ANALYSIS OF DATA PROTECTION BILL

INTRODUCTION:-

The Personal Data Protection Bill, 2019 (the "2019 Bill") was introduced in the Lok Sabha on
December 11, 2019 by the Ministry of Electronics and Information Technology. The 2019 Bill is
proposed to be further examined and reviewed by a joint parliamentary committee before being
tabled before the Lok Sabha.

The 2019 Bill is broadly based on the principles of the General Data Protection Regulation,
2016 (the "GDPR") and the landmark judgment of the Supreme Court of India in Justice K.S.
Puttaswamy (Retd.) & Anr v Union of India, wherein the right to privacy was upheld as a
fundamental right under the Indian Constitution.

The 2019 Bill intends to protect the privacy rights of individuals with respect to their personal
data and governs and regulates the organizations processing such personal data.

The 2019 Bill has been formulated largely in line with the provisions of the Draft Personal Data
Protection Bill, 2018 (the "2018 Bill") which was released on July 27, 2018 along with the report
by the Committee of Experts under the chairmanship of Justice B.N. Srikrishna (the "Report").

The 2019 Bill has brought in certain crucial additions and revisions to the 2018 Bill; however,
certain concerns that were heavily debated and discussed under the 2018 Bill are yet to be
addressed.

KEY OBSERVATIONS:-

While we await the 2019 Bill to be tabled before the Parliament, we are examining its key
provisions below:

Applicability of the Bill:

Under the provisions of the Report, an exception based on the principles of territoriality had
been recommended. The Report stated that any entity located in India and only processing
personal data of foreign nationals not present in India may be exempted from the application of
the Bill by the Central Government. This exception was not included under the 2018 Bill. The
lack of such an exemption made the scope and applicability of the 2018 Bill more over-reaching
than the GDPR.

The 2019 Bill allows the Central Government to exempt from the application of the 2019 Bill the
processing of personal data of data principals not within the territory of India, pursuant to any
contract entered into with any person outside the territory of India, including any company
incorporated outside the territory of India, by any data processor incorporated under Indian law.
However, until the Central Government notifies such an exemption, its benefit is not available.

This is a welcome addition to the draft 2018 Bill, given that it benefits the outsourcing industry
and facilitates cross-border processing of data by group companies. This exemption from
applicability is also in keeping with a similar notification issued by the Ministry of
Communications & Information Technology, dated April 24, 2011, under the current regulatory
framework on data privacy. It was not available under the 2018 Bill, which had sparked
discussions and queries from companies that have similar cross-border contractual arrangements.

Further, under the 2018 Bill, the term 'any business that is carried out in India', used in
connection with the exercise of jurisdiction over any data fiduciary or data processor not located
within India, is vague and lacks specificity. Even the 2019 Bill does not provide any clarity
with respect to the above provision. Therefore, to tighten the scope of the 2019 Bill and bring
in more specificity with respect to its applicability, the above term should have been
specifically defined, or an explanation of the same should have been provided.

Definition of Personal Data:

The definition of 'personal data' under the 2019 Bill has been considerably broadened to read as
"personal data means data about or relating to a natural person who is directly or indirectly
identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity
of such natural person, whether online or offline, or any combination of such features with any
other information, and shall include inference drawn from such data for the purpose of
profiling."

Under the 2018 Bill, personal data had been defined to mean "data about or relating to a
natural person who is directly or indirectly identifiable, having regard to any characteristic, trait,
attribute or any other feature of the identity of such natural person, or any combination of such
features, or any combination of such features with any other information."

The expansion of the definition of personal data is undoubtedly a welcome measure, as it
broadens the ambit of the 2019 Bill and, in turn, strengthens the privacy rights of data principals.
Further, the definition now additionally covers any inference drawn from personal data for the
purpose of profiling, since such inference typically leads to the indirect identification of a natural
person.

This is important because certain entities using modern technologies carry on targeted online
advertising and use an individual's online activities and patterns to customize their
advertisements. Although data gathered from one's online activities may not be capable of
identifying a person individually, when taken collectively or in combination with other
characteristics it may result in identifying a person.

Amended Definition of Sensitive Personal Data:

Although the definition of sensitive personal data has largely remained the same, a conscious
decision to remove 'passwords' from that definition has been made under the 2019 Bill. This
seems to be an effort on the part of the government to streamline the definition of sensitive
personal data in line with international standards and legislations.

This was also the need of the hour, since entities that may not be processing sensitive personal
data per se also had to meet the higher degree of compliance associated with such data, merely
by virtue of providing password-protected access to their services in order to afford enhanced
data security to their users.

Foreign companies and multinational companies may now find it easier (in comparison with the
onerous compliance requirements under the 2018 Bill with respect to sensitive personal data) to
comply with the provisions of the 2019 Bill, as the stringent provisions pertaining to sensitive
personal data will not be applicable to passwords.

Having said that, the 2019 Bill has retained financial data under the definition of sensitive
personal data, which may still prove to be burdensome for foreign entities with respect to the
stringent compliance requirements for sensitive personal data under the 2019 Bill.

Under the 2018 Bill, the Central Government had the sole and exclusive power to notify certain
other types of personal data as sensitive personal data. Under the 2019 Bill, the Central
Government is now required to consult with the Authority before notifying certain other types of
personal data as sensitive personal data.

Another welcome change under the 2019 Bill is that, while the Central Government can specify
categories of personal data as sensitive personal data, it cannot expand the grounds of
processing, unlike under the 2018 Bill. To serve the objective and intent of the 2019 Bill in prescribing
different levels of obligations and compliance for personal data and sensitive personal data, it is
important for the Central Government and the Authority to exercise caution while notifying any
personal data as sensitive personal data.

Grounds of Processing of Personal Data:

The 2018 Bill stated that personal data may be processed if such processing is necessary for
any function of the Parliament or any state legislature. The 2019 Bill has deleted this provision
and limited the processing of personal data without the consent of the data principal to the
provision of any service or benefit to the data principal by the State, or the issuance of any
certification, licence or permit for any action or activity of the data principal by the State, with
respect to the functions of the State authorized by law.

The 2018 Bill stated that personal data can be processed, without consent, for certain
reasonable purposes as may be specified by the Authority. The reasonable purposes the
Authority may specify include the prevention and detection of any unlawful activity including
fraud, whistle-blowing, mergers and acquisitions, network and information security, credit
scoring, recovery of debt, and processing of publicly available personal data.

The 2019 Bill has broadened the ambit of 'reasonable purposes' by adding 'operation of search
engines' to the list, which subject to certain conditions may be notified as a reasonable purpose.
Therefore, personal data may be processed without the consent of the data principal for the
purpose of operations of search engines.

Although the extent and scope of permissible processing of personal data under this head will
be dictated by the regulations, this will, in all likelihood, be seen as a welcome move by
companies operating search engines who would have been otherwise unduly burdened by
compliance requirements to obtain consent of data principals – that could hinder the efficiency
of their service.

Additional Rights of Data Principal:

The 2019 Bill provides the data principals with 2 (two) additional rights with respect to their
personal data:

(a) The right to access in one place the identity details of the data fiduciaries with
whom their data has been shared:

Although this provision seems to have been enacted so that data principals have information
about, and access to, the data fiduciaries with whom their personal data has been shared or stored,
it is not clear who would have the details of all the data fiduciaries with whom the personal
data of the data principals has been shared.

This becomes particularly relevant in arrangements where the data needs to be shared among
multiple data processors at different points in time. Further, as of now there seems to be no
clarity with respect to the manner in which this right shall be implemented under the 2019 Bill or
who would take responsibility for the same.

(b) The right to data erasure. 

Although this new right of erasure of personal data on request has explicitly found its way into
the 2019 Bill, the 2018 Bill already imposed an obligation on the data fiduciaries to delete
personal data once the purpose for which the same had been collected was achieved.

Privacy by Design Policy:

Under the 2018 Bill it was unclear whether a data fiduciary is required to have a separate
privacy policy (as currently required under the data privacy framework prescribed by the
Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011). The 2019 Bill has removed the above ambiguity
and has expressly stated that a data fiduciary is required to formulate a privacy by design policy
("Privacy Policy") that ensures that:

(a) Managerial, organizational, business practices and technical systems are designed in a
manner to anticipate, identify, and avoid harm to the data principal;

(b) The obligations of data fiduciaries;

(c) The technology used in the processing of personal data is in accordance with commercially
accepted or certified standards;

(d) The legitimate interests of businesses including any innovation is achieved without
compromising privacy interests;

(e) The protection of privacy throughout processing from the point of collection to deletion of
personal data;

(f) The processing of data is in a transparent manner; and

(g) The interest of the data principal is accounted for at every stage of processing of personal
data.

The 2019 Bill further states that the data fiduciary may submit its Privacy Policy to the Authority
for certification in the manner as may be prescribed. Further, the 2019 Bill also requires the
data fiduciaries to display the certified Privacy Policy on their websites.

New recognized categories of Data Fiduciaries:

Consent Managers:

The 2019 Bill has introduced the concept of 'consent managers', which are data fiduciaries
enabling data principals to manage their consent given to other data fiduciaries ("Consent
Managers"). Under the 2019 Bill the data principals can either give or withdraw their consent
either by themselves or through these Consent Managers.

The 2019 Bill states that the Consent Managers are required to register with the Authority, but
does not provide any further clarity with respect to who is required or permitted to register as
Consent Managers, or the manner in which consent of the data fiduciaries will be managed by
such Consent Managers.

Further, since the 2019 Bill designates Consent Managers as data fiduciaries, the Consent
Managers will also be required to comply with the provisions of the 2019 Bill. Additionally, the
Consent Manager is expected to manage consents through an interoperable platform.

It is not clear how such interoperability can be achieved, technically and operationally,
specifically taking into account the requirement for informed, specific and clear consent,
without jeopardizing the ability of each independent data fiduciary to safeguard details of its
business offering from other data fiduciaries (including its competitors registered as Consent
Managers).

Social media intermediaries:

The 2019 Bill also introduces the concept of 'social media intermediaries'. Social media
intermediary has been defined under the 2019 Bill to include "an intermediary who primarily or
solely enables online interaction between 2 (two) or more users and allows them to create,
upload, share, disseminate, modify or access information using its services but shall not include
intermediaries which primarily: (a) enable commercial or business oriented transactions, (b)
provide access to the Internet, (c) in the nature of search engines, online encyclopedia, email
services or online storage services".

In light of the growing concerns surrounding the effect of social media platforms on free and fair
elections reaching fever pitch, especially in the West, and the spread of fake news all over
the world, the 2019 Bill gives the Central Government the power to notify any social media
intermediary as a significant data fiduciary. Significant data fiduciaries are subjected to more
onerous responsibilities, such as audits, maintenance of records, data protection impact
assessments, and appointment of data protection officers.

Further, every significant data fiduciary shall enable users who register their service from India,
or use their services in India, to voluntarily verify their accounts. The voluntary verification of
accounts shall be provided with a demonstrable and visible mark of verification, which shall be
visible to all users of service.

Although such profile verification may curb the spread of fake news and drive greater
accountability, it may increase the operational cost for such social media intermediaries, as they
would now be required to implement a mechanism that enables a user to verify his or her profile.
Further, there is no clarity on what documents will be accepted for the purpose of verification
and what consequences (if any) will follow from this verification.

In light of the above provision, the Central Government should be cautious before notifying
social media intermediaries as significant data fiduciaries and should notify only those social
media intermediaries as significant data fiduciaries that meet the relevant criteria prescribed
under the 2019 Bill.

Restriction on Cross-Border Transfer of Personal Data:

The 2019 Bill has done away with the requirement of data localization (that is, the requirement
of every data fiduciary to store 1 (one) serving copy of the personal data on a server or data
center that is located within the territory of India). While this is a welcome move in the interest of
ease of doing business and permitting global companies to transfer and process personal data
across different jurisdictions, the 2019 Bill still mandates storing a copy of sensitive personal
data in India.

While the relaxation of the data localization norms with respect to personal data would mean a
reduction in operational costs for quite a few organizations/companies that don't process
sensitive personal data, the retention of localization requirements for sensitive personal data
under the 2019 Bill is likely to draw criticism again from stakeholders.

This becomes particularly relevant considering that the Authority has the right to expand the
scope of data that will be treated as sensitive personal data under the 2019 Bill (please refer
above). The 2019 Bill has also laid down certain conditions based on which sensitive personal
data can be transferred outside India.

Further, with respect to the definition of 'critical personal data', the 2019 Bill remains silent, as
was the case under the 2018 Bill. It is important that the 2019 Bill or accompanying regulations
clearly define the term critical personal data or provide guiding principles for its determination, to
avoid confusion and misrepresentation. However, the 2019 Bill now allows 'critical personal
data' to be transferred outside India (previously prohibited under the 2018 Bill) only where the
transfer is:

(a) To a person or entity engaged in the provision of health services or emergency services
where such transfer is necessary for prompt action; or

(b) To a country or any entity or class of entity in a country, or to an international organization,
where the Central Government has deemed such transfer to be permissible, and where such
transfer, in the opinion of the Central Government, does not prejudicially affect the security and
strategic interest of the State.

The first ground on which transfer of critical personal data is allowed is commendable, as it
keeps society's best interests in mind. However, allowing the transfer of critical personal data solely
because the Central Government deems it permissible is too vague and seeks to grant
unfettered powers to the Central Government, which was one of the primary reasons for the
need to revise the existing regulatory framework relating to data privacy.

Exemption for Government agencies:

The 2019 Bill gives the Central Government the power to exempt any governmental agency
from complying with the provisions of the 2019 Bill where it is deemed necessary or
expedient in the interest of the sovereignty and integrity of India, security of the country, friendly
relations with foreign states, public order, or in order to prevent incitement to the commission of
any offence relating to any of the above.

The above power vested with the government is very broad, leaving scope for misuse and
misinterpretation of the same.

Creation of a Sandbox:

The 2019 Bill requires the Authority to create a sandbox for the purpose of encouraging
innovation in artificial intelligence, machine learning or any other emerging technology in the public
interest. Entities included in the sandbox will be exempted from complying with certain
requirements of the 2019 Bill.

Data fiduciaries who have obtained certification of their Privacy Policy shall be eligible to apply
for being included in the sandbox, subject to certain additional conditions as provided under the
2019 Bill.

The term for which a qualifying data fiduciary seeks to utilize the sandbox cannot exceed 12
(twelve) months and cannot be renewed more than twice, thus resulting in a maximum time
frame of 36 (thirty-six) months cumulatively.

Selection Committee:

The composition of the Selection Committee with respect to recommending the appointment
of the Authority has been considerably revised under the 2019 Bill. As per the provisions of the
2018 Bill, the Selection Committee was to comprise (a) the Chief Justice of India or a judge of the
Supreme Court, (b) the Cabinet Secretary, and (c) an expert nominated by the Chief Justice of
India or by the judge of the Supreme Court.

As per the provisions of the 2019 Bill, the judicial representation on the Selection Committee
has been done away with, and the Selection Committee comprises only (a) the Cabinet Secretary,
who shall be the chairperson, (b) the Secretary to the Government of India in the Ministry or
Department dealing with legal affairs, and (c) the Secretary to the Government of India in the
Ministry or Department dealing with electronics and information technology.

Excessive Liability:

The 2018 Bill imposed excessive liability on the directors of a company or the officers in charge
for the conduct of the business of the company at the time of commencement of the offence,
which seemed to be a draconian measure as even most international data protection
legislations such as GDPR do not provide for such stringent liability.

There was also a lack of clarity under the 2018 Bill with respect to (a) the quantum of fine that is
to be imposed on directors and officers in charge (i.e. whether the same quantum of fine will be
imposed on directors and officers in charge as may be imposed on the company) and (b) the
nature of liability imposed inter se between a data fiduciary, data processor, or between multiple
data processors in case of data breach.

The abovementioned lacunae remain unanswered and unclear even under the provisions of the
2019 Bill.

Code of Practice & Transitional Provisions:

The 2018 Bill had certain additional provisions with respect to code of practice that have been
eliminated from the 2019 Bill. Namely, it is no longer mandated for the Authority to issue codes
of practice outlining good practices of data protection or for the Authority to make such codes of
practice publicly available on its website.

The 2019 Bill has also done away with provisions allowing the Authority or any court, tribunal
or statutory body to take into account non-compliance with a code of practice by any data fiduciary or
processor while determining whether such data fiduciary or processor has violated the
provisions of the 2019 Bill.

Another important factor to note is that while the 2018 Bill had an entire chapter dedicated to
'transitional provisions' that provided for phased implementation of the provisions, the 2019 Bill
has made a significant departure from this approach. This implies that the 2019 Bill will come
into effect on such date(s) as notified. This may prove to be particularly burdensome given the
limited time to effectively meet all the expectations and obligations set out under the 2019 Bill.

Government's use of anonymized data:

A key addition to the 2019 Bill is that the Central Government may direct any data fiduciary or
data processor to provide any anonymized personal data or other non-personal data to enable
better targeting of delivery of services or formulation of evidence-based policies by the Central
Government.

While the 2019 Bill has relaxed some of the stringent provisions found under the 2018 Bill, such
as the obligation of data localization, it also seems to dilute a few of the salient features of a law
that aims to protect the privacy rights of data principals.

Keeping in mind the growing needs of the digital economy, having a regulatory sandbox in place
may be the need of the hour; however, providing the government with unregulated and broad
powers to exempt government agencies from the provisions of the 2019 Bill in certain
circumstances may defeat the purpose of the 2019 Bill and jeopardize an individual's
fundamental right to privacy.

As mentioned above, the 2019 Bill is still to be reviewed by the Joint Parliamentary Committee
and the shortfalls will hopefully be addressed before the same is finalized and brought into
effect. The 2019 Bill is expected to have a far-reaching impact on Indian businesses and
multinational corporations doing business in India.