India’s Personal Data Protection Bill (2019) from an employment law perspective


Avik Biswas
Induslaw, Bangalore
avik.biswas@induslaw.com

Rithika Reddy
Induslaw, Bangalore
rithika.reddy@induslaw.com

Introduction

The Winter Session of the 2019 parliament included the introduction of The Personal Data Protection Bill, 2019 (2019 Bill),[1] which many saw as a seminal leap towards the recognition of data privacy and security issues in India. While the existing law[2] does provide a certain amount of protection to personal data, the 2019 Bill offers a much-needed comprehensive regulatory framework and even seeks to establish an adjudicatory body for individuals to file complaints relating to breaches of their rights under the 2019 Bill. To date, the 2019 Bill has been referred to a Joint Parliamentary Committee of both Houses of Parliament for further examination.

Personal data and sensitive personal data

The 2019 Bill draws a sharp distinction between personal data and sensitive personal data. Personal data has been defined as ‘data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.’[3] Sensitive personal data, which is a subset of personal data, has been defined to include financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation,[4] or any other data categorised as sensitive personal data by central government, in consultation with the Data Protection Authority (Authority).

Summary of rights and duties under the 2019 Bill

Typically, when data is collected from an individual or ‘data principal’, there are certain obligations imposed on the ‘data fiduciary’ or individual/entity that collects the data. A short summary of the key duties imposed on data fiduciaries is reproduced below:

• data can only be processed for specific, clear and lawful purposes, in a manner that ensures the privacy of the data principal, and only for the purpose consented to by the data principal;

• every data fiduciary shall give the data principal a notice, at the time of collection of personal data, or shortly thereafter, consisting of the purpose for data collection, the nature and category of data being collected and other such particulars;

• the data principal’s consent is required before processing of personal data by the data fiduciary;

• the data principal’s explicit consent is required before processing of any sensitive personal data;

• the data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing;

• explicit consent is required for transfer of sensitive personal data outside of India.

The data principal has the following rights:

• confirmation on whether the data fiduciary is processing or has processed the data principal’s personal data;

• the right to obtain the personal data being processed or that has been processed by the data fiduciary;

• a brief summary of processing activities undertaken by the data fiduciary with respect to the data principal’s personal data.

Processing of personal data: the exception for employment purposes

According to the 2019 Bill, the general rule is that consent is necessary to process an individual’s personal data and explicit consent is necessary to process an individual’s sensitive personal data. There are, however, several exceptions to this rule, one of them being that personal data (except for sensitive personal data) may be processed without consent for purposes relating to employment. The specific situations which are anticipated under this exception are:

• recruitment or termination of employment of a data principal by the data fiduciary;

• provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary;

• verifying the attendance of the data principal who is an employee of the data fiduciary; or

• any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.

The 2019 Bill also provides for the processing of personal data (not being sensitive personal data), where the consent of the data principal is not appropriate having regard to the employment relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing.

While the exemptions for employment purposes have certainly been well received by industries across various sectors, critics have also warned of far-reaching consequences from the misuse of these exemptions. For instance, the Chandigarh Municipal Commissioner, Mr K K Yadav, introduced the concept of GPS watches that were to be worn by all government employees during working hours. According to news reports,[5] the decision to introduce the watches was taken after the Commissioner found that several employees regularly absented themselves from work and found ways to misuse and flout the manual attendance system that was already in place. While the intent may be to increase operational efficiency, the move has been seen by many to be humiliating and demeaning for employees. Such an exercise would qualify under the exceptions envisaged by the 2019 Bill, with no recourse left open to the employees.

The primary concern, understandably, is the unequal bargaining power that lies in the hands of the employer, with employees often feeling that they may have no choice other than to consent to such requests from employers.

Legal recourse for breaches under the 2019 Bill

While the 2019 Bill makes it mandatory for all data fiduciaries to designate an officer to handle grievances,[6] the Data Protection Authority is really the institution that serves to protect data principals. The Authority also has the power to conduct an inquiry either suo moto or on the basis of a complaint received by it, if it has reasonable grounds to believe that: (a) the activities of the data fiduciary or data processor are being conducted in a manner which is detrimental to the interest of data principals; or (b) any data fiduciary or data processor has contravened any of the provisions of this Act or the rules or regulations made thereunder, or any direction of the Authority.[7]

With respect to the employment context, employees have an additional remedy at their disposal with respect to breaches of the 2019 Bill: Whistle Blower Policies. In India, The Companies Act, 2013 makes it mandatory for the Board of Directors of every listed company to constitute an Audit Committee.[8] The Audit Committee has the power to investigate any matter referred to it by the Board of Directors. Additionally, The Companies Act, 2013 also orders that every listed company or such class of companies as may be prescribed[9] shall establish a vigil mechanism for directors and employees to report genuine concerns.[10] Even though such safeguards are mandated for listed entities, most private entities have also followed suit and enacted such vigil mechanisms and whistleblower policies.

In the face of a whistleblower’s complaint, however, it is possible that the Authority could take suo moto cognisance of a matter if it is of such magnitude that it would warrant the Authority’s interference. If the Authority chose to conduct an inquiry into such a complaint, it could mean that the company in question faces parallel proceedings; an external inquiry by the Authority and an internal one by the Audit Committee or other such body dealing with whistleblower’s complaints. Also, it is important to note that whistleblower complaints need not necessarily mean that the complainant is aggrieved; it is sufficient if the complainant establishes that a violation of any law or company policy has been committed by the company in question. This is in stark contrast to the remedies envisaged by the 2019 Bill, wherein the aggrieved person must necessarily file the complaint, either before the designated officer or before the Authority.

Conclusion

A breach of privacy and personal data rights can often have far-reaching consequences. A prime example of this is the Cambridge Analytica scandal, where the data of millions of US citizens was allegedly purchased without their knowledge to build a ‘psychological warfare tool’. It is pertinent to note that the true magnitude and gravity of the scandal only came to light with the help of a whistleblower who submitted various internal documents that helped confirm Cambridge Analytica’s role in the matter. While the introduction of The Personal Data Protection Bill, 2019 is a step in the right direction, only time will tell how some of the provisions, especially the ones relating to the employment exception, will play out.



Notes

[1] The Bill was the successor to the Personal Data Protection Bill, 2018 (2018 Bill). While the 2019 Bill updated certain provisions, taking into account public comments, most elements of the 2018 Bill remained intact in the 2019 Bill, including the provisions relating to employment.

[2] Existing legislation relating to personal data is encapsulated in The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[3] Section 3 (28) of the 2019 Bill.

[4] Section 3 (36) of the 2019 Bill.

[5] ‘Chandigarh MC field staff get GPS-enabled wrist watches’, Hindustan Times, 4 February 2020, available at: www.hindustantimes.com/chandigarh/chandigarh-mc-field-staff-get-gps-enabled-wrist-watches/story-aSzXKNBOs87nLmVl6QISjN.html, last accessed 23 April 2020.

[6] Section 32 of the 2019 Bill.

[7] Section 53 of the 2019 Bill.

[8] Section 177 of the Companies Act, 2013.

[9] Companies accepting deposits from the public and companies which have borrowed money from banks and public financial institutions in excess of INR500m (approx US$6.6m) or more also fall within the ambit of this rule.

[10] Clause 49 of the Listing Agreement that is entered into by Companies before being listed on the Stock Exchange, also states that companies may establish a whistleblower policy to report unethical behaviour.