Digital Eldorado: Data Privacy 2018


The 21st century has long been touted as the ‘information age’, and over the years, breakthroughs in technology have helped catapult many economies into the big league. Access to a treasure trove of data has transformed the way the world does business today. While technology has made almost a limitless bounty of data available and provided access to data pertaining to pretty much all aspects of people’s lives, it has also unleashed a plethora of challenges. There has been an alarming rise in cybercrimes with the perpetrators often impinging on people’s privacy. Acknowledging the serious nature of this menace, many countries have been striving to formulate strategies to counter or control the negative effects of the digital domain. There is a growing sense of urgency for having a proper legislative framework in place to address concerns on cyber security, data protection and privacy.

In India, for instance, the digital era has triggered concerns about data protection, especially in the wake of the Supreme Court ruling (Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors. 2017), that privacy is a fundamental right. A committee was set up by the Ministry of Electronics and Information Technology, Government of India (MEITY) in July 2017 to prepare a data protection framework and the draft of The Personal Data Protection Bill, 2018. The Bill was released by the Committee of Experts chaired by retired Supreme Court Justice B. N. Srikrishna (Committee) on July 27, 2018.

The key objective of the proposed data privacy framework is to ensure a free and fair progressive digital Indian economy while ensuring a framework that gives an individual citizen maximum freedom to protect their personal data against any unwarranted transgressions. Parallel to many regulations across the globe, the Indian Personal Data Protection Bill also introduces and mandates the concept of ‘privacy by design’ and has been broadly based on the framework and principles of the General Data Protection Regulation (GDPR). This shall apply to the whole of India, including foreign entities processing personal data for any business carried on in India and/or involving profiling of Indian citizens in India. It is applicable to the public and private sector, to any and all personal data collected, disclosed, shared or otherwise processed within the territory of India, goods and services offered to data principals in India, and for that matter, any activity involving classification of Indians.

WHAT DOES DATA PRIVACY MEAN FOR CORPORATES?
Place Privacy at the core and in totality

At every phase of the data life cycle – be it collection, use, retention, storage, disposal or destruction – the organization will have to assimilate the concept of privacy and security into the design, supervision, operation, and management of the system, business process, or design specification. Organizations will have to outline and institute a data privacy framework as well as privacy controls for diverse categories of sensitive personal data at all the stages of the data lifecycle. The framework and controls will need to be published and communicated to all departments across the organization by taking a top-down approach.

Relook at the Mechanism used to collect Personal data

While collecting personal data, organizations will need to ensure they only source data to the minimum required for the purpose of processing. A clear notice must be provided while collecting personal data, which should specify details such as the purpose of processing, and categories of personal data being collected. It must also mention the names of individuals or entities with whom personal data will be shared. All organizations, irrespective of their size, turnover or industry, will have to ensure that only the minimum personal data fields are collected from the users, which are critical to achieve the purpose of processing the data and provide the product/ service requested by the data principal. Additionally, data collected for one purpose should not be blindly reused without further consent. This applies to both online and offline collection modes.

IT Governance

While data is being collected, organizations will need to communicate the rights of the people from whom the information is sought and explain to them how they can exercise those rights. Even while storing data, organizations will have to come up with a strategy to ensure data privacy and security. Organizations will need to institute a personal data governance framework, detailing the duties, functions, and responsibilities of key stakeholders of the privacy and compliance team. While the framework will have to completely map the capture, usage and storage of personal data, it should also have the scope to delete such data if any individual wants it to be deleted. To address grievances, organizations will need to have a well-defined and robust communications channel (internally and externally), to be able to fulfil requests for right to access, right to rectification, etc., within a reasonable time.

REVISIT & REFRESH CONSENT

Organizations will have to periodically refresh the notice and consent forms on all personal data procurement touch points – digital or physical. All corporates would need to obtain the consent of the people involved before processing personal data. Before processing any sensitive personal data such as financial data, health data, biometric data, passwords, etc., explicit consent needs to be sought. Organizations will be required to analyze their digital presence in accordance with the requirements of the Bill. A crucial aspect of this Bill deals with safeguarding the personal information of children. Organizations offering services primarily to children, other commercial websites or online services directed at children or those processing a large volume of personal data of children will be identified as ‘guardian data fiduciaries’ and would be required to provide for special safeguards for processing personal data of children for their best interest. This includes providing for age verification and parental consent. It bars organizations from ‘profiling, tracking, or behavioural monitoring of, or targeted advertising directed at children’ or data processing that may cause any child ‘significant harm’.

IMPORTANT DEFINITIONS
Data

“Data” means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. Protected data includes the following data points pertaining to any individual: (i) passwords; (ii) banking and financial information; (iii) sexual orientation; (iv) medical records and history; and (v) biometric information. A vital marker to determine information captured as protected data is ‘data which, either directly or indirectly, is capable of identifying an individual’.

Data Fiduciary

Data fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others decides the purpose and means of processing of personal data.

Data Principal

Data Principal refers to the natural person and includes any person, company, or entity whose information is being collected.

Data Processor

Data processor means any person, state, company, juristic entity or any individual who processes personal data on behalf of a data fiduciary but does not include an employee of the data fiduciary.

Manage Data transfer

Organizations will have to reconsider their cloud strategy and gain visibility into data storage locations. Global organizations serving Indian customers will have to reassess their cross-border data movement practices. They will need to determine the locations/data centers in which data will be stored within India and they will also have to ensure that at least one copy of the personal data is available on a server or data center situated within India. The disaster recovery strategy of global organizations with disaster recovery sites outside India will have to be reinforced with additional controls.

Data storage Management

Organizations will have to invest in mechanisms and techniques to provide a copy of all the personal data they hold, in case the data needs to be corrected, completed or updated to ensure data quality. Organizations should hold on to personal data only as long as it is reasonably necessary to satisfy the purpose for which it is obtained. Data stored by the organization will have to be reviewed periodically to determine what needs to be retained and what needs to be discarded. Recipients of protected data are required to implement utmost security measures and systems for management of protected data in accordance with the security practice code which is system approved and notified by the Central Government. The Recipients are also required to carry out yearly audits, to be carried out by an independent auditor approved by the Central Government.

Data Security and Protection

With regard to the data they hold, organizations must take stock of their vulnerabilities, possible threats, and leakage points such as third party access, external sharing, network susceptibilities, corporate espionage, snooping, phishing, etc. and outline a comprehensive incident response mechanism. The procedures must include an end-to-end workflow for management of a personal data breach along with integration of a personal data breach notification mechanism in the prevailing incident management tool. Further, organizations are required to register with the Data Protection Authority (DPA) of India, and necessarily execute a risk-based data protection impact assessment (DPIA) for dealing, curtailing, mitigating, and eliminating the risk of damage to any person whose data has been sought. Organizations are further required to implement annual independent audits of their policies and measures to protect personal data and appoint a Data Protection Officer (DPO). They would further need to develop a secure disposal policy for disposal of data that is no longer required.

EXCEPTION

The Bill offers exclusions to definite data processing activities, while asserting that processing of an individual’s personal data will not be subject to the responsibilities specified, and the data principal will not have the rights demarcated in the Bill, if their personal data is processed for the purposes of:

  • National security (pursuant to a law)
  • Prevention, detection, investigation and prosecution of contraventions to a law
  • Legal proceedings
  • Personal or domestic purposes
  • Journalistic purposes

This is provided that such personal data is processed in a fair and reasonable manner and that appropriate security safeguards are in place.

HIGHLIGHTS

The Indian Personal Data Protection Bill:

  • Identifies the role of the data principal and the data processor
  • Provides various grounds for handling different classes/groups of personal data
  • Provides data protection duties and transparency and accountability procedures to be adopted by data fiduciaries and data processors
  • Lists the rights of data principals
  • Proposes the establishment of a data regulator, the Data Protection Authority of India (DPA)
  • Sets out penalties and grievance redressal mechanisms for breach of personal data.

About Author

Kiran Radhakrishnan

Kiran Radhakrishnan is a skilled negotiator and business law specialist with more than ten years’ diversified experience in providing expert counsel and directing company policy on a broad range of issues. He is currently working with PF Matters as Legal Counsel. He can be reached at [email protected]