A lowdown on Personal Data Protection Bill 2019

The Joint Parliamentary Committee that is deliberating the Personal Data Protection Bill 2019 is expected to submit its report in the upcoming Budget session. In its current form, the Bill will apply to processing of all personal data within India. It will apply to data processing outside India only if it involves profiling users within India or the processing entity does business with India. It has also proposed the creation of a separate regulatory authority—the Data Protection Authority (DPA).

Personal data, according to the Bill, means any data “about or relating to a natural person who is directly or indirectly identifiable”. The 2019 draft also includes inferred data within the definition of personal data. A special category of personal data—sensitive personal data—is also defined within the Bill. Such data, which includes financial data, health data, biometric data, caste and religion data, is accorded higher protection. Another category—critical personal data—is mentioned in the Bill but not defined.

It is important to remember that the central government will determine what kind of biometric data can be processed, as per the Bill.

Entities, including the state, that determine the purpose and means of processing personal data are called data fiduciaries and most responsibilities laid within the Bill pertain to such entities. Data processors, on the other hand, are entities, including the state, which process personal data on behalf of a data fiduciary.

Data fiduciaries can process personal data only if they have clearly specified their lawful reasons for the same, are processing data only for the specified and pre-determined purpose, are collecting only relevant data, have told the user about all of it, and have taken the user’s consent. Data can only be collected for limited purposes and companies cannot retain data forever.
 
Consent is must, except in some cases
To process personal data, consent of the data principal (user) must be taken before processing data. Consent is valid only if it is freely given, informed, specific, clear, and capable of being withdrawn. Giving and withdrawing consent must be equally easy for the user. While processing sensitive personal data, the user’s explicit consent is required, that is, the data fiduciary must inform the user about processing that may cause them significant harm, and the user must consent to each category of sensitive personal data separately. And as in real life, consent cannot be inferred.

There are a few situations under which a data fiduciary may proceed without seeking consent. These include performing a function of the state, to respond to medical emergencies, for employment purposes, amongst others. Depending on the delegated regulations, these exceptions could include whistleblowing, mergers and acquisition, credit scoring, search engine operations, amongst others.

The Bill classifies a special category of data fiduciaries—consent managers—through which users can fan, withdraw, review and manage their consent. Consent managers must register with the DPA.
 
The Bill grants users four rights:
1.   Right to confirmation and access: This allows users to ask data fiduciaries, including the state, whether they processed their data and what kind of processing activities were performed on that data.

2.   Right to correction and erasure: Users can ask data fiduciaries to correct or erase data that is irrelevant.

3.   Right to data portability: For automated data processing, a user can ask the processing entity for the following personal data in a machine-readable format: Personal data provided by the user, data generated by the processing entity about the user, and any other data about the user that the processing entity collected from other sources. The only data exempted from this is data that was processed for state functions or for legal reasons, or sharing such data with the user would reveal trade secrets or would not be technically feasible. Companies can choose to charge users fee for data portability.

4.   Right to be forgotten: The user can prevent the data fiduciary from using their personal data if the purpose of processing has been served or if the user has withdrawn consent.
 
Holding processing entities accountable
Data fiduciaries must prepare a privacy by design policy which defines the steps they have taken to protect users, the technology that they are using for data processing and if it conforms to certified standards, amongst other things. If the fiduciary gets this policy certified by the DPA, it can then participate in DPA’s innovation sandbox to experiment with use of artificial intelligence, machine learning, and “any other emerging technology in public interest”.
 
Dealing with data breaches
In case of a data breach that “is likely” to harm users, the data fiduciary must inform the DPA as soon as possible. This notification must include nature of personal data that has been compromised, number of affected users, potential consequences, and the steps taken by the fiduciary to remedy the breach. The DPA will determine whether the fiduciary needs to inform the users, depending on the severity of the breach and whether users have to take any actions to prevent harm.
 
Significant data fiduciaries have added obligations
A special class of data fiduciaries will be determined by the DPA on the basis of volume and sensitivity of data processed, turnover of the data fiduciary, risk of harm posed by processing and use of new technologies. These are called significant data fiduciaries. Such fiduciaries, along with any other data fiduciaries that the DPA thinks carry a risk of significant harm to users, must do the following:

1.   Register with the DPA

2.   Appoint a Data Protection Officer who will be based in India and review data protection impact assessments.

3.   Undertake data protection impact assessments (DPIA) if they intend to process data using new technologies or do large scale profiling or use sensitive personal data or any other activity that poses significant harm to the user. On the basis of this DPIA, if the DPA believes that the processing is likely to harm users, it may stop the fiduciary from such processing.

4.   Maintain up-to-date records about operations carried out by the fiduciary, review of security safeguards, DPIAs, etc.

5.   Annual audits of policies and conduct of data processing by an independent data auditor. The data auditor will assign the fiduciary a data trust score on the basis of the audit. A list of registered data auditors will be maintained by the DPA.

The special case of social media platforms
The 2019 Bill defines social media intermediaries as “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”. It does not include search engines, email service providers, internet service providers, etc. The central government can classify social media platforms as significant data fiduciaries if the platforms have users above a certain (as yet undefined) threshold, and the platforms’ actions can affect electoral democracy, security of the state, public order, or sovereignty and integrity of India. For different classes of social media intermediaries, there will be different user thresholds.

All social media intermediaries which are notified as significant data fiduciaries by the central government must allow their users in India to verify their accounts. Verified accounts must have a “demonstrable and visible mark of verification” (think blue-ticked accounts on Twitter and Facebook).
 
Data processors have limited liability
Data processors (DP) don’t determine the means or purpose of processing but are contracted by data fiduciaries to carry out data processing. DPs cannot appoint another data processer (sub-processor) without contractual permission from the data fiduciary. All processing is controlled by the fiduciary.

Processors are liable only if they do not follow the fiduciary’s instructions, act negligently, or do not have adequate security safeguards. In case of an issue, data processors may still have to compensate a user, if the Adjudicating Officer says so.
 
Dealing with children’s data
If children use a particular service, then the fiduciary must verify the child’s age and get consent of the parent or guardian. Data fiduciaries that are a service directed towards children or process large volumes of children’s personal data will be classified as guardian data fiduciaries. Such fiduciaries are forbidden from serving targeted ads or profiling users or tracking their behaviours.
 
Data localisation requirements
To send personal data outside India for processing (which includes storage, indexing, etc), fiduciaries must take explicit consent. To transfer sensitive personal data, in addition to explicit consent, the transfer must either be a part of a contract or intra-group scheme approved by the DPA, or the transfer has been approved by the central government, or the DPA has allowed it for a specific purpose. Critical personal data can only be processed within India except to provide health services or in cases of emergencies, or where such transfer is allowed by the central government after taking national security interests into account.
 
Only one offence recognised by the 2019 Bill
Data fiduciaries and processors can commit only one offence—re-identify and process de-identified data without user consent. This could lead to imprisonment of up to three years or a fine of up to ₹2 lakh or both.

For other contraventions of the Bill, entities can be penalised from up to ₹5 crore or two percent of total worldwide turnover in the preceding financial year to up to ₹15 crore or four percent of total global turnover.
 
Problems that have been raised with the PDP Bill:
1.   Sweeping exemptions for the state: The Bill empowers the central government to exempt any agency of the government from any or all provisions of Bill in the interest of national security. This functionally excludes the government from being subjected to the Bill. Moreover, for purposes of law enforcement, exercising judicial functions, and make legal claims, fiduciaries are not required to adhere to principle of purpose limitation, minimum data retention, etc. Critics fear that such exemptions could lead to creation of a surveillance state.

2.   DPA is not an independent regulatory body: In the revised draft, the DPA is comprised of a chairperson and six whole-time members. All these members will be appointed on the basis of recommendations made by a selection committee that consists of Cabinet Secretary and Secretaries in-charge of Legal Affairs, and Electronics and IT. The DPA, thus, will be appointed by the executive branch of the government. In the 2018 version of the Bill, the selection committee was to be headed by the Chief Justice of India or another Supreme Court judge. It was to also have another independent expert nominated by the judicial member.

3.   Data localisation requirements mean India won’t meet data adequacy requirements elsewhere: Data localisation and mirroring requirements, along with exemptions for the government and a DPA that is not independent, mean that other territories, such as the European Union, will not deem India adequate from a cross-border data transfer perspective. That will hamper processing activities that are outsourced to India.

4.   Sharing non-personal data with the government: The 2019 Bill allows that central government to direct fiduciaries or processors to provide anonymised personal data or other non-personal data to the government “to enable better targeting of delivery of services or formulation of evidence-based policies” by the central government. Stakeholders have long argued that this infringes on their intellectual property rights. Companies have said that such data sharing would expose their trade secrets since companies today rely on processed data to draw inferences about the kind of services they need to offer to expand their user base. Moreover, given that a separate Committee of Experts is formulating a governance framework for non-personal data, its inclusion in the Personal Data Protection Bill is jarring.

5.   Inclusion of ‘inferred data’ in the definition of personal data: Unlike the 2018 version, the 2019 version expands the definition of personal data to include inferred data. This then includes data that has been subjected to data analytics. If such data is ported under Right to Portability, it could potentially harm companies’ intellectual property.

6.   Compliance period has not been defined: The Bill does not define when which sections of the Bill will come into effect and how long entities will have to comply with the provisions. This has led to a lot of uncertainty amongst stakeholders.