November 21, 2018:
The Union also asserted that the proposed Data Protection Authority (DPA) needs to be allowed to function independently & impartially.
The European Union has expressed concerns over data localisation stipulations and certain other provisions of India’s draft Personal Data Protection Bill, 2018.
In its submission to the Indian IT Ministry, the delegation of the European Union to India & Bhutan said the law, if adopted, will contribute to facilitating data flows between the EU & India, & could open the way for a possible adequacy dialogue between the two sides.
However, it also made certain observations across various aspects of the Bill that was drafted by the committee led by Justice BN Srikrishna to develop a framework on data protection norms in India.
“In general, the draft law in a number of places leaves discretion to decide key matters in the hands of the Central Government or the DPA rather than dealing with them in the draft itself. This could create some uncertainties which could perhaps be avoided by providing further clarifications,” it noted.
The submission pointed out that having a data protection authority is important for both citizens & businesses.
It emphasised that to effectively play its role, it is essential that the authority “acts with complete independence & impartiality in performing its duties & exercising its powers, free from any external influence”.
The Data Protection Bill identifies three parties who are the stakeholders in data protection. Firstly, Data Principal is the person whose data is being collected.
Secondly, Data Fiduciary is the one who determines how & why the data shall be collected.
Thirdly, Data Processor is the one which processes the data.
These roles are akin to those of Data Subject, Data Controller & Data Processor as given under GDPR. Inter alia, the Bill casts the following key obligations:
- Obtain consent of the data principal before collecting or processing data.
- Provide the data principal with access to the data collected.
- If a data breach is likely to harm the data principal, the data fiduciary is required to notify the breach to the authorities.
- Conduct a data impact assessment.
- Locally store a copy of the data if the data is being shared across borders.
- Obtain explicit consent where the data concerned is sensitive personal data.
- Appoint a data protection officer.
- Conduct fair & reasonable processing of personal data only for the clear & specific purpose for which the data is collected.
- The right to be forgotten has been introduced by the Bill. However, the Bill does not talk about deleting the data once the purpose is fulfilled; the data principal may instead ask the fiduciary to restrict its usage once the purpose of the data is fulfilled.
- Prevent any kind of misuse of, or any unauthorised access to, personal data.
Analysis of the Personal Data Protection Bill, 2018
Prima facie, there are the following loopholes extant in the Bill:
Localisation of Data
The Data Protection Bill while outlining the provision for transfer of personal data outside India has provided for localisation of such data. Localisation of data embodies two elements:
- Firstly, it mandates that at least one copy of the personal data so collected shall be saved on local servers within the country.
- Secondly, it calls for classification of data into critical data. This critical data is permitted to be processed only in India & no transfer of such data outside India is permissible.
On the face of it, this provision appears to provide a stringent protection mechanism. However, in reality, the setting up of a local server to store a copy of the personal data so collected locally, would prove to be too expensive for companies. This step would prove detrimental for companies, especially start-ups, as any data shared across borders would be required to be stored locally.
Moreover, the second element of localisation which mandates that critical data be processed only in India is at best a vague provision. No definition of what constitutes critical data or what might constitute critical data is provided for in the Bill.
In the absence of any explicit definition or indicators, how are companies supposed to identify this critical data? To add to this confusion, the term sensitive data is used under section 40 in addition to critical data. This clearly leads to the conclusion that the two are different. Hence, the portion of the Bill pertaining to cross-border sharing of personal data is vague, ambiguous & confusing.
Difference between consent & explicit consent
The Data Protection Bill has given utmost importance to the principle of consent. It reiterates time & again that the consent so given should be free, informed & specific. However, it distinguishes between the degree of consent required for personal data & that required for sensitive personal data. It states that the consent required for the collection & processing of sensitive personal data should be explicit.
The definition of explicit consent again is not very clearly laid out. It touches upon the same elements which are included in the definition of consent. Moreover, sensitive personal data is a species of the broad genre of personal data & hence, the degree of consent required should not vary.
Exceptions under the Data Protection Bill
Unlike its counterpart, the Data Protection Bill has carved out several exceptions to the obligations outlined under it. Various exceptions have been carved out for the State. Chapter IX of the Bill lays down a number of exceptions to the obligations mentioned therein.
Moreover, section 17 of the Data Protection Bill lays down a number of purposes classified as ‘reasonable purposes’ for which data processing may be undertaken. So many escape routes & exemptions make the data protection Bill a weak law.
Data Breach Notification
Under the GDPR, the data controller is required to notify the authorities within a stipulated time period after a data breach occurs. However, under the Indian data protection Bill, the data breach notification is required only when the data fiduciary thinks that the breach is likely to harm the data principal. Leaving such discretion in the hands of the data fiduciary is erroneous. Such a provision has the effect of translating data breach notification into a hollow requirement devoid of any real consequences.
The Data Protection Bill, despite being a shoddily drafted piece of legislation, at least shows the commitment of the government towards introducing data privacy in the country. It is heavily based on the EU GDPR Regulations. However, despite its shortcomings, as discussed above, it also has certain merits which should not be overlooked. It has introduced steep penalties for violation, hence making data protection a priority for companies collecting such data. It has laid down a framework for data protection in the country.
The principles of ‘no means no’ & free & informed consent go a long way in establishing the supremacy of the data principal. Similarly, the obligations introduced for data protection in cross-border sharing of personal data also show the commitment towards data privacy. With a little tweaking & amendments, the data protection Bill has the potential of becoming a phenomenal piece of legislation. Its drafting & implementation, if done properly, can help perpetuate efficient data protection standards in India.
However, in order to remain compliant with the Bill in its current form, the following practices may be adopted:
- Collect/process data only after obtaining consent from the data principal. If the data being collected is sensitive data, then explicit consent needs to be collected.
- The data so collected should only be used for the purpose for which it is collected.
- The purpose of data collection should be lawful & in accordance with the Bill.
- Provide the data principal with access to the personal data collected.