Personal Data Protection Bill 2019: an ambiguous initiative or a compliance nightmare


Salman Waris
TechLegis Advocates & Solicitors, New Delhi
salman.waris@techlegis.com
The Personal Data Protection Bill, 2019 ('the Bill') was introduced in India’s parliament on 11 December 2019. It seeks to protect individuals’ personal data and proposes the establishment of a Data Protection Authority to implement this protection. Nevertheless, the numerous terms and concepts left undefined in the draft legislation, together with its complicated consent requirements, could make implementing the new legislation a nightmare for companies. The Bill is currently in the final stages of parliamentary review, being examined by a Joint Parliamentary Committee. It is unclear when the new law will be enacted and in what form.

The highlights of the Bill

The Bill is based on the concepts of consent, purpose limitation, limits on storage and the minimisation of data. It requires the data fiduciary to collect only the data required for specific purposes, and only after obtaining the express consent of the data principal. The Bill also confers on the data principal the rights to obtain their personal data and to correct, update and erase it, as well as the right to move their data to other fiduciaries and to restrict or prevent its disclosure. Another important feature of the Bill is that an individual has a ‘right of grievance’ against the data fiduciary and can approach the Data Protection Authority of India, an organisation which is to be established under this Bill.

The Data Protection Authority of India ('the Authority') is to consist of a chairperson and up to six full-time members to be appointed by central government. The Bill also allows for the establishment of an appellate tribunal to deal with any appeals from the Authority.

The Bill contains a provision for social media intermediaries whose actions have a significant impact on electoral democracy, state security, public order, or the sovereignty and integrity of India. It empowers the central government to notify such an intermediary as a significant data fiduciary. The Bill also contains penal provisions for contraventions such as personal data breaches and failure to protect data. Finally, the Bill empowers the Authority to set up a ‘code of practice’ to promote good practices in data protection and facilitate compliance with the terms of the new legislation.

Issues of concern and ambiguities

According to its statement of objects and reasons, one of the salient features of the Bill is that it provides for the central government, in consultation with the Authority, to notify a ‘social media intermediary whose actions have significant impact on electoral democracy, security of the state, public order or the sovereignty and integrity of India’ as a significant data fiduciary. This is a newly added aspect and will have significant regulatory implications for such entities, as all the provisions and obligations applicable to a ‘significant data fiduciary’ would then apply to entities such as Facebook, Twitter or WhatsApp, should the Indian government decide to designate them as such.

The Bill requires the data fiduciary to obtain certification of its privacy by design policy from the Authority. Such provisions will impose an unnecessary compliance burden on companies and hinder the ‘ease of doing business’ that is much needed to boost the IT sector in the current economic climate.

Under the current draft, section 92 states that no data fiduciary shall process such biometric data as may be notified by the central government, unless such processing is permitted by law. This provision is ambiguous: it bars the processing of certain forms of biometric data, but which types of biometric data can or cannot be processed is left unclear and dependent on notification by the central government.

This could lead to regulatory confusion and complicate matters for companies that handle biometric data or manufacture devices that depend on processing biometrics, such as phones, voice-recognition or voice-operated devices and appliances, and IoT technology. It could also adversely affect the fintech and banking sectors, which use biometrics as a means of customer authentication. However, the provision permits the processing of any biometric data that is specifically permitted by law, such as under the Aadhaar Act, 2016.

Several crucial aspects of the actual working and implementation of the legislation therefore remain ambiguous and are to be decided by the Authority once it has been established. Under the current scheme, enforcement of the law will be entrusted to the Authority, which will carry the heavy burden of drafting and implementing secondary legislation setting common ground rules for all data fiduciaries. The aspects left undefined and unclarified to date include:

• categories of critical personal data;

• standards relating to commercially accepted or certified standards;

• standards relating to privacy by design policy;

• guidelines relating to auditing; and

• guidelines on data breach disclosure to the Authority.

Moreover, the current draft Bill sets no official timetable for the establishment of the new Authority or the commencement of its operations. Even if the Bill passes, going by existing standards, it can be expected to take another year before the required secondary legislation is drafted and enforced.

Some other questions that arise relating to storage and processing of personal data include:

• What happens if a data principal will not give explicit consent for a data transfer outside of India? What happens if the data principal is a foreign national?

• If a company operates using critical personal data of data principals who are non-Indian nationals, how will the Government of India restrict its processing and storage to Indian territory?

• If an Indian company, such as a call centre, processes personal data exclusively subject to European Union GDPR compliance, and the processing and storage of that personal data is performed through European infrastructure, will these operations fall under the jurisdiction of the current Indian Bill?

Conclusion

While the present legislative endeavour may be perceived as light at the end of a long tunnel of regulatory flux, the many critical issues and remaining ambiguities will greatly influence the architecture of processing and storage systems, especially databases, where a large amount of work will be needed to identify the different types of data. It may in any case be too little too late: the government has taken so long to introduce this Bill that it has lost the initiative, and technological developments have already changed the techno-legal landscape. Early signs that the government acknowledges this can be seen in its announcement of a separate Committee of Experts on Non-Personal Data (Community Data) under the chairmanship of Shri Kris Gopalakrishnan, which will deliberate on a data governance framework. By the time companies have worked out how to reconfigure their systems to comply with the Bill and the subsequent regulations published by the Authority, further legislation regulating non-personal data/community data will be in place, requiring companies to undertake yet more reconfiguration exercises.