for its agencies, like the Central Bureau of Investigation or the Criminal Investigation Department, to perform their procedures unhindered and smoothly, adopting such open-ended language to confer such sweeping powers creates room for their misuse. To overcome this, the legislators should provide an indicative list of agencies for which, and clear and precise circumstances in which, this Section may be invoked by the Government.
The landmark judgment was only the first step towards the introduction of a data protection regime in India. A committee headed by Retd. Supreme Court Judge Justice B N Srikrishna submitted its report on a Data Protection Framework, prepared after a study of various data protection related issues in India. The report put forth specific suggestions for a data protection framework, which served as the guiding light while drafting the 2018 Bill. Owing to the inadequacies of the 2018 Bill, the present Bill was proposed in December 2019.
In the wake of the COVID-19 pandemic, Ease of Doing Business and digitization, with digital platforms being used more than ever, the Bill is the need of the hour and a welcome change. While the present draft has certain loopholes and ambiguities, it is indispensable to overcome them and come up with a sound and effective legislation.