Data Protection Bill, 2021

New Data Protection Regime in the Making – India – Key Highlights & Observations – Data Protection Bill, 2021

A comprehensive data privacy law for India has been in the works since the Supreme Court’s recommendation in 2017. Two draft versions of the proposed law (2018 and 2019) were previously released for public consultation, after which the Personal Data Protection Bill, 2019 (PDP Bill) was referred to a Joint Parliamentary Committee (JPC). The JPC presented its report on the PDP Bill in parliament on December 16, 2021 (Report). While the Report has been adopted by the members of the JPC, eight members have submitted dissent notes on certain aspects of the law.

The Report recommends several amendments to the PDP Bill, the most extraordinary of which is to regulate the collection and processing of both personal data and non-personal data (NPD), resulting in a change of title to the Data Protection Bill, 2021 (DPB). Data protection laws worldwide normally regulate only personal data.

The DPB inter alia (a) seeks to cover personal data (PD), sensitive personal data (SPD), critical personal data (CPD), anonymised personal data and NPD; (b) has a cross-border reach and is applicable to entities outside India if they have a business connection to India or carry out profiling of individuals in India; and (c) mandates that a data protection authority (DPA) dealing with both PD and NPD be set up. Higher benchmarks of compliance are prescribed for SPD and CPD (which are subsets of PD). Data localisation norms (i.e., storing data in India) are stringent with respect to CPD in the interests of national security and law enforcement. Since data is stored in mixed data sets, segregating data for localisation could prove to be a challenge, resulting in localisation of both SPD and CPD. Cross-border transfer of data also requires permissions and will be cumbersome.

A few elements of the Report are welcome, such as (a) the importance placed on the provision of notice to data principals by data processors / data fiduciaries, coupled with the informed consent of data principals; (b) the restriction on use of employee data by employers; (c) data retention rules specifying that data may be retained only for as long as it serves the purpose for which it is processed and must be deleted at the end of that period; and (d) the reporting of security breaches for both PD and NPD to the DPA within 72 hours. It is unclear how the DPA will coordinate with specialised agencies such as the Computer Emergency Response Team and the Ministry of Electronics & Information Technology Standardisation Testing and Quality Certification. A timeline of two years has been provided for implementation of the provisions of the DPB, which is a relief to all stakeholders. Stringent standards have been introduced for the data of minors (i.e., those under the age of 18), including consent of parents / guardians, verification of all children’s data and a ban on profiling / tracking of children’s data, etc. However, some aspects of these provisions may have a counterintuitive impact, especially for ed-tech and education-related gaming / AI companies where it is essential to use children’s data to track a child’s progress. The appointment of a data protection officer from the C-suite introduces higher accountability, as opposed to low-level employees with lesser responsibility, and a grievance redressal process has also been introduced. However, an MD, CEO or CFO may not have the bandwidth to handle these issues themselves, so it is unclear how this will be implemented.

In an attempt to grant users more control over their data, the DPB introduces a data portability provision, whereby data principals may seek their personal data from the data fiduciary in a commonly used and machine-readable format. Exemptions have been provided for instances where (a) the data processing is not automated; (b) the processing is necessary for compliance with law, an order of a court or a function of the state; and, significantly, (c) compliance with the request is technically not feasible. The exemption in the PDP Bill from data portability for data that reveals trade secrets has been omitted from this version of the law. Certain items with respect to data portability should be fleshed out in the final version of the DPB, such as (a) ownership of intellectual property in the data transferred; (b) whether the data generated would include derivative data (which may prove a challenge for digital businesses having to share analytical data); and (c) other practical issues such as the format of the data.

Interestingly, the right to be forgotten, also recognised by several High Courts in India, seems to have been diluted, as the data fiduciary has been provided with (a) the ability to reject a data principal’s request for erasure of information; and (b) certain exemptions to retain, use and process such data.

Some facets of the DPB appear to be at cross purposes with the main intent of the law: the protection of PD / SPD and CPD. Consent is the crux of any data protection law. State powers and exemptions have been expanded. The scope of Clause 12 of the DPB, which earlier permitted personal data to be processed without consent for the performance of state functions on just two grounds, (i) the provision of services or benefits and (ii) the issuance of certifications, licences or permits, has been expanded innocuously through the insertion of the word “including”, so that these two categories now appear to be only illustrative of the many other grounds on which the government could collect data without consent. Clause 35 of the DPB adds that the government has the power to exempt any government agency from any or all provisions of the DPB in the name of sovereignty, security of the State, etc., which has attracted dissent from members of the committee on the grounds that the government has been given wide discretion to access PD / NPD without the consent of the data principals. The Government has been given the power to direct that anonymised data / NPD be shared by any entity with the Government in certain circumstances. The Government has also been given the flexibility to frame a policy on the regulation of NPD, including anonymised data. The Report seems to have a misplaced focus on protecting both national sovereignty and the commercial interest of the country, which is not a common thread in global data protection regimes.

In a similar vein to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the scope of the DPB seems to extend beyond the ambit of data protection, requiring healthy debate in the houses of parliament on its introduction. For example: (a) the overarching extension that makes social media intermediaries publishers of data in certain instances, where they lose their immunity as mere hosts of content; (b) the requirement for social media platforms operating in India to have local offices; and (c) the setting up of a statutory media regulatory authority. Further, the Report recommends that a framework be established for the monitoring, testing and certification of hardware devices, a provision which is not usually included in data protection laws worldwide.

The DPB provides for civil compensation from data fiduciaries / processors for infringement of any law, which could lead to a stream of data protection litigation. In addition, the DPB provides for financial penalties such as fines (up to 4% of global turnover) and criminal penalties in the limited case of unauthorised de-identification of data.

The DPB is merely a draft law and is yet to be tabled as a bill for the consideration of parliament. The recommendations of the JPC are not binding upon the government, and the DPB may be tabled in parliament in its current form or undergo subsequent changes – for now, all one can do is wait and watch!

This article was originally published in The Financial Express.