The proposed Personal Data Protection Bill 2019 led last week to intense discussion on the exemption it gives the State for its activities
In contrast to this controversial position, the private sector is also closely monitoring the new law, as data has become a company’s most important asset today.
The 2018 Bill gave an overview of the significant changes involved in data-related activities, whether through data localization or the need for data-related activity approval.
Most of these provisions were kept in the 2019 bill, with certain modifications to be noted.
New rules for locating data and transferring data across borders
Data mirroring
The data mirroring provision for personal data has been excluded and limited to confidential personal data (‘ SPD ‘). A copy of data such as religious, biometric, health, financial and related information must be kept in India.
Cross-border data transfers
If the company is a multinational corporation that needs such transfers or when a foreign cloud service provider is used, two conditions must be met when moving SPD from outside India.
First, the data principal’s (person’s) explicit consent is required, and second, cross-border data transfer steps such as an effective decision or an approved agreement or intra-group scheme must be in place.
Interestingly, this has been excluded entirely from the criteria for cross-border transfers of personal data.
Apart from the threat of moving to a country with insufficient safeguards, a second factor is that this could impact India’s ability to acquire an appropriate decision from, say, Europe.
Such a decision would make business between Europe and India significantly easier, as it would allow free data transfer from Europe.
Such a decision would eliminate one measure of compliance for companies.
Critical personal data
The legislation continues to demand that sensitive personal data, which remains undefined be processed within India alone.
The ‘ processing ‘ restriction completely means that no activity can be done for this category of information, including sharing, analysis storage, etc.
Moreover, Bill clarifies that some relaxations can exist, such as whether the privacy laws of the other country are sufficient and the government does not see any benefit with the move, or whether they are for emergency purposes such as health
While this offers some relief, considering the importance of the restriction more detail on this will help companies better prepare for the upcoming legislation.
The Justice Sri Krishna Committee Report Information such as the Aadhaar number, genetic data, biometric data, data on health, etc. could be included.
Consent and consent managers under the new law
Consent under the new law
The 2018 Bill brought to the forefront that agreement will be the foundation stone of the new law.
This is a major issue for organisations because a variety of things are often conducted without approval, such as marketing, lead generation, data analytics, research, fraud testing, etc.
Those operations are usually focused on other production grounds, such as ‘ legitimate (company) interests. ‘ Says Europe’s General Data Protection Regulation,
The downside of this is that under the GDPR, companies have some freedom to decide which actions are fair and within the scope of the law.
A second advantage is that the data protection authority has a somewhat reduced burden to assess the validity of each storage operation.
According to Indian law, most processing is based on consent. There are exceptions in the form of the ‘reasonable purposes’ exemption, compliance with laws, the employment purposes exemption, etc.
However, as under the GDPR, the flexibility is lost. The 2019 Bill also reaffirms the priority given to consent by structurally positioning consent along with the basic processing principles (‘ Data Fiduciary Obligations ‘) rather than the previous processing grounds (under the 2018 Bill).
It suggests the unlikelihood of implementing alternate manufacturing grounds that could offer more flexibility to businesses.
Consent managers under the new law
These are a form of intermediary that serves the purpose of assisting a data principal to give, withdraw and otherwise manage consent with a data fiduciary, and exercising any of its data subject rights under the law (right to delete, right of access, etc.).
These are data fiduciaries that work through a network that is open, usable and inter-operable.
It is unclear whether a consent manager will allow a data manager to communicate with many or all of the data fiduciaries he has dealings with, or whether a data fiduciary can select a single consent manager or a set of managers that a data manager can use to deal with.
The former is identical to the account aggregator system for financial data. This gives the Data Principle a major benefit in terms of promoting consent management and regulation of multiple data trustees ‘ rights.
This can mean a huge compliance burden for companies however, especially in terms of working with multiple consent managers.
The second form, where a given company or class of companies is using a specific consent manager(s), may work better, reducing the burden of compliance for companies and ensuring that the consent manager is working effectively.
Alternatively it is necessary to consider different consent management systems for specific industries, like the financial industry account aggregators.
Liabilities of consent managers
An additional point on which the law is unclear is how the liabilities will be determined through the use of consent managers.
For example, who is responsible if consent communication fails, is conveyed incorrectly, or if at some point there is a security breach? This is a major issue, given the enormous penalties imposed under the 2019 Act, as well as the fact that a contact with a consent manager is considered a communication with the data fiduciary.
It must be specified if such liabilities are to be decided contractually or if this is to be established by India’s Data Protection Authority (DPAI).
Certification of privacy by design policies and a sandbox
Optional certification of privacy by design policies
the 2018 Bill introduced a ‘ data trust score ‘ concept to only be awarded based on the data protection policies of an organization and to be stated in the privacy policy.
This will serve as a public privacy benchmark, just as the ISO marks do for protection.
The 2019 Bill also specifies that data fiduciaries ‘ can ‘ be approved for their privacy through development policies subject to regulations.
This indicates that these policies can be certified by companies at their option and that certain standards will be prescribed for certification of the policy.
It is currently unclear whether such training will be compulsory for certain processing operations or fiduciaries.
A sandbox for AI, ML, etc.
Certification also has an advantage, as this is a condition for applying for a proposed sandbox under the 2019 Act.
The DPAI is setting up such a sandbox to support artificial intelligence, machine learning, and other emerging tech technology.The sandbox’s benefits can be used for up to 36 months.
Provided that the privacy of individuals is not compromised, this could be beneficial if the DPAI monitors new developments at a closer level and if more flexible regulations are possible.
As per the 2019 Bill, the processing permitted under this will be based on consent, and the purpose, collection and storage limitations may be included in the regulatory relaxations provided.
State access to anonymous, non-personal and personal data
Anonymous and non-personal data
Another contentious provision is the right of the central government under the law to request any fiduciary to provide any confidential and non-personal information to be used for ‘ better targeted service delivery ‘ or ‘ evidence-based policy ‘ formulation.
This is a concern given the scope of non-personal data that can relate to anything from statistical data to sensitive business data, and with no clarification as to how corporate interests will be protected over such data.
However, despite the separate formulation of a law on non-personal data, there is no clarification as to why this clause is included here or how it will communicate with the proposed law.
Personal data
The highly controversial state processing exception also affects private businesses.
The law allows a broad exemption to a governmental agency for national security reasons, from any or all the provisions of the law. It implies, for private companies, that the government could also request or seize any personal data in their possession for reasons of national security.
Specific provisions on social media intermediaries
The 2019 Bill also contains some guidelines on social media intermediaries (‘ SMIs ‘), for which special conditions are to be prescribed for classification as a significant data fiduciary.
It also states that it is mandatory for SMIs defined as such to provide users with the ability to validate themselves, and this validation must be demonstrable and clear.
The existence of this clause is unusual — for one, it is unclear why there is a separate provision for the classification of SMIs when the general rule for the classification of fiduciaries as important data fiduciaries applies to each fiduciary, including an SMI.
This would be better placed as a regulation provided by the DPAI, which provides full information on the classification requirements and responsibilities, than as part of the primary legislation.
A second factor is that the confirmation provision would be better placed under intermediary law as an enforcement requirement than under privacy law.
Significant compliance burden
Currently, a select parliamentary committee has referred the Bill for consideration, which means that further changes are likely to occur before the law takes its final form.
The Bill, in its current form, implies that companies around India and the world will have a significant compliance burden.
Although there must be no compromise with people’s rights where it is possible to reduce the company’s compliance burden, these measures should be taken into account.
Furthermore, the enormous amount of power on the DPAI also means that the DPAI is likely to be overloaded by the number of decisions it will have to make.
Measures to ease these need to be considered, such as enabling some amount of self-regulation and industry-determined standards (subject to approval by the DPAI).