What are the opportunities and risks for Chinese investors once the Personal Data Protection Bill 2019 is approved?
With more than 560 million users, India is now the second-largest online market in the world after China. With increasing internet penetration, debates around data theft and privacy have come to the forefront, and data protection has become a national priority.
The Supreme Court of India elevated “right to privacy” to the status of a fundamental right under the Constitution of India when it delivered its judgment in Justice KS Puttaswamy (retd) & Anr v Union of India and Ors on 24 August 2017. Almost three years later, the wait for India’s first comprehensive legislation to regulate data is drawing to an end.
Existing privacy obligations in India are contained in the Information Technology Act, 2000, and deal with sensitive personal data or information including financial, physical, health, biometric information, etc. The law prescribes civil and criminal sanctions for non-compliance with privacy obligations. The proposed legislation is awaiting approval from parliament as the Personal Data Protection (PDP) Bill 2019. The PDP bill is largely modelled along the lines of the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, with one significant difference being the requirement for localization of data and strict restrictions on the cross-border transfer of data.
The PDP bill recognises three kinds of data: (1) personal data (which is wide enough to include any and all data relating to a natural person that could identify him/her); (2) sensitive personal data (SPD) such as financial, health, sexual orientation and biometrics; and (3) critical personal data (not defined under the PDP bill at present). It also empowers the data principals – defined as a natural person to whom the personal data relates – by conferring on them the right to confirmation and access, correction and erasure, data portability, and the right to be forgotten.
The entities recognised under the PDP bill are data processor (similar to the processor concept of GDPR), data fiduciary (similar to the data controller concept of GDPR), and significant data fiduciary, which is a class of data fiduciary. The PDP bill also proposes the establishment of a specialized regulator, the Data Protection Authority of India (DPA), conferred with vast powers for the purposes of inter alia protection of privacy of individuals, and regulation of personal data such as laying down regulations for protection of rights of data principals, standards of anonymization, and notification of data breach.
While the PDP bill provides various safeguards for maintaining the privacy of personal and sensitive data, it has also introduced the concept of “anonymized data”, i.e., an irreversible process of converting personal data to a form in which a data principal cannot be identified. Provisions and safeguards have been introduced to protect children by mandating the data fiduciaries to carry out age verification and take parental consent for processing a child’s personal data. The PDP bill also mandates cross-border transfer of SPD for processing to require explicit consent of a data principal and be subject to a contract or scheme approved by the DPA, and to a country or an entity approved by the DPA.
Further, the concept of a “sandbox” has been introduced – which grants certain data fiduciaries, engaged in innovation in artificial intelligence, machine learning and emerging technology, relaxations from certain obligations under the PDP bill for a limited tenure – aimed at ensuring that the growth and development of technology is not hindered.
Consent is the core of the PDP bill; however, certain exceptions for processing data have been permitted, such as performance of a state function, safety measures, medical emergencies, prevention of illegal activities, whistle-blowing, credit scoring, debt recovery, operation of search engines, and the cross-border transfer of critical personal data for specific purposes like health and national emergencies.
The PDP bill has attracted controversy mainly on account of data localization restrictions that primarily require that SPD be stored in India, and provisions that exempt governmental agencies from obligations under the PDP bill on account of national security, integrity & sovereignty, public order, etc. Heavy monetary penalties up to US$2 million, or 4% of global turnover, are prescribed for breaches of the proposed law. Imprisonment for up to three years is also prescribed for certain offences.
The new legislation will require companies to substantially revisit their present model of collection, storage and transfer of data. Cross-border transfer and data localization restrictions will impose greater challenges for foreign investors having Indian business operations.
Companies will also have to review and amend, if necessary, their existing third-party contracts to make them more robust by including consent requirements and adequate representations and indemnities in relation to privacy matters. Appropriate technical security safeguards and procedures to detect, report and investigate data breaches will have to be built in.
A disproportionately large number of Chinese companies, and portfolio companies of Chinese investors, in India operate within the internet technology industry, which is extremely data intensive. Even subsidiaries of Chinese companies in traditional industries operating in India will expose their parent companies to statutory risks and penalties on account of non-compliance, so it is imperative that they start reviewing their data processes at the earliest.
Unfortunately, there is no transition period provided in the PDP bill, so companies operating in India need to start preparing for implementation immediately, since the parliament is expected to approve the PDP bill before the end of 2020.