August 3, 2018:
The author, Bhumesh Verma, is a corporate lawyer with over two decades of experience in advising domestic and international clients, with a place in “The A-List – India’s Top 100 Lawyers” by India Business Law Journal. He writes frequently on FDI, M&A and other corporate matters. With research and inputs by Soumya Shekhar.
Personal data and security thereof have become the buzzwords of today. Following the GDPR model, India too is itching and inching towards providing data privacy for its citizens.
The recently framed Personal Data Protection Bill, 2018, drafted by the committee under Justice B. N. Srikrishna, forms the foundation for data protection in India. It provides the basic regulatory framework for data collection and processing. Prior to this, India did not have a dedicated data protection legislation; the Sensitive Data Protection Rules, 2011 governed data security in India.
This step of formulating a draft Bill solely dedicated towards creation of a data security framework in India is laudable. However, the Bill is not blemish-free. Through this article, we shall dissect the Bill and discuss the areas which require more deliberation.
The Data Protection Bill identifies three parties who are the stakeholders in data protection. Firstly, Data Principal is the person whose data is being collected.
Secondly, Data Fiduciary is the one who determines how and why the data shall be collected.
Thirdly, Data Processor is the one which processes the data.
These roles are akin to those of Data Subject, Data Controller and Data Processor as given under GDPR. Inter alia, the Bill casts the following key obligations:
- Obtain consent of the data principal before collecting or processing data.
- Provide the data principal with access to the data collected.
- If a data breach is likely to harm the data principal, the data fiduciary is required to notify such breach to the authorities.
- Conduct a data impact assessment.
- Locally store a copy of the data if the data is being shared across borders.
- Obtain explicit consent where the data concerned is sensitive personal data.
- Appoint a data protection officer.
- Conduct fair and reasonable processing of personal data, only for the clear and specific purpose for which the data is collected.
- The right to be forgotten has been introduced by the Bill. However, the Bill does not talk about deleting the data once the purpose is fulfilled; instead, the data principal may ask the fiduciary to restrict its usage once the purpose of the data is fulfilled.
- Prevent any misuse of, or unauthorised access to, personal data.
Analysis of the Personal Data Protection Bill, 2018
Prima facie, the following loopholes exist in the Bill:
Localisation of Data
The Data Protection Bill, while outlining the provision for transfer of personal data outside India, has provided for localisation of such data. Localisation of data embodies two elements:
· Firstly, it mandates that at least one copy of the personal data so collected shall be saved on the local servers within the country.
· Secondly, it calls for classification of data into critical data. This critical data is permitted to be processed only in India and no transfer outside India of such data is permissible.
On the face of it, this provision appears to provide a stringent protection mechanism. However, in reality, the setting up of a local server to store a copy of the personal data so collected locally, would prove to be too expensive for companies. This step would prove detrimental for companies, especially start-ups, as any data shared across borders would be required to be stored locally.
Moreover, the second element of localisation, which mandates that critical data be processed only in India, is at best a vague provision. No definition of what constitutes critical data, or what might constitute critical data, is provided in the Bill. In the absence of any explicit definition or indicators, how are companies supposed to identify this critical data? To add to this confusion, the term sensitive data is used under section 40 in addition to critical data. This clearly leads to the conclusion that the two are different. Hence, the portion of the Bill pertaining to cross-border sharing of personal data is vague, ambiguous and confusing.
Difference between consent and explicit consent
The Data Protection Bill has given utmost importance to the principle of consent. It reiterates time and again that the consent so given should be free, informed and specific. However, it distinguishes between the degree of consent required for personal data and that required for sensitive personal data. It states that the consent required for the collection and processing of sensitive personal data should be explicit. The definition of explicit consent again is not very clearly laid out. It touches upon the same elements which are included in the definition of consent. Moreover, sensitive personal data is a species of the broad genre of personal data and hence, the degree of consent required should not vary.
Exceptions under the Data Protection Bill
Unlike its counterpart, the Data Protection Bill has carved out several exceptions to the obligations outlined under it. Various exceptions have been carved out for the State. Chapter IX of the Bill lays down a number of exceptions to the obligations mentioned therein. Moreover, section 17 of the Data Protection Bill lays down a number of purposes classified as ‘reasonable purposes’ for which data processing may be undertaken. So many escape routes and exemptions make the data protection Bill a weak law.
Data Breach Notification
Under the GDPR, the data controller is required to notify the authorities within a stipulated time period after a data breach occurs. However, under the Indian data protection Bill, the data breach notification is required only when the data fiduciary thinks that the breach is likely to harm the data principal. Leaving such discretion in the hands of the data fiduciary is erroneous. Such a provision has the effect of translating data breach notification into a hollow requirement devoid of any real consequences.
The Data Protection Bill, despite being a shoddily drafted piece of legislation, at least shows the commitment of the government towards introducing data privacy in the country. It is heavily modelled on the EU GDPR. However, despite its shortcomings, as discussed above, it also has certain merits which should not be overlooked. It has introduced steep penalties for violation, hence making data protection a priority for companies collecting such data. It has laid down a framework for data protection in the country. The principles of ‘no means no’ and free and informed consent go a long way in establishing the supremacy of the data principal. Similarly, the obligations introduced for data protection in cross-border sharing of personal data also show the commitment towards data privacy. With a little tweaking and some amendments, the data protection Bill has the potential of becoming a phenomenal piece of legislation. Its drafting and implementation, if done properly, can help perpetuate efficient data protection standards in India.
However, in order to remain compliant with the Bill in its current form, the following practices may be adopted:
- Collect/process data only after obtaining consent from the data principal. If the data being collected is sensitive data, then explicit consent needs to be collected.
- The data so collected should only be used for the purpose for which it is collected.
- The purpose of data collection should be lawful and in accordance with the Bill.
- Provide data principals with access to the personal data collected from them.