Personal Data Protection Bill 2018 – A Hit or A Miss?


Personal data has long been one of the most undervalued assets, and with the rapid advancement of information and communication technology it requires protection. In Justice K S Puttaswamy (Retd.) & Anr. Vs. Union of India & Ors., reported as 2015 SCC OnLine SC 1640, the Hon’ble Supreme Court of India held that the Right to Privacy is an integral part of the Right to Life and Personal Liberty under Article 21 of the Constitution of India. With privacy now recognized as intrinsic to the right to life and liberty, the Indian legislature needs to be in sync with emerging global practices. Because data is an asset whose value only appreciates over time, the planned legislation should also lay down clear guidelines for data localization, so that data-driven activities can be nurtured and grown while the data itself remains protected.

In the absence of any specific enactment, information privacy in India is currently protected through the following legislation:
  • The Indian Information Technology Act, 2000

    The IT Act governs the interchange of digital data and information in electronic transactions. It provides that where a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, that body corporate shall be liable to pay damages by way of compensation to the person so affected. The Act also provides that whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to 3 years, or with a fine not exceeding 2 lakh rupees, or with both. However, under Section 69 of the IT Act the Government may access such information if satisfied that it is required, in particular in matters pertaining to the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States, public order, etc.

  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

    The Rules provide a safety net for “sensitive personal data or information”. While collecting or handling sensitive personal data, body corporates are required to adhere strictly to the requirements laid down in the Information Technology Rules, 2011. However, the term “sensitive personal data or information” is limited to passwords, financial information such as bank account, credit card, debit card or other payment instrument details, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information.

    Given that the use of data in India is subject to loose and fragmented regulation lacking standardization and uniformity, on 21st July 2017 the Member of Parliament Sh. Baijayant Panda introduced a Private Member’s Bill titled ‘The Data (Privacy and Protection) Bill, 2017’. The Bill was drafted in line with the GDPR norms. It attempted to mandate a person’s consent before the collection of his or her personal information or data, thereby giving the individual the final say over the handling of personal data on any public or private platform. The Bill also proposed that personal data could still be accessed for welfare schemes and under social protection laws.

    In view of the aforesaid factual matrix, and in order to protect the autonomy of individuals in relation to their personal data, the Government of India appointed a Committee of Experts under the chairmanship of Justice B.N. Srikrishna (Retd. Supreme Court Judge) and entrusted it with the task of drafting a comprehensive data protection law. The Justice Srikrishna Committee Report has attempted to formulate a data protection law catering to the dynamic needs of the digitized Indian society and economy by way of “The Personal Data Protection Bill, 2018”, the first-ever attempt at codified legislation that would guarantee the protection of personal data. The Committee extensively discussed and referred to the European Union’s General Data Protection Regulation (‘EU GDPR’). The Bill has been drafted so that concepts such as ‘privacy by design’, the ‘right to be forgotten’ and ‘extraterritorial application’ are adapted to Indian data protection requirements. As in the EU GDPR, the Bill subjects sensitive personal data to greater protection, and in place of the data controller concept the Committee has intentionally used the term “data fiduciary” so as to impose a fiduciary responsibility on any person handling personal data.

    The Bill also has extra-territorial applicability and would apply to the processing of personal data by data fiduciaries or data processors outside India if the processing occurs in connection with:

    • Any business carried on in India;
    • Any systematic activity of offering goods or services to data principals within the territory of India; or
    • The profiling of data principals within the territory of India.

    The Bill also recognizes the “right to be forgotten” of a data principal and provides a limited right to restrict or prevent the “continuing disclosure” of personal data, subject to fulfilment of certain criteria. The Bill prescribes heavy penalties for violation of its provisions, computed on the total worldwide turnover of the entity in the previous financial year. The Bill has taken cognizance of India’s unique data protection requirements and has attempted to address the protection of sensitive digital data, as is apparent from the following:

  • The Bill governs the processing of an individual’s personal data by companies incorporated in India or abroad and by government bodies.
  • A Data Protection Authority (DPA) will be set up at the national level to supervise the processing of personal data by data fiduciaries, including government bodies. The DPA is empowered to (i) draft specific regulations for data fiduciaries across different sectors, (ii) supervise and monitor data fiduciaries, (iii) assess compliance with the Bill and initiate enforcement action, and (iv) receive, handle and redress complaints from data principals.
  • Data fiduciaries are required to inform the individual of the purpose and nature of the processing while handling their data.
  • Every data fiduciary is required to keep a serving copy of all personal data on a server or data centre located within the territory of India. Certain critical personal data, to be notified by the government, must be stored and processed solely within the country.
  • The Bill permits the processing of personal data on the basis of the individual’s consent. Personal data may, however, be processed without consent by the State for providing benefits to the individual, for compliance with a court order, in the interest of maintaining public order, for medical purposes, or for reasonable purposes specified by the DPA.
  • The person whose data is being processed has the right to obtain a summary of the personal data held by the data fiduciary, to have that data corrected, to be forgotten, etc.
  • Sensitive personal data may be transferred outside India only under conditions prescribed by the Central Government, or where the DPA approves a particular transfer as necessary.
  • Certain offences under the Bill may attract imprisonment of up to five years, or a fine of up to three lakh rupees.
The reforms are designed to reflect a progressive world that can legislate around personal data, privacy and consent. The Bill proposes four rights that every citizen would have over their data:
  • The right to ask a company to confirm whether their data has been processed, and to share details of what data was used and for what purpose.
  • The right to ask a company to correct any inaccurate, misleading or incomplete personal data.
  • The right to ask a company to share the personal data generated while the individual was using its goods or services.
  • The right to restrict a company from using data that was shared earlier.

Though the formulation of the Bill is to be applauded, it must be refined further to clarify certain provisions, curtail the wide discretionary powers of the State and specify the “appropriate mechanisms” for obtaining consent. With data being one of the core assets of the digitized economy, the Bill must maintain the delicate balance between an individual’s right to privacy and the ease of doing business in India, which at present it does not. Some of the infirmities in the Bill are:

  • The exemption granted to the State should have been limited to welfare schemes, as initially proposed; instead it has been extended so that consent need not be sought for the provision of any benefit or service.
  • While reporting a breach to the DPA, entities processing data may interpret the nature of a breach differently. The Bill states that the fiduciary shall inform the DPA of any accidental or unauthorized use or disclosure of data where it is likely to cause harm to an individual. The fiduciary is thus given sweeping discretion to determine which breaches need to be reported to the DPA.
  • The DPA has been vested with powers of arrest and detention without a court order.
  • The exemptions for the processing of data for the purposes of journalism, research, legal proceedings, etc. sit uneasily with the pressing need to give substance to the newly recognized right to privacy.
  • The Bill does not define what constitutes processing of personal data in a “fair and reasonable” manner. As a result there is no standard, and numerous assumptions can be drawn in interpreting the phrase.
  • The Bill permits the processing of data for welfare benefits without the consent of the individual. It does not limit this to welfare schemes: fiduciaries are not required to obtain consent when processing data for any service of the State or any function of Parliament or a State legislature.
  • The Bill states that every data fiduciary shall keep a “serving copy” of all personal and sensitive personal data on a server in India, but it fails to define “serving copy”.
  • The Bill states that certain “critical personal data” may be notified by the government and shall be processed only on servers located in India, but “critical personal data” is likewise not clearly defined.
  • The Bill puts the onus on the individual to demonstrate how a violation has caused him damage or harm, thereby placing the burden of proof on the individual.
  • The DPA has been conferred with arbitrary and disproportionate powers: in addition to imposing penalties and awarding compensation, it may order the attachment or sale of movable and immovable property, and arrest and detention in prison.

The aim of the Bill is not confined to securing personal data; it also attempts to enhance economic opportunities in India, a country where digitization is rising at a constant rhythm. The success of the new law will, however, depend on its effective implementation by all stakeholders.

About Author

Niraj Singh

Niraj Singh is a Partner of RNS Associates with extensive experience in litigation, mainly in commercial arbitration, insurance, consumer, banking & finance and corporate fraud matters.

Rajshree Chaudhary

Rajshree Chaudhary is currently working as an associate with RNS Associates and actively litigates in areas pertaining to arbitration, electricity, commercial and corporate law. She also assists in the drafting of contracts and various related issues.