The Personal Data Protection Bill, 2018, drafted by the Justice B.N. Srikrishna Committee, has been submitted to the Indian Parliament, and soon we will see a new law for data privacy and security in India (either based on the Bill as is or with some modifications). With growing concerns worldwide regarding the protection of data and the need for legal regulation of an individual’s personal data/information, in an era of scandals such as Cambridge Analytica’s allegedly unauthorised collection and processing of personal data, as well as the changes made by the European Union to its data protection law (the General Data Protection Regulation), the need for similar legislation in India was high: data-driven services and transactions in the digital economy are growing rapidly, but at the same time the privacy and security of Indian citizens’ data is very weak.
Data is everywhere, being collected, processed, and used. The Personal Data Protection Bill outlines how the data of Indian citizens is to be collected, processed, used, and protected.
Below are the key points of India’s Personal Data Protection Bill 2018. Every organization that deals with the data of Indian citizens should know the Bill:
1. The Personal Data Protection Bill/Law is applicable to organizations that operate within India and process personal data, as well as to organizations set up outside India that process data of Indian citizens for the provision of goods/services to Indians. “Processing” has been defined to mean an operation or set of operations such as collection, recording, storing, adaptation, alteration, retrieval, etc. As one can see, the definition is wide enough to cover all web apps, mobile apps, or IoT devices that collect any (India-located) user-related personal information, including through servers located outside India.
2. The Draft defines every entity that determines the purpose and means of processing personal data as the “data fiduciary”, and every entity that actually processes the data on the basis of instructions from a data fiduciary as a “data processor”. The Bill casts the primary obligation to ensure compliance on the data fiduciary, but it casts subsidiary obligations on the data processor as well. Typically, every app developer or website operator, or any entity that develops, operates, and controls the app and determines the reason for collection and processing of data, will be regarded as a “data fiduciary”, while if a part of the data is shared with a vendor or a third-party service provider for processing, then such an entity will be the data processor.
3. The Bill introduces a “purpose limitation” within its ambit, where any entity collecting or processing “personal data” must identify the purpose for the collection and processing of the data. Such an entity must process personal data only for the identified purpose. For example, if the purpose is to offer goods/services, then the data cannot be processed for any other purpose, such as “offering other services”, unless that purpose is clearly indicated upfront to the data subject. Therefore every data fiduciary will have to identify the purposes for which the data will be collected and processed in its privacy policy at the time of collection of such data. If the data fiduciary proposes to process data for any purpose that has not been indicated, let’s say “big data analysis”, then a separate consent will have to be obtained from the data subject for such processing.
4. Every individual whose “personal data” is being processed will need to be given a notice at the time of collection of the personal data, which will have to include, among other things, the purpose of data collection, the types of data to be collected, the identity and contact details of the data fiduciary, the right of the data subject to withdraw his/her consent, etc.
5. “Consent” has become paramount under the Bill. Consent of the data subject regarding his/her personal data will have to be free, informed, specific in terms of the purpose of data processing, clear, and capable of being withdrawn. One must note that “consent” will necessarily have to be “opt-in” for every service for which the personal data is being collected. Moreover, consent must be obtained at the time the personal data is being collected. The Bill does not indicate a requirement for a separate consent instrument; an “affirmative” act, say using the app/service, can potentially itself be treated as consent, subject to satisfying all the other criteria described above, and that consent will have to be “opt-in” in terms of the default setting.
6. The Bill defines a separate category of personal data, “sensitive personal data”, which can be processed only with the “explicit consent” of the data subject. “Explicit consent” entails that the data subject is aware that his/her sensitive data is being collected and that it is being processed for purposes specified by the processor, and that the user’s consent is not inferred from his/her conduct (for instance, from using the app or services). “Sensitive personal data” includes passwords, financial data, health data, genetic data, biometric data, transgender status, caste or tribe, etc. The standard of care for categories of “sensitive personal data” is higher. Therefore, startups in the medical services or financial services space will have to have robust systems that capture “explicit consent” and that keep any sensitive personal data in their possession safe from data breaches.
7. The Bill provides for a “data storage limitation”, where an entity can store data only for so long as the purpose for which it was collected is satisfied, unless any law mandates a longer storage period.
8. All data subjects have the right, under the Bill, to request from the data fiduciary a brief summary of their data being processed, along with a summary of the processing activities being carried out. The data subject also has the right to request rectification of any errors, or of inaccurate or misleading information. All of the above is on the basis of an application made by the data subject for review and rectification by the data fiduciary.
9. Every data subject has a right to get his/her data in a portable form, structured in a commonly used machine-readable format. The data subject can request that his/her personal data be transferred to any other data fiduciary in that commonly used machine-readable format, and the data fiduciary is under a legal obligation to do so but may charge a reasonable fee. Once the fee is paid, portability must be ensured as soon as possible, and definitely within the timelines that may be specified by the Data Protection Authority. Till such time as the Data Protection Authority prescribes a timeline, startups may consider setting out a reasonable timeline, such as 30-45 days, in the privacy policy itself, to meet the legitimate expectations of the data subject and so that the data fiduciary gets ample time to process the request.
10. The data subject’s right to be forgotten is also included in the Bill: an individual can prevent any continued disclosure and use of his/her personal data after he/she has completed use of a service, where such disclosure of data has served the purpose of use, or where the data subject has withdrawn consent. This is referred to worldwide as the “right to be forgotten”.
11. Except for the right of access, confirmation, and correction of the data subject’s own personal data, the data fiduciary can charge a reasonable fee for the other services, such as data porting.
12. The Bill mandates “Privacy by Design”, where data fiduciaries are essentially required to (i) implement policies and measures designed to protect a user’s personal information, in a consistent and cognizant manner at every stage of engagement with personal data, and (ii) ensure that the technology used in processing personal data is commercially accepted and up to certified standards. The overarching principle is that personal data needs to be protected from data breaches. This provision is important for AR/VR device manufacturers and IoT device manufacturers in particular.
13. Every corporation that is a data fiduciary must appoint a “Data Protection Officer”, whose qualifications are set out in the Bill.
14. The Bill mandates that at least one copy of all personal data of Indian nationals must be stored on servers in India. This would mean that all overseas companies and service providers that provide services to Indian nationals must store one copy of such data within India. This is one of the contentious provisions in the Bill, and we will have to wait and see if this condition gets approved.
15. The law mandates a Data Protection Authority, which will be the adjudicating authority that monitors the working and enforcement of the law and takes action, including levying compensation as well as ordering search-and-seizure notices in the event of data breaches.
16. Last but not least are the penalties, which are staggering. The penalty for any breach of personal data is Rs 5 crore or 2 percent of the global turnover of the entity, whichever is higher. Also, the Bill permits any data subject who has suffered harm as a result of any violation of the Bill or any regulation under it, by a data fiduciary or a data processor, to seek compensation from the data fiduciary or the data processor, as the case may be. Typically only data fiduciaries will be held liable, except where a data processor has acted outside the terms of its contract with the data fiduciary or has been negligent in the protection of personal data.
17. All criminal offences under the Act are cognizable and non-bailable. Criminal offences include obtaining, transferring, or selling personal data in contravention of the Act, which carries a punishment of imprisonment for a term not exceeding three years or a fine of Rs 2 lakhs, or both. If the data that is obtained, transferred, or sold in contravention of the Act is sensitive personal data, the offence is punishable with imprisonment of up to five years or a fine of up to Rs 3 lakhs, or both. The power to investigate offences under this law rests with a police officer not below the rank of Inspector.
In summation, we believe that once the Personal Data Protection Bill becomes law, businesses will have to comply with each of its requirements, and the best way to do that is to be informed and be prepared.