The Personal Data Protection Bill, 2019, which has now been more than three years in the making, will presumably see progress with the Joint Parliamentary Committee on the Bill tabling its report in the Parliament this Winter Session. The Bill marks a watershed moment for the data protection and privacy movement in India for several reasons.
First, it provides statutory enforcement of the fundamental right to privacy recognised in Puttaswamy v. Union of India (2017). Second, the Bill is a significant shift from the co-optive approach, adopted hitherto, of addressing data protection and privacy concerns under the Information Technology Act, 2000 to recognising them as issues that merit regulatory attention in their own right. Third, it seeks to accord protections to natural persons on par with some of the most robust data protection legislations, including the General Data Protection Regulation, 2016, in force in the European Union.
The fundamental way in which the Personal Data Protection Bill provides for these protections is by embodying the principle of informational autonomy i.e., giving a person (data principal) extensive control over the data they generate. This is reflected in various provisions of the Bill, the foremost of which is requiring consent for any processing of personal data by the regulated entities (data fiduciaries).
Any processing of personal data (barring certain exemptions discussed later) is lawful only when it is based on the consent of the person which has to be free, clear, specific, informed and withdrawable. This is accompanied by the principles of data minimisation in the Bill in the form of collection, purpose and storage limitation. Put simply, this means that only such personal data will be collected that is necessary for the purposes for which it was collected, that the collected data will be processed only for the purposes for which it was collected, and that it shall be retained only for such period as is required to fulfil the purposes it was collected for.
Additionally, the Bill provides data principals the right to know if and what personal data a data fiduciary possesses in relation to them, the right to correct, complete and update such data as well as erase it when it is no longer required for the purpose for which it was collected.
Obligations on Data Fiduciaries
Corresponding to these rights, the Bill prescribes various obligations on data fiduciaries. For example, to enable the data principals to exercise the above-mentioned rights, data fiduciaries are required to provide them with relevant information relating to their data and also put in place grievance redressal mechanisms. They are also required to undertake sufficient security safeguards to ensure the security and integrity of the data they process.
Keeping in mind that protections run with the data, the Bill provides that similar obligations are also placed on any entity that processes data on behalf of the data fiduciary. This approach is also reflected in cross-border transfer of data, wherein “sensitive” personal data can only be transferred outside India on the fulfilment of certain conditions. Further, to increase the enforceability of data protection provisions against multinational data fiduciaries, the Bill requires that all “critical” personal data exclusively and a working copy of sensitive personal data be stored locally in India.
In keeping with the growing understanding across various data protection regimes that big tech can often lead to more pernicious effects on informational privacy of individuals, the Bill recognises the concept of “significant” data fiduciaries. These data fiduciaries are notified on the basis of the nature and volume of personal data they process and the harms that may arise out of such processing. Such significant data fiduciaries are required to comply with additional obligations such as conducting data protection impact assessments and audits of their data protection policies.
Exemptions for the State
However, various exemptions have been carved out of the key provisions of the Bill. Processing of personal data is broadly subject to notifying the data principal of such processing and the data fiduciary obtaining clear consent for such processing. However, Chapter III of the Bill provides broad exemptions from the requirement of obtaining consent prior to an individual’s personal data being processed.
These exemptions are also available for employers seeking to verify attendance or assess the performance of an employee of the data fiduciary. The latter exemption is of particular relevance these days given the rise in workplace surveillance habits being adopted in remote work, and its effects on individual privacy. Further, the processing of such personal data outside the consent framework must be reconciled with not just the parameter of necessity, but also of proportionality and legality.
Chapter VIII of the Bill provides broad powers to the central government to exempt any agency of the government from any or all provisions of this Bill under certain grounds. In Puttaswamy (2017), the Supreme Court stated that restraints on individual privacy must be legally prescribed and in furtherance of a legitimate state aim, and that the means used to achieve the state’s aim must be proportional to the objectives of the state.
In the Puttaswamy v. Union of India (2018) case, the Supreme Court added nuances to the proportionality test by assessing whether measures restricting privacy are the least restrictive but equally effective option. By allowing blanket and disproportionate exemptions, the provisions of the Bill do not reconcile with the threshold of permitted restraints on individual privacy contemplated by the SC. Most recently, concerns have been raised over the breadth of these exemptions by members of the Joint Parliamentary Committee as well.
The Bill establishes the Data Protection Authority of India (DPAI), a regulatory body to oversee the implementation of the law. The DPAI within the Bill is envisaged as a super-regulatory body whose ambit shall encompass various other ministries and sectors where personal data is processed. The smooth functioning of the DPAI is crucial for the private sector. Timely certifications of huge numbers of privacy-by-design policies and quick efficient reviews of data protection impact assessment reports would be a major ongoing function of the DPAI, not to mention the DPAI’s significant powers to frame regulations, codes of practices, exemptions and sandbox design.
These functions must be carried out efficiently along with receiving complaints from data principals seeking to exercise their rights, conducting inquiries and taking action under the Bill. It remains to be seen whether the DPAI, comprising seven full-time members, would be timely in its actions or would end up swamped without the right infrastructure, budget or manpower for the scale of each of these roles.
Robust Framework for Data Protection
The Bill, as it stands, is a promising draft that marks a huge step forward in the Indian understanding of data protection and privacy. It provides for a robust framework for data protection and sets out comprehensive rights and obligations for the stakeholders in India’s digital economy. The exemptions provided within the proposed law indicate a greater focus on private sector personal data processing, a necessary move in today’s increasingly connected and personal data-centric services that brings India to level terms with global data protection norms.
However, considering the nature of exemptions to state action, it remains to be seen how similar data protection obligations within the enacted version of this Bill would play out against the State so as to holistically protect citizens from unwarranted restraints on their privacy.
Trishee Goyal is a Project Fellow and Dhruv Somayajula is a Research Fellow at the Centre for Applied Law and Technology Research, Vidhi Centre for Legal Policy. The views expressed in this article are those of the authors and do not represent the stand of this publication.