Data Protection In India: Recent Developments.
Legal News & Analysis - Asia Pacific - India - Cybersecurity
24 September, 2019
Data is the new gold. Various means, fair and unfair, are being used to trade in data. Unfair instances of data breaches are many. The Cambridge Analytica scandal exemplified misuse of personal data which adversely affected every sphere of life including the politics of various countries. In India, the importance of data and consequently protecting data, has arisen not only from instances of data breaches but from the realisation of the fact that the most efficient way to alleviate poverty in India is to deliver government benefits to masses through digital means. Digitisation of the social benefits delivery system means that humungous amounts of data is being processed and used by the Government and its various agencies. The other aspect though intricately linked to the Indian economy, is the growth of e-commerce and social networking in India. Again, a significant amount of data is now in the hands of private enterprise. Keeping the above in view and taking into account the benefits of digitisation and the digital economy, in July 2018, an expert committee constituted by the Government of India under the leadership of Justice (retired) B. N. Srikrishna released its final report on India’s way forward on protecting data, which included a draft data protection bill called the Personal Data Protection Bill, 2018 (‘Draft Bill’).
Currently in India, data protection and its management are governed by Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (‘SPDI Rules’). Data protection would broadly involve a ‘data provider’ and a ‘data collector’.
SPDI Rules are applicable to data collectors which can be body corporates and persons located within India. Body corporate includes companies, firms, sole proprietorships or other associations of individuals engaged in commercial or professional activities.
Broadly, data is classified as:
(i) Personal Data - any information relating to a natural person available with a body corporate capable of identifying a person; and
(ii) Sensitive Personal Data - personal information relating to passwords, bank account, credit/debit card, physical/mental health, medical history, etc. Sensitive Personal Data does not include information available in public domain or which is disclosed under India’s regime of right to information for its citizens.
Current data protection laws in India are being re-evaluated and the Draft Bill will soon be placed before the Indian Parliament for consideration. If and when the Draft Bill becomes law, it will repeal and replace SPDI Rules. The Draft Bill covers the concept of Personal Data, Sensitive Personal Data and includes a new category of data, known as the Critical Personal Data.
Broadly, ‘Personal Data’ would mean data about an identifiable natural person which is same as that under the SPDI Rules. However, the definition of ‘Sensitive Personal Data’ is broader in the Draft Bill as compared to the SPDI Rules and would mean Personal Data specifically pertaining to financial information, sexual orientation, caste or tribe, religious or political belief, genetics, etc. Critical Personal Data, absent as a category under the current SPDI Rules, would pertain to matters of Indian national interest.
Under the Draft Bill, a data collector (termed as a data fiduciary) means any person, who determines the purpose and means of processing of Personal Data. The SPDI Rules only covered body corporates and persons within India under its scope as data collector(s). As per the Draft Bill, a new term ‘data processor’ has been introduced to mean any person who processes Personal Data on behalf of a data collector. Further, the Draft Bill, unlike SPDI Rules, proposes to establish a separate authority called Data Protection Authority of India (‘Authority’) which will monitor and enforce the application of the data protection provisions and will have a separate adjudicating wing.
SOME OF THE KEY HEADS UNDER WHICH WE HAVE DISTINGUISHED THE PROPOSED DRAFT BILL VIS-À-VIS CURRENT SPDI RULES ARE LISTED BELOW:
1. Applicability: Presently, SPDI Rules are applicable to the processing of Sensitive Personal Data by the body corporates and persons located within India. The Draft Bill would apply to processing of Personal Data by government, private entities incorporated in India, and also by entities incorporated overseas if their processing is in connection with either the business operations carried out in India or profiling of data provider in India.
2. Grounds for Processing: SPDI Rules allow the Sensitive Personal Data to be processed based on the consent of the data provider, for compliance under law, or if a government agency authorised under the law needs to obtain such information. Under the Draft Bill, both Personal Data and Sensitive Personal Data can be processed based on consent, functions of the state, compliance under law or order of court, prescribed emergencies or any other purpose as specified by the Authority. For Personal Data, it would also include purposes related to employment.
3. Data Provider Rights: Under the SPDI Rules, the data provider has to ensure the accuracy of his Personal Data and has certain rights such as right to review the information provided, right to withdraw consent and right to abstain from giving consent. However, under the Draft Bill, onus to ensure the accuracy of the collected Personal Data will be on the data collector (and not data provider) and the data provider, in addition to the rights given under the SPDI Rules will have the right to confirmation and access, right to data portability and right to be forgotten.
4. Significant Data Fiduciary: Under the SPDI Rules there is no further classification of the data collector. However, under the Draft Bill, the Authority will have the power to classify certain data collectors as significant data fiduciaries based on certain factors such as volume of Personal Data processed, sensitivity of Personal Data processed, turnover of the data collector etc. Further, the Authority at its discretion can subject significant data fiduciaries to some additional obligations such as data protection impact assessment, record keeping, data audits and requirement of a data protection officer.
5. Data Localisation: The SPDI Rules do not have any requirement of storing a serving copy on a server/data centre located within India. However, under the Draft Bill, every data collector is required to store one serving copy of the Personal Data on a server or data centre located within the territory of India. Further, Critical Personal Data will only be processed in a server or data centre located in India.
6. Cross-border Transfer: SPDI Rules allow cross border transfer of Sensitive Personal Data to a third-party provided same level of data protection is maintained by that third party. Further, such cross-border transfer is allowed, if such transfer is necessary for the performance of the contract between the data collector and the data provider or if the data provider has consented to such transfer. The Draft Bill allows the cross border transfer of Personal Data and Sensitive Personal Data where (i) transfer of data is according to standard contractual clauses or intra-group schemes that have been approved by the Authority; or (ii) the Central Government in consultation with the Authority has prescribed a country or section within a country or a particular international organization where such transfers are permissible based on the adequacy of the data protection framework in such country; or (iii) a particular transfer is approved by the Authority on grounds of necessity. Along with (i) and (ii) mentioned above, the data provider’s consent will be required to transfer the Personal Data and Sensitive Personal Data.
7. Adjudication Authority: SPDI Rules and Information Technology Act, 2000, do not prescribe for a separate adjudicating officer or tribunal for matters pertaining to data protection. The Draft Bill proposes to set up an Authority to monitor and enforce the application of the data protection provisions. The Authority will have powers of a civil court and a separate adjudication wing comprising of adjudicating officers. The Draft Bill also proposes to set up an Appellate Tribunal which will have the powers of a civil court.
8. Penalties: The SPDI Rules provide for fines ranging from ~ USD 1,500 to ~ USD 7,000. The Draft Bill proposes inter alia heavy penalties ranging from ~ USD 700,000 or 2% of total worldwide turnover to ~ USD 2.1 million or 4% of the total worldwide turnover.
9. Exemptions: SPDI Rules provide exemption from consent requirement
(i) to a government agency authorised under the law to obtain the Sensitive Personal Data for certain purposes; or
(ii) if there is an order under the law passed for disclosure of information to any third party.
The Draft Bill proposes to provide exemption from the obligations specified in the Draft Bill, if data provider’s Personal Data is processed for the purposes of
(i) national security (pursuant to a law),
(ii) prevention, detection, investigation and prosecution of contraventions of a law,
(iii) legal proceedings,
(iv) personal or domestic purposes, and
(v) journalistic purposes.
The only restriction on data processing for these purposes are those of
(i) processing Personal Data in a fair and reasonable manner, and
(ii) ensuring appropriate security safeguards while processing the Personal Data. Data processing for research purposes may also be exempted to the extent specified by the Authority. Small entities having turnover of less than ~ USD 28,000; manually processing data of less than 100 data providers; and which do not disclose the collected Personal Data to any other individuals/entities, will be exempted from most of the data protection provisions.
Personal Data of citizens needs to be secured and protected while enabling the flow of global data into and from India. The Draft Bill stipulates significant emphasis on demonstration of accountability and re-establishing trust between entities and consumers in the digital ecosystem. It is yet to be seen as to what the Government of India finally proposes as it is still seeking inputs and clarifications from industry experts on certain points especially on the data localisation requirement. Further, as seen from past new enactments, the ultimate test will not be the enactment of the new law but the enforcement of the new law.
For further information, please contact:
Souvik Ganguly, Partner, Acuity Law