The Personal Data Protection Bill, 2019, which is expected to be tabled in the Lok Sabha soon, has many tweaks from the draft Bill of 2018. There are significant grey areas as well, and clauses that remain ambiguous. If this Bill, currently being circulated among Members of Parliament, goes through in its present form, it could mean a significant regulatory burden on large companies. However, smaller companies or start-ups that collect and process personal data could be spared the compliance burden or its costs. And there is some good news for companies that run search engines.
Let's start with the hotly debated clause - data localisation. Real estate and hardware companies can expect a lot more business, since the Bill prohibits the processing of 'sensitive personal data' and 'critical personal data' outside India. While sensitive personal data may be transferred outside India under certain conditions (it requires the explicit consent of the person whose data is being processed), such data must continue to be stored in India. Critical personal data can only be processed in India.
The Bill defines what constitutes sensitive personal data and there is a small deletion from the draft of 2018. In the 2018 Bill, sensitive personal data constituted passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation. The 2019 Bill omits 'passwords' in the sensitive category. Critics of the 2018 draft stressed that even financial data should not be considered sensitive.
There is ambiguity around what would constitute 'critical personal data'. The 2019 Bill says that it "means such personal data as may be notified by the Central Government to be critical personal data".
All personal data that companies collect must be processed with the consent of the user. However, there are exceptions to the rule. Consent may not be required when a data fiduciary (the entity determining the purpose and means of processing of personal data) processes the data for the prevention and detection of any unlawful activity including fraud, whistleblowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, and processing of publicly available personal data, among others. An important addition to this list, missing in the 2018 draft Bill, is 'the operation of search engines'. This should come as a relief to the likes of Google and Microsoft.
Nevertheless, larger companies would also bear a significant compliance burden. Both the 2018 draft and the 2019 Bill define the concept of a 'significant data fiduciary' as distinct from a plain data fiduciary. The Bill states that the Data Protection Authority of India, once established, will notify any data fiduciary or class of data fiduciaries as 'significant' depending on, among other factors, the volume of personal data processed, the sensitivity of the personal data processed, the turnover of the data fiduciary, and the use of new technologies for processing.
When a 'significant data fiduciary' wants to process data involving new technologies or use sensitive personal data such as genetic or biometric data, it needs to undertake a Data Protection Impact Assessment: a detailed description of the proposed processing operation, its purpose, the nature of the personal data being processed, and an assessment of the potential harm that may be caused. This assessment has to be submitted to the Data Protection Authority of India.
The significant data fiduciary also has to appoint a Data Protection Officer - in the 2018 draft, the qualifier 'significant' was missing and all data fiduciaries needed a data protection officer. This could be good news for smaller start-ups, as it would reduce their cost of compliance.
A reading of the 2019 Bill also underlines the immense powers that would be granted to the Data Protection Authority of India. Every data fiduciary, for instance, has to prepare a 'privacy by design policy' that would lay out "the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal". The Authority or an officer authorised by the Authority will certify the policy. Further, the privacy by design policy has to be published on the website of the data fiduciary as well as that of the Authority. In the case of a Data Protection Impact Assessment, if the Authority believes that the processing of data is likely to cause harm, it could direct companies to stop such processing.
"The Bill is a step towards ensuring privacy and protecting data of Indian citizens. However, there are challenges with the present draft," says Kazim Rizvi, Founding Director of The Dialogue, a think tank. "One, Clause 35 allows the government to exempt any agency from the applicability of the act in the name of national security. That primarily allows blanket surveillance opportunity to any agency as may be prescribed by the government," he says.
"Two, Clause 91 talks about the government demanding that companies provide anonymised personal or non-personal data for planning purposes. This will open the door for access without checks and balances and might discourage investment if companies are asked to reveal their insights in the name of planning. Third, restrictions on the flow of critical personal data and sensitive personal data amount to localisation, which will have a major economic impact on the country. Further, this bill also does not provide any judicial oversight on the Data Protection Authority, and no provisions have been included which make the DPA autonomous," Rizvi adds.