The evolution of India’s personal data protection bill is influenced by the need to protect the interests of businesses, the government and the individual, writes Yukti Sharma
India’s journey to a personal data protection law has its roots in the Aadhaar case, which ultimately led to the formation of the nine-judge bench in the case of KS Puttaswamy and Anr v Union of India, where the right to privacy was declared as a fundamental right.
It was during this case, in 2017, that a committee of experts led by Justice BN Srikrishna was constituted to propose a data protection framework for India. Cognizant of the economic benefits of innovation and the need to protect the personal data of individuals, the government mandated the committee to unlock the digital economy while keeping the data of citizens secure.
In July 2018, the committee released its draft Data Protection Bill, 2018. At its core, the bill handed the right to informational privacy to the individual. In line with the belief that the individual should be in control of their data, the committee was keen to make this legislation a model for the developing world. The bill proposed by the committee incorporated key concepts from the General Data Protection Regulation (GDPR) to provide Indians with a similar level of protection and rights as in Europe.
Protection from harm
In terms of personal data privacy, the Facebook/Cambridge Analytica scandal was the biggest eye-opener to individuals’ lack of control over their data. Of the 87 million users affected worldwide, 500,000 were Indians. The committee recognized the potential for discrimination, exclusion, breach of privacy and harm due to the misuse of personal data. The 2018 bill takes into consideration the quantum of harm that may be caused to an individual when prescribing compliance requirements, protection measures and the manner of taking consent.
The bill strengthens the rights of individuals to give them control over their personal data based on principles of autonomy, self-determination, transparency and accountability. It provides for meaningful, informed and explicit consent from the individual. This includes critical issues such as a child’s consent and heightened safeguards for sensitive personal data processing. The bill also incorporates advanced rights such as the right to data portability, right to confirmation and access, right to correction, and right to be forgotten, in line with the GDPR.
The bill provides for different levels of compliance requirements depending on the quantum of personal data accessed by corporations. These include detailed record-keeping requirements, data audits, appointment of data protection officers and the undertaking of Data Protection Impact Assessments (the assessment of potential harm from a proposed data processing activity involving new technologies or large-scale profiling).
For instance, corporations qualifying as “Significant Data Fiduciary”, which have access to a large quantum of data, are required to adhere to comprehensive compliance requirements. On the other hand, the bill also protects small and medium-sized enterprises by exempting them from these requirements for manual processing of personal data.
The bill applies to both the government and the private sector, as it endeavours to protect the individual’s privacy from both state and non-state actors. However, exemptions may be provided to the state under special circumstances, such as national security.
In Justice KS Puttaswamy and Anr v Union of India, the Supreme Court expanded on this aspect and held that data protection is a complex exercise that must balance privacy against other values that subserve legitimate concerns of the state.
The court outlined the conditions under which the state can exercise powers to curtail an individual’s right to privacy: (1) there is a legitimate state interest in restricting the right; (2) the restriction is necessary and proportionate to achieve that state interest; and (3) the restriction is imposed by statute. The committee has attempted to give the legislation teeth by prescribing substantial penalties along the lines of the GDPR. Organizations in breach will need to cough up as much as 4% of their global turnover.
Unfortunately, the positives of the bill were buried under severe criticism of the restrictions on international transfers, popularly known as “data localization” requirements. This was a deviation from the GDPR approach, leaning towards a protectionist regime. The tech giants were outraged by the requirement, since it would have considerable financial implications for their operations in India. The committee’s rationale emanated from its concern about privacy breaches arising from cross-border transfers, over which Indian regulators find it difficult to exercise control.
Much of the deliberation on these aspects, and the lobbying of the government after the release of the 2018 bill, was led by foreign technology and international financial services corporations, and it has resulted in relaxations in the 2019 bill. The global approach to this aspect could be influenced by the manner in which the US responds to Chinese applications like TikTok holding data on its citizens.
2018 bill v 2019 bill
On 11 December 2019, a new version of the bill was introduced in the Lok Sabha (the 2019 bill) with significant modifications to the 2018 draft by the BN Srikrishna Committee, including:
- Indian regulators are recognizing the pace of technological innovation. Both the Securities and Exchange Board of India (SEBI) and the Reserve Bank of India (RBI) have provided a framework for an “innovation sandbox”, and the concept has also been incorporated in the bill. Eligible entities can seek exemptions from certain obligations under the bill for a maximum period of three years. This is a progressive and mature provision that takes a balanced and realistic view of on-the-ground realities;
- The data localization requirements were relaxed and brought in line with the GDPR. The 2019 bill only requires data notified as “critical data” to be stored in India. It remains to be seen, however, what will be categorized as “critical data”, which remains restricted from international transfers;
- Passwords were removed from the definition of sensitive data, which would be a huge relief to the tech industry, since passwords are used for authentication in nearly all applications;
- The individual’s right to erasure was added in the 2019 bill, in addition to the individual’s right to request correction stipulated under the 2018 bill; and
- An individual’s right to access has been further strengthened to allow access, in one place, to all entities with whom their data have been shared, together with the categories of personal data shared.
The 2019 bill recognizes the role of consent managers – intermediaries who could play a crucial role in managing consent for individuals and corporations – which is already in place in the financial services sector in the form of account aggregators regulated by the RBI. If utilized, this would be beneficial for strengthening individual rights, since it provides a single platform where the individual would be able to provide, review, manage and withdraw consent to different entities.
Criticisms of the 2019 bill
A concerning deviation from the 2018 bill is the removal of a judicial member from the selection committee, which appoints members of a data regulator, i.e. the Data Protection Authority (DPA). This impacts the independence of the DPA, which will regulate government bodies as well.
The 2019 bill also has some worrying exemptions for the government and its agencies. The central government is empowered to exempt, by an order in writing, any government agency from the application of all or any provisions of the bill with respect to the processing of personal data, on grounds such as public order, prevention of incitement to the commission of any cognizable offence relating to the sovereignty and integrity of India, and the security of the state.
This strikes at the very core of the guidance provided by the Supreme Court in the Puttaswamy judgment and of the 2018 bill, under which exemptions may be provided in accordance with a law passed by parliament. It is unfortunate that the comprehensive protection provided under the 2018 bill has been diluted so severely in the 2019 bill by way of exemptions for the government.
The bill in its current form is likely to result in litigation, as happened prior to 2018 when consumers were made to link their Aadhaar identity card with bank accounts and mobile numbers. The Puttaswamy judgment struck down section 57 of the Aadhaar Act, which dealt with the sharing of data with private entities such as e-commerce firms, private banks and telecoms companies.
Overall, the proposed bill is progressive legislation and, in some aspects, even leads the way with new concepts and governance experiments. The rights of individuals have been strengthened, and the evolution of the data regulator will play a crucial role with respect to delegated legislation and governance.
There are only a few creases to be ironed out with respect to exemptions to the government and the independence of regulators. The author hopes to see public consultations by the joint parliamentary committee currently examining the bill before it gives its report to the parliament in February to address these issues.
Yukti Sharma is the assistant vice president, legal, at Piramal Capital and Housing Finance. The views expressed are personal.