
DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY

LEGISLATIVE DRAFTING
SEMINAR PAPER ON

ANALYSIS OF PERSONAL DATA PROTECTION BILL, 2018

Submitted for the seminar paper undertaken in the partial fulfilment of the B.A.LLB (Hons) 5-year integrated course at Dr. Ram Manohar Lohiya National Law University, Lucknow.

UNDER THE GUIDANCE OF
MS. ANKITA YADAV
ASSISTANT PROFESSOR (LAW)
Dr. RMLNLU

SUBMITTED BY
APOORWA VERMA
ENROLL. NO. 140101037
SEC-A, 9TH SEM
B.A.L.L.B (HONS)

1|Page
ACKNOWLEDGEMENT

I want to express my sincere thanks towards my teacher, Ms. Ankita Yadav, for her guidance and support as and when needed while making this seminar paper. She has helped me in removing the errors and in making the necessary corrections so as to give the paper its final shape. She has guided me in a supportive manner which enabled me to make progressive research and complete my seminar paper work.

I would also like to express my gratitude towards my seniors, who have helped me in the best possible way. My batchmates and faculty members also deserve a special mention in this regard for their constant help in various ways. I am thankful to everyone who has spent their precious time in helping me with my paper. This work could not have been accomplished without their help.

TABLE OF CONTENTS

PART-I

1. Introduction
2. Existing Data Protection Framework in India
3. Need for revamping the Data Protection Framework in India
4. Proposed Data Protection Framework for India

PART-II

5. Key Features of the Bill
6. Applicability and Purpose
7. Data Protection Obligations
8. Categories of Data
9. Grounds for processing Personal Data and Sensitive Personal Data
10. Processing of Personal Data and Sensitive Personal Data of Children
11. Rights of Data Principal
12. Cross Border Transfer of Personal Data
13. Data Protection Authority
14. Exemptions
15. TRAI Recommendations and the Personal Data Protection Bill, 2018

PART-III

16. Important Observations
17. Suggestions
18. Conclusion
19. Bibliography

1. INTRODUCTION

The 21st century has been described as the 'information age' because of the extensive use of information, with almost everyone constantly connected to the internet. The analysis of large and complex sets of data has become a specialised science called 'Big Data' analytics, providing previously unavailable insights to alleviate societal problems in areas such as health, food security, transport and urban planning. Governments of the day are launching specialised programmes focused on this digital revolution, such as the Government of India's 'Digital India' initiative.

With nearly 450 million Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market for global players. While the transition to a digital economy is underway, the processing of personal data has already become omnipresent. The reality of the digital environment today is that almost every single activity undertaken by an individual involves some sort of data transaction or the other. Some of the largest companies in the world today are data driven. The Internet has given birth to entirely new markets: those dealing in the collection, organization and processing of personal information, whether directly or as a critical component of their business model. "Uber", the world's largest taxi company, owns no vehicles; "Facebook", the world's most popular media owner, creates no content; "Alibaba", the most valuable retailer, has no inventory; "Airbnb", the world's largest accommodation provider, owns no real estate.

Both the public and the private sector are engaged in amassing personal data, which seems to be generated ceaselessly. While there are justifiable uses that are vastly beneficial, such centralization of data, profiling of individuals and increased surveillance has led to concerns relating to the erosion of individuals' privacy, the ability to influence the public decision-making process, and national security.1

Various countries have over the years been trying to formulate strategies to counter or control the negative effects of this digital aggregation. The EU has adopted a rights-based approach to privacy where the personal privacy of an individual is the central pillar of the protection regime. The US, being a laissez-faire culture, has mainly focused on the individual's right to be left alone by the State, and thus its legislation has concerned personal information processed by the government, while the processing of personal information by the private sector has been left open through a notice-and-choice model. China, on the other hand, has adopted a centrally dominant model where personal information has been perimetered within the country through legislation on grounds of national security.2

1 Amba Kak, The Emergence of the Personal Data Protection Bill, 2018 (October 3, 2018, 4:00 PM), https://www.epw.in/journal/2018/38/commentary/emergence-personal-data-protection-bill.html.

2. EXISTING DATA PROTECTION FRAMEWORK IN INDIA

In India too, the digital era has triggered concerns about data protection. To mitigate privacy and national security concerns, the Indian legislature and governments have over the years passed some specific laws in this regard:

General Application: Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011

Govt. Collection of Data: Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016; Aadhaar (Data Security) Regulations, 2016

Banking Sector: Credit Information Companies (Regulation) Act, 2005; Credit Information Companies Regulations, 2006; circulars of the Reserve Bank of India including KYC circulars; Master Circulars on credit cards, etc.; Master Circulars on Customer Services; Code of Bank's Commitment to Customers

Telecom Sector: Unified License Agreement issued to telecom service providers by the Department of Telecommunications; Telecom Commercial Communication Preference Regulations, 2010

Healthcare Sector: Clinical Establishments (Central Government) Rules, 2012; Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002

It may appear that the aforesaid data protection regime in India is similar in scope to the US data protection regime, as it is applicable to specific sectors with a target audience. Having said that, the core differentiator is the fact that in the US the data protection laws are focused on 'protection from the State' and mostly do not apply to the private sector, while in India such a distinction is not present and the principal driver seems to be protection of data simpliciter, applicable equally to the public and private sector.

2 Ibid.

3. NEED FOR REVAMPING THE DATA PROTECTION FRAMEWORK IN INDIA

While the aforesaid specific legislations exist, the complexity, dynamism and all-encompassing
reach of the digital revolution require a far more comprehensive regulatory regime to mitigate
the concerns that are ever present.

Essentially, it appears that there were three main drivers for revamping the existing data
protection framework in India:

a. Justice Puttaswamy judgment: A nine-judge bench of the Supreme Court of India delivered a landmark judgment in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors. 2017 (10) SCALE 1,3 wherein it was held that the right to privacy is an intrinsic part of the fundamental right to life and personal liberty under Article 21 (in particular, and of all fundamental rights in Part III which protect freedoms in general) of the Constitution of India. It was held that the Constitution of India must evolve with the circumstances of time to meet the challenges thrown up in a democratic order governed by the rule of law, and that the interpretation of the Constitution of India cannot be frozen in the perspectives present when it was adopted. The Supreme Court acknowledged that the concept of the right to privacy has evolved from the basic right to be let alone to a range of negative and positive rights. The Court recognised 'informational privacy' as an important aspect of the right to privacy that can be claimed against state and non-state actors, but such a right is not an absolute right and may be subject to reasonable restrictions. Further, the Court has laid down a test to limit the possibility of the State clamping down on the right, i.e., such an action must be sanctioned by law, it must be necessary to fulfil a legitimate aim of the State, the extent of the State's interference must be 'proportionate to the need for such interference', and there must be procedural safeguards to prevent the State from abusing its power.

b. State's duty to protect national security: India is a vast country with multiple cultures, religions and linguistic diversity, and such diversity presents its own challenges for the State. This is further complicated by its geo-political location, due to which India has ranked third on the list of countries suffering from terror attacks. For tackling the internal and external security challenges, the State necessarily needs to have the ability to engage in real-time surveillance of its data subjects if the need arises. For such surveillance to be effective, the State must have the ability to access the data centres; however, in today's digital world, the physical site of the data may be outside India.4

c. India's prowess in IT enabled services: India had a 55% share of the US$185-190 billion global outsourcing business in FY18. With the advent of the General Data Protection Regulation in the EU w.e.f. May 25, 2018, transfer of data from the EU to a non-EU country will need either (i) to pass the adequacy test, or (ii) to be in accordance with standard contractual clauses offering enough safeguards in relation to the data. Although the transfer of data from EU nations at present is being undertaken under the standard contractual clauses, due to the sheer size of economic activity and the pervading global protectionist environment, a view may be taken that India's data protection regime is not in sync with the EU requirements despite the contractual clauses being in place, citing difficulty in enforcing the contractual clauses in the absence of a regulatory framework. This threat is mitigated if India fulfils the adequacy test, i.e., India has an adequate data protection framework in place. For this test, the European Commission will examine the data protection rules in place in India, data protection rights and their effective administration, the data protection authority, the powers vested in such authority, international commitments with regard to data protection, and a periodic review of the aforesaid criteria. India does not figure in the present list of countries determined to be "adequate"; however, countries like Argentina, Canada, Israel, Isle of Man, New Zealand and the United States have been determined as 'adequate'. Accordingly, it may be strategically prudent for India to bring its own regulatory framework on data protection in line with the EU (which has been trailblazing global data protection practices).

3 K S Puttaswamy v Union of India (2017): Writ Petition (Civil) No 494 of 2012.
4 Amba Kak, The Emergence of the Personal Data Protection Bill, 2018 (October 3, 2018, 4:00 PM), https://www.epw.in/journal/2018/38/commentary/emergence-personal-data-protection-bill.html.

4. PROPOSED DATA PROTECTION FRAMEWORK FOR INDIA

The Government of India constituted a committee, chaired by Justice Srikrishna (retired), Supreme Court of India, in August 2017 to design and draft data protection laws for India. The committee, after a year of deliberations and public consultations, has released a draft bill titled 'The Personal Data Protection Bill, 2018' (Draft Bill).5

The long-awaited Personal Data Protection Bill, 2018 (the "Bill") was released on July 27, 2018 along with the report by the Committee of Experts under the chairmanship of Justice B.N. Srikrishna (the "Report"). The Committee, chaired by Justice Srikrishna, was constituted by the Ministry of Electronics & Information Technology, Government of India to put together a draft data protection law for India. The Report elaborates on the Committee's discussions and deliberations and throws light on the provisions of the Bill. The Bill may undergo further changes before it is adopted as law.

This is a keystone development in the evolution of data protection law in India. With India moving towards digitization, a robust and efficient data protection law was the need of the hour. The Bill has been drafted with the intention of filling the vacuum that existed in the current data protection regime, and of enhancing individual rights by providing individuals full control over their personal data, while ensuring a high level of data protection.

The Bill has been broadly based on the framework and principles of the General Data Protection Regulation (the "GDPR") recently notified in the European Union, and on the foundation of the landmark judgement of the apex court, Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors (W.P. (Civil) No. 494 of 2012), wherein the Supreme Court of India upheld the right to privacy as a fundamental right under the Indian Constitution. The Bill shall come in supersession of Section 43A of the Information Technology Act, 2000 (the "IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "IT Rules"), which were enacted under Section 43A of the IT Act.

5 Krishnadas Rajagopal, Drafting a Data Protection Bill (October 3, 2018, 6:15 PM), https://www.thehindu.com/opinion/op-ed/drafting-a-data-protection-bill/article24584467.ece.

5. KEY FEATURES OF THE BILL

Some of the key observations on the Bill are outlined below:

5.1. Wide Definition of Sensitive Personal Data

The Bill has defined sensitive personal data to include personal data revealing or relating to
password, financial data, health data, official identifier, sex life, sexual orientation, biometric
data, genetic data, transgender status, intersex status, caste or tribe. Such a broad definition of
sensitive personal data (for instance, to include passwords and financial data) is not in line with
international data protection laws, which have provided a much narrower definition for
sensitive personal data.

Therefore, foreign companies and multinational companies would face a higher compliance requirement under the data protection law in India. Such companies may find it difficult to adhere to these unique, onerous compliance requirements, which would significantly affect their ease of doing business in India.

5.2. Data Localization

Every data fiduciary is required to store one serving copy of the personal data on a server or data centre located within the territory of India. Data fiduciaries are likely to find this obligation onerous, as it will increase operational costs for most of them. This restriction may also operate as a trade barrier and hinder the ability of global companies to transfer and process personal data across different jurisdictions. Importantly, this requirement does not seem to be relevant in the context of a framework that seeks to protect the right to privacy of individuals. Hopefully, clarifications will be provided or interpretations will evolve in the future allowing such copies of data to be backed up over a periodic cycle instead of in real time, which may somewhat ease the burden of this data localisation obligation.6

One alternative that may have been provided is a choice for companies either to localise or to have a representative, like a data protection officer, who is responsible for making available any data as needed by the Data Protection Authority.7

6 Amber Sinha, Draft Privacy Bill and its Loopholes (October 5, 2018, 12:04 PM), https://www.livemint.com/Opinion/zY8NPWoWWZw8AfI5JQhjmL/Draft-privacy-bill-and-its-loopholes.html.
7 Ibid.

5.3 Scope of Applicability

Under the Justice B. N. Srikrishna Report, an exception has been made based on the principle of territoriality. The Report states that any entity located in India only processing personal data of foreign nationals not present in India may be exempted from the application of the Bill by the Central Government. However, this exemption has not been brought out in the Bill. It is likely that this exemption would be provided under the rules adopted under the Bill. But in case no such exemption is provided under the rules, the scope and applicability of the Bill may be more over-reaching than the GDPR. Further, the term 'in connection with any business that is carried out in India', in relation to the exercise of jurisdiction over any data fiduciary or data processor not located within India, is vague in nature and lacks specificity.

5.4 Definition of Critical Personal Data

The Bill states that critical personal data shall be processed only in a server or data centre located in India. This effectively means that such data cannot be transferred to any country outside India. It may be a challenge for businesses to service Indian consumers solely through data centres in India. Further, the Bill does not define the term critical personal data or give any guiding principles for its determination.

5.5 Excessive Liability

The Bill imposes liability on the directors of a company or the officers in charge of the conduct of the business of the company at the time of commission of the offence. This seems to be a draconian measure and takes an extreme stand, as even most international legislations such as the GDPR do not provide, in case of a data breach, for liability of the person responsible for the conduct of business.

Further, due to lack of clarity in the law, the directors and officers in charge may be held liable to pay the same quantum of penalties as may be imposed on the company. Additionally, there is a lack of clarity on the nature of liability imposed inter se between a data fiduciary and a data processor, or between multiple data processors, in case of a data breach.

5.6 Repeal of Section 43A of IT Act and IT Rules

The Bill comes in supersession of Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which were enacted under the same provision. However, there are certain provisions under the Rules which are not specifically provided for under the Bill, for instance the disclosure of information in a privacy policy. There is a lack of clarity on whether data fiduciaries need to have a separate privacy policy or whether the detailed notice requirements under the Bill would be sufficient compliance under the law.

5.7 Employment

Under the Bill, an exemption from obtaining the consent of the data principal for processing their data has been granted for certain employment related matters. However, this ground for processing of personal data can only be invoked if processing of personal data on the basis of consent is not appropriate having regard to the employer-employee relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities. With the Bill coming into effect, it may pose a possible challenge for employers to continue retaining data of their former employees, obtained during the course of employment, after their separation from the employer.

5.8 Periodic Review of Stored Personal Data

Under the Bill, data fiduciaries are under an obligation to conduct a periodic review of the personal data stored with them so that it is not retained beyond the period necessary for the purpose of processing. The term periodic review is too general in nature, and the Bill does not specify whether such periodic reviews need to be conducted monthly, bi-annually or annually. Further, this is most likely to increase operational costs for all companies.

5.9 Notice

Under the Bill, the data fiduciary is under an obligation to provide the data principal with adequate notice before collection of personal data. The notice is required to be clear and concise, and, if necessary and practicable, the notice shall be in multiple languages. In a country like India with multiple languages, this may be an operational challenge and may increase the cost of compliance.

5.10 Data Protection Authority – Scope of authority

The Bill has vested the Authority with a wide range of administrative, discretionary, quasi-legislative and quasi-judicial powers. The exercise of the powers vested in the Authority under the rules adopted under the Bill should be in a manner that avoids any concentration of multiple conflicting powers and excessive delegation, which would defeat the purpose of the Bill. Further, the Bill does not make any provision for filing a class action suit or a representative suit in situations where a data breach affects a large number of individuals.

5.11 Status of TRAI Recommendations

The Telecom Regulatory Authority of India recently released its Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector. The TRAI recommendations provide that, till the adoption of a general data protection legislation, the existing rules/license conditions applicable to telecom service providers for protection of users' privacy be made applicable to all the entities in the digital ecosystem.

Hence, it is uncertain whether the TRAI Recommendations offering sector-specific guidelines (such as encryption standards) will be applicable to data fiduciaries operating in the telecom sector along with the provisions of the Bill, or whether the TRAI Recommendations will cease to govern the privacy, security and ownership of data in the telecom sector.

6. APPLICABILITY AND PURPOSE

Under the current personal data protection regime in India, which is governed by the IT Rules, all government bodies and related organizations have been excluded from its purview. In contrast, the GDPR makes no such exception and its application extends to all entities, depending on the processing of personal data. The Bill has been drafted along the same principle and is applicable to all entities, whether or not such entities are controlled or owned by the government.

The IT Act, and hence the IT Rules, applies to the whole of India and to any offence committed outside India by any person, if the conduct that amounts to an offence involves a computer, computer system or computer network located in India. The effect of the offence being felt in India, or a threat to Indian security or the security of its citizens, and not the presence of the offender in India, is the key to establishing jurisdiction.

The Bill has adopted an enhanced principle of extra-territorial scope from the provisions of the GDPR. The Bill shall be applicable to processing of personal data: (i) where personal data has been collected, disclosed, shared or processed in any manner within the Indian territory; and (ii) where the processing has been undertaken by the government, by any Indian company, by any Indian citizen or by any person or body of persons incorporated under Indian law.8 So the Bill recognises the principles of territoriality and nationality in defining the scope of application. Further, the Bill shall also be applicable to processing undertaken by a data fiduciary or data processor not located within the territory of India (i) if such processing is in connection with any business that is carried out in India or if there is any systematic activity of offering goods and services to data principals within the territory of India, or (ii) in connection with any activity that involves profiling of data principals within the territory of India.9

The principle of extra-territorial application has been broadened under the Bill to cover offences even in cases which do not involve a computer, computer system or computer network in India, considerably improving the privacy rights of data principals. The long-arm jurisdiction of the Bill would bring India at par with international standards of data protection. However, there is a lack of clarity in the language of the law. The term 'in connection with any business that is carried out in India' is vague in nature and lacks specificity. Therefore, it would be advisable that the above term be separately defined or an explanation be provided. The extra-territorial jurisdiction of the Bill is in line with the terms of the GDPR. However, there are certain differences between the two legislations. The GDPR shall be applicable if foreign data controllers (equivalent to data fiduciaries) or data processors are offering goods and services to data subjects (equivalent to data principals) in the European Union. Processing of personal data in connection with business carried out in the European Union has been left out of its ambit.

8 Section 2(1) of the Personal Data Protection Bill, 2018.
9 Section 2(2) of the Personal Data Protection Bill, 2018.
Further, the Bill covers such processing of personal data in relation to a systematic activity of offering goods or services to data subjects in India, unlike the GDPR, which applies to all instances of offering goods or services, including irregular and ad hoc processing of personal data. Further, with regard to processing of personal data relating to data subjects in the European Union in order to monitor their behaviour, the GDPR states that it applies if such monitoring takes place within the territory of the European Union. In the case of the Bill, any processing of data involving profiling of data principals in India, regardless of where the profiling takes place, is covered.

Under the Report, an exception has been made based on the principle of territoriality. It states that any entity located in India only processing personal data of foreign nationals not present in India may be exempted from the application of the Bill by the Central Government. However, this exemption has not been brought out in the Bill. It is likely that this exemption would be provided under the rules adopted under the Bill. But in case no such exemption is provided under the rules, the scope and applicability of the Bill may be more over-reaching than the GDPR. Further, the Report has suggested that the Bill shall not be applicable retrospectively, i.e. it shall only be applicable to on-going or future processing activities and shall not apply to processing activities that have been completed before the law comes into effect.
7. DATA PROTECTION OBLIGATIONS
The Bill sets out the data protection obligations that are required to be fulfilled for processing
personal data of any data principal. The data protection obligations are as follows.
7.1 Fair and Reasonable
Processing of personal data shall be conducted in a manner that is fair and reasonable and in
a manner that respects one’s right to privacy.10

10 Section 4 of the Personal Data Protection Bill, 2018.

7.2 Data Quality

The data fiduciary shall ensure that the personal data that is processed is complete, accurate, not misleading and kept updated at all times.11

7.3 Purpose, Collection, and Storage Limitation

Personal data shall be processed only for purposes that are clear, specific and lawful. Processing of personal data shall be limited to the purpose that has been specified or any incidental purposes reasonably expected by the data principal.12 With regard to collection of personal data, it shall be limited to such data as is necessary for processing.13 Hence, broadly defined purposes, such as "improving user experience" or "marketing purposes", may not meet the standard set out under the Bill, and there must be a reasonable nexus between the actual use of the personal data collected and the list of purposes stated in the notice to data principals.

Additionally, personal data shall be retained only for the time period necessary to fulfil the purpose related to the processing.14 The data fiduciary is under an obligation to undertake a periodic review of all its stored personal data to ensure that no personal data has been retained for more than the necessary time period.15

The term periodic review is too general in nature and does not specify whether such periodic reviews need to be conducted monthly, bi-annually or annually. Although such periodic reviews are likely to increase compliance costs for data fiduciaries, in the interest of privacy it is essential that the provision be retained and made more specific.
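As an added illustration, not part of the paper or of the Bill's text, the following Python models how a data fiduciary could operationalise the purpose and storage limitation obligations described above: each purpose stated in the notice carries a retention period and the incidental purposes a data principal would reasonably expect, a processing request is checked against that register, and a periodic review flags records held longer than their purpose needs or collected under a purpose the notice never specified (such as a vague "improving user experience"). The purposes, retention periods and records are constructed sample values; the Bill itself fixes no retention periods.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PurposePolicy:
    retention_days: int   # how long the stated purpose genuinely needs the data
    incidental: frozenset # incidental purposes the principal would reasonably expect


# Purposes stated in the notice, each clear and specific. Constructed sample
# policy: the Bill requires retention no longer than the purpose needs but
# fixes no periods, so these numbers are illustrative only.
NOTICE_PURPOSES = {
    "order_fulfilment": PurposePolicy(180, frozenset({"delivery_tracking", "refund"})),
    "statutory_tax_record": PurposePolicy(365 * 7, frozenset()),
    "newsletter": PurposePolicy(90, frozenset()),
}


@dataclass(frozen=True)
class Record:
    principal_id: str
    purpose: str        # purpose under which the data was collected
    collected_on: date


def may_process(record, requested_purpose):
    """Purpose limitation: allow processing only for the purpose specified in
    the notice or an incidental purpose listed for it. Data collected under a
    purpose absent from the register was never lawfully specified, so refuse."""
    policy = NOTICE_PURPOSES.get(record.purpose)
    if policy is None:
        return False
    return requested_purpose == record.purpose or requested_purpose in policy.incidental


def review_retention(records, today):
    """Storage limitation: the periodic review. Returns (keep, purge); a record
    is purged when it has outlived its purpose's retention period or when its
    purpose is not one the notice specified."""
    keep, purge = [], []
    for r in records:
        policy = NOTICE_PURPOSES.get(r.purpose)
        if policy is None or (today - r.collected_on).days > policy.retention_days:
            purge.append(r)
        else:
            keep.append(r)
    return keep, purge


# Constructed sample store; the last record was collected under a purpose too
# vague to appear in the notice register.
SAMPLE_RECORDS = [
    Record("p1", "order_fulfilment", date(2018, 1, 10)),
    Record("p2", "order_fulfilment", date(2018, 7, 1)),
    Record("p3", "newsletter", date(2018, 3, 1)),
    Record("p4", "statutory_tax_record", date(2015, 4, 1)),
    Record("p5", "improving user experience", date(2018, 7, 20)),
]


def run_review(today=date(2018, 7, 27)):
    """Run the periodic review over the sample store and report principal ids."""
    keep, purge = review_retention(SAMPLE_RECORDS, today)
    return [r.principal_id for r in keep], [r.principal_id for r in purge]


if __name__ == "__main__":
    retained, purged = run_review()
    print("retain:", retained)
    print("purge:", purged)
    print("refund on p2:", may_process(SAMPLE_RECORDS[1], "refund"))
    print("marketing on p2:", may_process(SAMPLE_RECORDS[1], "marketing"))
```

The review date is fixed to the Bill's release date only so that the sample is reproducible; in practice the review would be scheduled at whatever interval the rules eventually prescribe, and the register of purposes should be the same one the notice is generated from, so that the notice and the retention logic cannot drift apart.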
7.4 Notice

Notice is a significant step towards obtaining consent from data principals for processing their personal data. Under the Bill, the data fiduciary is under an obligation to provide the data principal with adequate notice before collection of personal data, or as soon as reasonably possible if the personal data has not been collected directly from the data principal. The notice shall be clear and concise, and, if required and if practical, the notice shall also be in multiple languages. Providing notice in multiple languages is an additional compliance burden for data fiduciaries, considerably increasing their operational costs.

Among the other requirements regarding the contents of the notice, the notice shall state the purpose for which personal data is being processed and the categories of personal data collected. The data fiduciary shall provide its identity and contact details along with the contact details of the data protection officer (if applicable). In case the personal data has not been collected directly from the data principal, the notice shall mention the sources from which the personal data has been collected. Other information, such as the names of the entities/persons with which the personal data shall be shared, information regarding cross-border transfer of personal data, and the time period for which the personal data shall be retained, shall also be included in the notice. Additionally, the notice shall also inform the data principal about their right to withdraw consent and the right to file a complaint against the data fiduciary.

If a credit score has been assigned to the data fiduciary, such credit score shall also be mentioned in the notice. The Data Protection Authority (the "Authority") has reserved its right to add additional information as it deems fit.

11 Section 9 of the Personal Data Protection Bill, 2018.
12 Section 5 of the Personal Data Protection Bill, 2018.
13 Section 6 of the Personal Data Protection Bill, 2018.
14 Section 10 of the Personal Data Protection Bill, 2018.
15 Ibid.
7.5 Accountability
The data fiduciary shall be accountable and responsible for protecting the personal data of the
data principals. It is the responsibility of all data fiduciaries to ensure compliance with the
provisions of the Bill.
The obligations of data protection are similar to the principles enumerated under the GDPR, bringing the data protection obligations in line with international best practices.16 The GDPR enumerates the following principles of data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. However, under the IT Rules, the data protection obligations are limited only to the collection, use and storage of information falling in the category of sensitive personal information, excluding personal data from their ambit. Therefore, it is essential to extend the above data protection obligations to all personal data of a data principal, as achieved by the Bill.
Further, under the Bill a data fiduciary shall engage a data processor for processing personal data only through a valid contract between the two of them. However, there is a need for certain non-negotiable clauses to be prescribed for inclusion in the contract between the data controller and the data processor. Further, the data processor is barred from subcontracting to another data processor unless there is a specific clause in the agreement between the data fiduciary and the data processor allowing the same.17 However, assuming that the data processor is permitted to sub-contract to another data processor, the Bill does not discuss the manner in which such multiple data processors would be liable for breach of any provisions of the Bill.
16 Article 5 of General Data Protection Regulation, 2016.
17 Article 37 of General Data Protection Regulation, 2016.
8. CATEGORIES OF DATA
The Bill categorises data into three different categories: personal data, sensitive personal data and critical personal data.18 Personal data has been defined under the Bill to mean “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such feature with any other information”.19
The definition of personal data is in line with the definition of personal data enumerated under the GDPR. Further, the definition also covers personal data that may indirectly lead to the identification of a natural person. This is important as certain entities using modern technologies carry on targeted online advertising and use an individual’s online activities and patterns to customise their advertisements. Although such data gathered from one’s online activities may not be identifiable individually, when taken collectively it may result in identifying a person.
Sensitive personal data has been defined under the Bill to include personal data revealing or relating to password, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe.20 Currently, under the IT Rules, sensitive personal information includes only seven (7) categories of information, namely: password; financial information; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; and other details relating to the above categories provided for the purpose of providing services, and any of the above information received by a body corporate for processing under a lawful contract.
Expanding the scope of sensitive personal data is not consistent with international standards and law, which would mean that foreign companies or multinational companies would face stricter compliance requirements under Indian law. Such companies may find it difficult to adhere to such onerous compliance requirements, which would significantly affect their ease of doing business in India.
However, on the positive side, the remedies available to the data principal in case of a data breach extend to breaches of both personal data and sensitive personal data, unlike under the IT Rules, which provide for compensation only in case of a breach of sensitive personal information of a data principal. With regard to the term critical personal data, the Bill does not provide any specific definition. However, it states that the Authority may notify certain categories of data to be critical personal data.
18 Article 40 (2) of General Data Protection Regulation, 2016.
19 Article 2(29) of General Data Protection Regulation, 2016.
20 Section 2(35) of the Personal Data Protection Bill, 2018.
It remains to be seen whether any additional data security requirements or compliances will be prescribed in relation to critical personal data. Further, it has been stated that the Bill shall not be applicable to the processing of anonymised data.21 Even though anonymised data has been excluded from the ambit of the Bill, de-identified data continues to be treated as personal data and will be governed by the provisions of the Bill.
9. GROUNDS FOR PROCESSING PERSONAL DATA AND SENSITIVE PERSONAL DATA
With regard to the processing of personal data and sensitive personal data, the Bill provides the lawful grounds on which such data can be processed. Of these, consent of the data principal is the primary ground for processing personal data or sensitive personal data. The others are the grounds on which personal data or sensitive personal data can be processed without obtaining the consent of the data principal. Such grounds of processing have been mentioned below. It is to be noted that the Bill does not provide for any separate grounds for processing critical personal data.
9.1 Consent
It is the basic ground for processing personal data or sensitive personal data.22 The consent of the data principal shall be free, informed, specific, clear and capable of being withdrawn. The burden of proof to establish that the consent has been given lawfully lies with the data fiduciary. For processing sensitive personal data, in addition to the above requirements, the consent shall be provided explicitly, meaning that the data principal shall be informed about the possible consequences of the processing; it shall be clear without needing to refer to the context in which it was provided; and it shall be specific in the sense that the data principal has the choice to give separate consents for different purposes, operations and uses of different categories of sensitive personal data relevant to the processing.23 This means that implied consent, inactivity or pre-checked boxes that indirectly signify consent may no longer be acceptable modes of consent under the Bill. The GDPR also recognises the importance of consent for processing personal data and the need for explicit consent for processing special categories of personal data. Even in India, under the IT Rules and subject to certain other provisions, the consent of the individual is required before collecting, disclosing or transferring sensitive personal information. However, in the case of performance of a contract, there is a difference between the two legislations.
21 Section 2(3) of the Personal Data Protection Bill, 2018.
22 Section 12 of the Personal Data Protection Bill, 2018.
23 Section 18 of the Personal Data Protection Bill, 2018.
Under the Bill, the performance of a contract cannot be made contingent on consent for processing personal data that is not necessary for the purpose. This is a departure from the current IT Rules, whereby an entity can deny performance of a contract (such as delivery of goods or performance of a service) if consent has not been given for processing personal data, regardless of whether such data is required to be processed in connection with the performance of the contract or not. It is evident that consent is a primary ground for processing personal data. However, consent is not the only ground on which personal data can be processed. The Bill makes provision for other grounds on which personal or sensitive personal data can be processed without the need to obtain consent. Such grounds are as follows:
9.2 Functions of the State
Personal data or sensitive personal data (as the case may be) can be processed if such processing
is necessary for the function of the parliament or any state legislature or for exercising any
function of the state such as providing any service or benefit to the data principals, or for issuing
any certificate, license or permit for any activity of the data principal.
9.3 Compliance with Law or Any Legal Order
Personal data or sensitive personal data can be processed for complying with any provision of
the law or any order of a court or tribunal.24
9.4 Prompt Action
Personal data and sensitive personal data can be processed without obtaining the consent of the data principal in situations where the processing is necessary to respond to a medical emergency, or to provide health services during any epidemic, outbreak of disease or any other threat to public health. Further, personal data may be processed for any prompt action required in case of a breakdown of public order.25
9.5 Employment Related Action
Personal Data can be processed if it is necessary for employment related purposes such as
recruitment, termination, assessment of performance, provision of any benefit to the data
principal (employee), verification of attendance of the data principal.26

24 Section 14 of the Personal Data Protection Bill, 2018.
25 Section 15 (c) of the Personal Data Protection Bill, 2018.
26 Section 16(1) of the Personal Data Protection Bill, 2018.
However, this ground for processing personal data can only be invoked if processing on the basis of consent is not appropriate having regard to the employer-employee relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities.
Although this is a reasonable ground on which to process personal data, it is important to impose strict obligations on the employer (data fiduciary) to first take all reasonable steps to obtain consent from its employee. Further, the law should clearly state that the burden of proof to establish that it was not reasonably possible for the employer to obtain consent shall vest strictly with the employer.
Additionally, many of the employers retain the personal data of their former employees for
various purposes, several years post cessation of their employment. With the Bill coming into
effect it may pose a challenge for employers to continue retaining data of their former
employees, obtained during the course of employment, post their separation from the employer.
9.6 Reasonable Purposes
Personal data can be processed for reasonable purposes as may be specified by the Authority. The Authority may specify reasonable purposes such as the prevention and detection of unlawful activity including fraud, whistle-blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, and the processing of publicly available personal data. As the reasonable grounds for processing personal data will be set out by the Authority, there is very limited scope for misusing this provision. Further, in this regard, the Authority would also prescribe the safeguards for the protection of the rights of the data principals. Under the current IT Rules, the scope for processing personal data without consent is very limited. Information, including sensitive personal information (as defined under the IT Rules), can be shared with a third party without the consent of the information provider only with government agencies that are mandated under law to obtain such information, and for the purpose of verification of identity, or for the prevention, detection and investigation (including of cyber incidents), prosecution and punishment of offences.27
Even under the GDPR, several grounds have been recognised for processing personal data and sensitive personal data without the consent of the data subject. However, the scope under the GDPR is a little wider than the scope under the Bill. For example, under the GDPR, processing is also considered lawful without the consent of the data subject when such processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
27 Rule 6(1), proviso, of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
10. PROCESSING OF PERSONAL DATA AND SENSITIVE PERSONAL DATA OF CHILDREN
The Bill recognises and seeks to protect the personal data and right to privacy of children. Every data fiduciary is required to process the personal data of children in a manner that protects and advances the rights and best interests of the child. Under the current IT Rules, there are no special provisions with respect to the processing of personal data or sensitive personal data of children specifically. The provisions relating to the processing of personal data and sensitive personal data of children are as follows.
10.1 Age limit
The Bill defines a child to mean any data principal below the age of 18 (eighteen) years.28 The age limit set out is in line with the provisions of the Indian Contract Act, 1872, but differs from the age limit set out in the GDPR, which is 16 (sixteen) years.
10.2 Parental Consent and Age Verification
To process the personal data of children, the data fiduciary shall obtain the consent of the parents and incorporate an age verification mechanism to verify the age of the child. Similar obligations have been imposed upon the data controller under the GDPR.
10.3 Guardian Data Fiduciaries
The Authority shall notify data fiduciaries as guardian data fiduciaries who (i) operate
commercial websites or online services directed towards children, or (ii) process large volumes
of personal data of children. Guardian data fiduciaries shall not perform any kind of processing
or profiling, tracking, behavioural monitoring of, or targeted advertising directed at, children,
which causes significant harm to children. However, if a guardian data fiduciary is exclusively
involved in providing specified child counselling services or child protection services, it shall
be exempted from obtaining parental consent.
Under the GDPR, there is no provision equivalent to guardian data fiduciaries. However, such a distinction under the Bill would be a valuable addition to the data protection regime in India, restricting all gaming websites regularly accessed by children from exploiting the privacy rights of children.
28 Section 2(19) of the Personal Data Protection Bill, 2018.
11. RIGHTS OF DATA PRINCIPAL
The Bill grants certain rights to the data principals with regard to the processing of their personal data, which are broadly based on the framework of the rights granted to data subjects under the GDPR. The rights granted to the data principals are as follows:
11.1 Right to confirmation
The data principal has the right to obtain confirmation of whether the data fiduciary is processing or has processed its personal data, to obtain a summary of the personal data that is being processed, and to obtain a summary of the processing activities undertaken by the data fiduciary. Similarly, under the GDPR, a data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her is being processed. Also, under the GDPR, data subjects have the right to access their personal data and all other information related to it.29
11.2 Right to correction
The data principal has the right to demand correction of inaccurate or misleading personal data, completion of personal data which is incomplete, and updating of any personal data which is out of date. Similar rights to rectify and update inaccurate or incomplete personal data or information have been provided under the GDPR and under the current IT Rules.30
11.3 Right to data portability
The data principal shall have the right to obtain their personal data from the data fiduciary in a structured, commonly used and machine-readable format, where the data has been processed through automated means. The data principal has a right to receive the personal data (i) which the data principal has provided to the data fiduciary, (ii) which is generated by the data fiduciary in the course of providing services or the use of goods, and (iii) which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained. In addition to the above, the data principal shall also have the right to transfer the abovementioned personal data to any other data fiduciary.
However, the right to data portability shall not be applicable in certain situations, such as where processing is necessary for the functions of the state, where processing is in compliance with an applicable law, where processing would result in the revelation of any trade secret of any data fiduciary, or where it would not be technically feasible. Similarly, a right of data portability has been provided to data subjects under the GDPR. Under the IT Rules, there is no specific provision whereby a data principal/individual has a right of portability over its personal data.
29 Section 24 of the Personal Data Protection Bill, 2018.
30 Section 25 of the Personal Data Protection Bill, 2018.
11.4 Right to be forgotten
The Bill provides the data principals with a limited right to restrict or prevent the continuing disclosure of any personal data by the data fiduciary where (i) such disclosure has served its purpose and is no longer needed, (ii) the consent on the basis of which it was made has been withdrawn, or (iii) the disclosure was made in contravention of the provisions of the Bill or any other law in force.31 This right may be exercised by the data principal by filing an application with the adjudicating officer. Although the right to be forgotten is a part of our fundamental right to privacy, it is essential to balance such right against the fundamental right to freedom of speech and expression of the general public. The GDPR has also provided data subjects with the right to erase their personal data (subject to certain conditions). However, under the IT Rules, there is no specific provision whereby an individual has the option to exercise his or her right to be forgotten.
12. CROSS BORDER TRANSFER OF PERSONAL DATA
The Bill imposes strict regulations on the transfer of personal data outside the territory of India.
12.1 Data Localisation
As per the Bill, every data fiduciary shall store one serving copy of the personal data on a server or data centre that is located within the territory of India.32 However, the central government has the right to exempt certain categories of personal data from the above requirement on the grounds of necessity or strategic interests of the State, but sensitive personal data will in no case be exempted from the above requirement. The obligation to store, within the territory of India, a copy of the personal data that is being transferred outside India may not be well received and may be criticised, as it is likely to increase operational costs for most entities, especially start-ups. This will also hinder the ability of global companies to transfer and process personal data across different jurisdictions. Even under the GDPR, there is no obligation to store a copy of the personal data in the member country to which the data relates. This may affect the ease of doing business with India.33
12.2 Critical Personal Data
The Bill imposes an absolute restriction on the processing of critical personal data (personal data as notified by the Central Government), stating that such critical personal data shall be processed only in a server or data centre located in India. This effectively means that such data cannot be transferred to any country outside India. It may be a challenge for businesses to service Indian consumers solely through data centres in India. It is important to have the term critical personal data clearly defined to avoid confusion or misrepresentation.34
31 Section 27(1) of the Personal Data Protection Bill, 2018.
32 Section 40 (1) of the Personal Data Protection Bill, 2018.
33 Nirvaan Gupta, Data Protection In India (October 12, 2018, 9:45 PM), http://www.mondaq.com/article.asp?article_id=744160&signup=true.

12.3 Conditions for Cross Border Transfer
The Bill has laid down the conditions for transferring personal data outside the territory of India. These conditions are as follows.
(a) Transfer of data is according to standard contractual clauses or inter-group schemes that
have been approved by the Authority;
(b) The central government in consultation with the Authority has prescribed a country or
section within a country or a particular international organization where such transfers are
permissible based on the adequacy of the data protection framework in such country and
monitoring of circumstances applicable to such data; or
(c) A particular transfer is approved by the Authority on grounds of necessity.
In addition to the above three conditions, the data principal must consent to the transfer of personal data and explicitly consent to the transfer of sensitive personal data. Further, the Bill also lays down additional requirements for transferring sensitive personal data (as notified) outside the territory of India.
Under the current IT Rules, sensitive personal information or any information may be transferred to a body corporate or person outside India that ensures the same level of data protection as is to be adhered to under those Rules. Further, the transfer may be allowed only if it is necessary for the performance of a lawful contract between the body corporate and the provider of information, or where such person has consented to the data transfer.
13. DATA PROTECTION AUTHORITY
The Bill establishes an independent body called the Data Protection Authority of India.35 Currently, there is no such independent authority under the present data protection regime in India. The Data Protection Authority shall possess all the characteristics of a body corporate. The Authority shall consist of a chairperson and 6 (six) whole-time members. The Bill has vested the Authority with a wide range of powers. Such powers may be divided under the broad heads of administrative, discretionary, quasi-legislative and judicial powers. It remains to be seen in what manner the exercise of the powers vested in the Authority will be prescribed under the rules adopted under the Bill, so as to avoid any concentration of multiple conflicting powers and excessive delegation, which would defeat the purpose of the Bill. Further, the Bill does not make any provision for the filing of a class action suit or a representative suit in situations where a data breach affects a large number of individuals.
34 Ibid.
35 Section 49 of the Personal Data Protection Bill, 2018.
14. EXEMPTIONS
The Bill lists certain categories that are exempted from the application of the Bill in whole or in part. The exempted categories are: security of the state; prevention, detection and investigation of contraventions of law; processing for purposes related to legal proceedings; research, archival or statistical purposes; personal or domestic purposes; journalistic purposes; and processing done by small entities.

15. TRAI RECOMMENDATIONS AND THE PERSONAL DATA PROTECTION BILL, 2018
The Telecom Regulatory Authority of India released its Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector (the “TRAI Recommendations”) on 16 July, 2018. The TRAI Recommendations highlight the importance of data privacy and data protection in a sector which is driven by telecommunications and digital services. The Bill, to some extent, has incorporated the TRAI Recommendations. The TRAI Recommendations also state that entities collecting and processing data are mere custodians or fiduciaries and do not have any primary rights over such data. The TRAI Recommendations on the rights of individuals with respect to choice, notice, consent, portability and the right to be forgotten in the telecommunication sector have been recognised and incorporated under the Bill, subject to certain limitations. The Bill has also incorporated the principles suggested in the TRAI Recommendations, which are: privacy by design, data minimisation, purpose limitation and collection limitation.36 The TRAI Recommendations stress the importance of conducting a hybrid model of audit (which would be a combination of both technology-based and human-based audit). Under the Bill, audit obligations have been made compulsory for significant data fiduciaries. With regard to the cross-border flow of data, the Bill has incorporated TRAI’s recommendation suggesting the need to localise sensitive critical data such as financial data and data related to healthcare.
36 Para 2.57 of TRAI Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector.
However, there is no particular definition of critical sensitive data under the Bill, and it is up to the Central Government to notify personal data as sensitive personal data. Moreover, the TRAI Recommendations provide that, until the adoption of a general data protection law, the existing rules and licence conditions applicable to telecom service providers for the protection of users’ privacy be made applicable to all the entities in the digital ecosystem. Hence, it is uncertain whether the TRAI Recommendations offering sector-specific guidelines will be applicable to data fiduciaries operating in the telecom sector along with the provisions of the Bill, or whether the TRAI Recommendations will cease to govern the privacy, security and ownership of data in the telecom sector. This is relevant because certain recommendations, such as encryption standards, are critical to the telecom sector and may not be adequately addressed by the provisions of the Bill, which are more generic in nature.
16. IMPORTANT OBSERVATIONS
Some of the important observations on the Bill are as follows:
16.1 Dilution Of The RTI Act
16.1.1 Issue of accountability
The Personal Data Protection Bill, 2018, drafted by the Srikrishna Committee, identifies “personal data” as any data that directly or indirectly identifies a person. It then calls for amending clause 8.1.j of the Right to Information (RTI) Act, 2005. The clause currently exempts the following from disclosure: “information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Public Information Officer is satisfied that the larger public interest justifies the disclosure. Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”
The Srikrishna Committee suggests amending this clause to authorise public information
officers, or PIOs, to deny information containing ‘personal data’, if they feel that such
disclosure is likely to cause harm to ‘the data principal’, and if such harm outweighs public
interest. The Bill defines ‘data principal’ as whoever the data relates to. This amendment may
seem reasonable on first reading, but for the practical experiences of RTI users in the past years.
The RTI Act’s core aim is to bring accountability by making available public records that disclose the actions and decisions of specific, identifiable members of the political class and the bureaucracy. The Data Protection Bill extends the cloak of ‘personal data’ over all such information. It asks PIOs (now overwhelmingly appointed at junior levels) to weigh public interest against the potential for harm to those identifiable in public documents.
The Bill defines harm expansively to include everything from blackmail and bodily injury to loss of reputation, humiliation and “mental injury”. The Bill ignores that another key aim of the RTI Act is “containing corruption”. By bringing corruption to light, dogged RTI users have served public interest and caused ‘harm’, in terms of the Bill, to those exposed.37
16.1.2 A ‘powerful proviso’
Further, most public records identify one or more persons. For instance, file notings identify bureaucrats making decisions by their posts, or even initials or names; public records, such as contracts awarded or clearances issued, identify specific private actors. Under the proposed amendment, PIOs will be forced to test public interest against potential harm, a responsibility they will be reluctant to take on. When nine judges of the Supreme Court are unable to frame the bounds of privacy, can we expect PIOs to assess which information is private, and then weigh the potential harm to individuals due to disclosure, guided all the while by public interest and the cause of accountability? The amended clause will chill the RTI Act, as PIOs will now have a strong legal ground to play safe and toss out RTI requests by deploying an amended clause 8.1.j.
In fact, this is already happening on account of how the Supreme Court has perhaps
inadvertently mangled the privacy safeguard provided in the existing Section 8.1.j. The RTI
Act currently provides an acid test to help PIOs respond to requests: “Provided that the
information which cannot be denied to the Parliament or a State Legislature shall not be denied
to any person.” This is a powerful proviso, also retained in the proposed amendment. It implies
that PIOs can deny only that information to applicants which they would deny to Parliament or
State legislatures. However, in Girish Deshpande v. Central Information Commission & Ors.
(2012), a two judge Bench of the Supreme Court ignored this proviso and prior precedents in
order to rule that the assets and details about the performance of a public servant constituted
personal information, and were exempt from disclosure. This has set a precedent for subsequent
court rulings and for PIOs to indiscriminately expand the ambit of personal information, and
reject RTI requests, using clause 8.1.j. Recently, the Union Department of Personnel and Training denied information about the mere number of IAS officers whose annual performance appraisal reports were pending, as of 2017. The PIO cited clause 8.1.j and the 2012 SC ruling as grounds for denial. In essence, the court has implicitly read down the powerful proviso above, prompting PIOs to “profusely abuse” the privacy exemption in the RTI Act, as Central Information Commissioner M. Sridhar Acharyulu has observed. According to Acharyulu, PIOs’ “misuse of 8.1.j is rampant”, and is reducing RTI to “a mockery.” The government should be addressing these alarms raised by the Central Information Commission, the RTI’s apex watchdog. The precedent created by Deshpande and its widespread abuse by PIOs need to be corrected, to reaffirm the fundamental right to information. Instead, the government is embarking on a project to legalise such ‘abuse’, by diluting transparency in the guise of an amendment furthering privacy.
37 Aniket Aga & Chitrangada Choudhury, Opacity in the name of privacy (September 29, 2018, 6:15 PM), https://www.thehindu.com/opinion/op-ed/opacity-in-the-name-of-privacy/article25051410.ece

16.2 Ownership Over Data Vs. Rights Over Data

The PDP Bill doesn’t recognize an individual as an owner of the data which pertains to her. It
considers an individual as a ‘Data Principal’ with certain rights available against a person
collecting and processing that data called ‘Data Fiduciary’. The Bill has been criticized for
not upholding an individual’s ownership of her data which flows from the understanding that
‘one’s data is an extension of oneself’ and one can choose who to entrust it to. Ownership
creates not just rights but a sense of control as well, which empowers an individual. However,
a member of the Expert Committee has tried to justify this omission by arguing that if an
individual is considered owner of her data, then data is reduced to a ‘property’ which can be
traded, bought, sold and in some cases, even forcefully acquired (like acquisition of land by
government for development programs).38

There seems to be an effort to create a false dichotomy between owning data and having
rights over it. On the contrary, not owning one’s data can seriously hinder the exercise of the rights
provided under this Bill. It must also be noted that just before the Expert Committee’s report,
the Telecom Regulatory Authority of India (TRAI) came out with its report on the protection of data privacy of
telecom subscribers, in which it categorically held that each user owns her data and has primary
rights over it; every person who collects the data is a custodian bound by certain obligations.

And when we take stock of the many provisions in the Bill in which the State is provided with
untrammelled powers to collect and process data without consent, it seems that the argument
of the Expert Committee against ownership of data is born of convenience: ownership would
give more bargaining power to an individual against vested business interests and state
excess.39

38 Maansi Verma, Personal Data Protection Bill: Looking At Loopholes In Sections Of The Bill Pertaining To Data Ownership, RTI And More (October 3, 2018, 4:25 PM), https://www.firstpost.com/tech/news-analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownership-rti-and-more-2-5197791.html.

16.3 Segregation Of Personal Data & Sensitive Data

The draft Bill includes comprehensive definitions of personal data and sensitive personal data and
separates the two. Personal data under the Bill means any data which can directly or
indirectly identify a natural person, whereas sensitive personal data is defined by an enumerated list,
which includes, among other things, intersex status and religious or political beliefs or affiliations.

The Bill does not address how the already existing mass of data about a data principal
(the natural person to whom the data relates) is to be segregated into personal and sensitive data. This
is an added burden on data fiduciaries (those who alone or in conjunction with others
determine the purpose and means of processing of personal data) and data processors (those
who process personal data on behalf of a data fiduciary, excluding an employee of
the data fiduciary).

It is also unclear how such segregation would serve the purpose of privacy or protection from unwanted
surveillance. Sensitive data, for example religious beliefs, biometrics, political affiliations
or health data, can also be collected through Google searches or a combination of various other
factors.

16.4 Anonymisation

As per the Bill, personal data may be irreversibly processed, converting it into a form in which
the data principal cannot be identified. The Act does not apply to the processing of anonymised
data, and thus its provisions need not be complied with in the case of anonymised data.
Companies dealing with analytics or research, where huge volumes of data are mined,
can process and analyse their anonymised data without fear of any
repercussions. However, the Bill clearly states that anonymisation has to meet the standards set
by the Authority. How far data can remain anonymised where the source data is not deleted is
food for thought, as the source data can be used to re-identify the anonymised data. The Bill does not
provide for regular audits or reviews to check whether the standards for anonymisation have been met or
whether the source still contains the personal data of the data principal.

39 Anuja Nair, Observations/Recommendations On Personal Data Protection Bill, 2018 (October 18, 2018, 2:05 AM), http://www.mondaq.com/india/x/734422/data+protection/ObservationsRecommendations+on+Personal+Data+Protection+Bill+2018.
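The review the paragraph above finds missing from the Bill can be made concrete. The following is an added example written for this paper, not code from the Bill, the Committee or any fiduciary: it treats k-anonymity over quasi-identifiers as the (assumed) standard an Authority might set, checks a de-identified release against it, and shows why a retained source table with direct identifiers undermines the anonymised status. Every record, pincode and name is constructed sample data.

```python
"""
Added example (not from the paper or the Bill): audit-style check of whether a
"de-identified" dataset meets an assumed anonymisation standard (k-anonymity over
quasi-identifiers) and what a retained source table means for that status.
All records below are constructed sample data.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed source table as held by a data fiduciary: direct identifiers present.
SOURCE: List[Dict[str, str]] = [
    {"id": "u1", "name": "A. Sharma", "pincode": "226010", "birth_year": "1984", "religion": "Hindu"},
    {"id": "u2", "name": "B. Khan",   "pincode": "226010", "birth_year": "1984", "religion": "Muslim"},
    {"id": "u3", "name": "C. Das",    "pincode": "226010", "birth_year": "1985", "religion": "Hindu"},
    {"id": "u4", "name": "D. Roy",    "pincode": "700001", "birth_year": "1990", "religion": "Christian"},
    {"id": "u5", "name": "E. Bose",   "pincode": "700001", "birth_year": "1991", "religion": "Hindu"},
]
SENSITIVE = "religion"  # appears in the Bill's list of sensitive personal data


def quasi_key(row: Dict[str, str], band: int) -> Tuple[str, str]:
    """Quasi-identifier tuple (pincode, birth_year); birth_year is coarsened to a
    `band`-year range so that fewer people are unique (band=1 keeps the raw year)."""
    y = int(row["birth_year"])
    lo = y - y % band
    year = str(y) if band == 1 else f"{lo}-{lo + band - 1}"
    return (row["pincode"], year)


def deidentify(rows: List[Dict[str, str]], band: int = 1) -> List[Dict[str, str]]:
    """Drop direct identifiers (id, name); keep generalised quasi-identifiers and the sensitive value."""
    out = []
    for r in rows:
        pincode, year = quasi_key(r, band)
        out.append({"pincode": pincode, "birth_year": year, SENSITIVE: r[SENSITIVE]})
    return out


def k_anonymity(rows: List[Dict[str, str]]) -> int:
    """Size of the smallest group of rows sharing the same quasi-identifier values (0 if empty)."""
    counts = Counter((r["pincode"], r["birth_year"]) for r in rows)
    return min(counts.values()) if counts else 0


def relink(released: List[Dict[str, str]], source: List[Dict[str, str]], band: int) -> Dict[int, str]:
    """Released rows that resolve to exactly one person when matched against the
    retained source table. Returns {release_row_index: name}."""
    index: Dict[Tuple[str, str], List[str]] = {}
    for s in source:
        index.setdefault(quasi_key(s, band), []).append(s["name"])
    hits: Dict[int, str] = {}
    for i, r in enumerate(released):
        candidates = index.get((r["pincode"], r["birth_year"]), [])
        if len(candidates) == 1:
            hits[i] = candidates[0]
    return hits


def audit(released, source, band: int, k_required: int, source_retained: bool) -> List[str]:
    """Findings a periodic review would raise; an empty list means the release passes."""
    findings: List[str] = []
    k = k_anonymity(released)
    if k < k_required:
        unique = len(relink(released, source, band))
        findings.append(f"k-anonymity is {k}, required {k_required}: {unique} rows uniquely re-linkable")
    if source_retained:
        findings.append(
            f"source table with direct identifiers for {len(source)} data principals is still held; "
            "the release is anonymous only towards parties without that table"
        )
    return findings


if __name__ == "__main__":
    naive = deidentify(SOURCE, band=1)      # names removed, raw birth years kept
    banded = deidentify(SOURCE, band=10)    # birth years generalised to decades
    print("naive release  k =", k_anonymity(naive), "findings:", audit(naive, SOURCE, 1, 2, True))
    print("banded release k =", k_anonymity(banded), "findings:", audit(banded, SOURCE, 10, 2, False))
```

Merely stripping names leaves three of the five constructed rows uniquely re-linkable through pincode and birth year, whereas generalising the year to a decade brings the release to k = 2. Even then, the second finding shows why the paper's concern about undeleted source data matters: the standard is met only with respect to parties who do not hold the source table.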

16.5 Data Deletion

Section 10 of the Bill states that personal data which is no longer required for the purpose for
which it was collected must be deleted in a manner as may be specified, unless such retention
is explicitly mandated or necessary under law. Such data, if not deleted regularly, would be at
huge risk of being misused. There is a real chance that data is not deleted and is instead
used for purposes for which the data principal has not given consent. The Bill does not put
sufficient emphasis on this vital aspect of data protection.40
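A deletion duty of the kind Section 10 describes is only as good as the routine that enforces it. The block below is an added example for this paper, not a provision of the Bill or any fiduciary's code: a retention sweep over constructed records that deletes data once its purpose is fulfilled while honouring the Bill's carve-out for retention mandated under law. The thirty-day grace period and the legal-hold field are assumptions, not values taken from the Bill.

```python
"""
Added example (not from the paper or the Bill): a retention sweep that applies the
"delete when the purpose is fulfilled, unless retention is mandated under law" rule
to constructed records. GRACE_DAYS and the legal-hold field are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Record:
    principal_id: str
    purpose: str
    purpose_completed_on: Optional[date]      # None while the purpose is still being served
    legal_hold_until: Optional[date] = None   # set only where a law mandates retention


GRACE_DAYS = 30  # assumed operational grace period after purpose completion

# Constructed sample records and an assumed "today" for the sweep.
AS_OF = date(2018, 10, 1)
SAMPLE_RECORDS: List[Record] = [
    Record("p1", "delivery", date(2018, 6, 1)),                              # purpose done, no hold
    Record("p2", "loan", date(2018, 6, 1), legal_hold_until=date(2025, 6, 1)),  # statutory retention
    Record("p3", "marketing", None),                                        # purpose still active
    Record("p4", "support", date(2018, 9, 20)),                              # done 11 days ago
    Record("p5", "kyc", date(2017, 1, 1), legal_hold_until=date(2018, 1, 1)),   # hold has lapsed
]


def retention_decision(rec: Record, today: date) -> Tuple[str, str]:
    """Return ('delete' | 'retain', reason) for one record as of `today`."""
    if rec.purpose_completed_on is None:
        return "retain", "purpose still active"
    if rec.legal_hold_until is not None and rec.legal_hold_until >= today:
        return "retain", f"retention mandated under law until {rec.legal_hold_until.isoformat()}"
    if (today - rec.purpose_completed_on).days < GRACE_DAYS:
        return "retain", "within grace period after purpose completion"
    return "delete", "purpose fulfilled and no legal basis for further retention"


def sweep(records: List[Record], today: date) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Partition records into (to_delete, to_retain), each entry being (principal_id, reason).
    A record whose hold has expired falls back to the ordinary purpose test."""
    to_delete: List[Tuple[str, str]] = []
    to_retain: List[Tuple[str, str]] = []
    for rec in records:
        action, reason = retention_decision(rec, today)
        (to_delete if action == "delete" else to_retain).append((rec.principal_id, reason))
    return to_delete, to_retain


if __name__ == "__main__":
    deleted, kept = sweep(SAMPLE_RECORDS, AS_OF)
    for pid, why in deleted:
        print("DELETE", pid, "-", why)
    for pid, why in kept:
        print("RETAIN", pid, "-", why)
```

Run on the constructed records, the sweep deletes p1 and p5 and keeps the rest, each with a recorded reason. Logging the reason for every retained record is what lets a later review distinguish data kept under a legal mandate from data that simply was never deleted, which is the risk the paragraph above describes.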

16.6 Consent

The Bill specifically states that the data of a data principal cannot be processed without
consent given no later than the commencement of the processing. Such consent has to be
free, informed, specific, clear and capable of being withdrawn. However, once the data principal
withdraws consent, the Bill does not specify what needs to be done with data that was
collected for processing prior to the withdrawal. Children’s data, if collected, requires parental consent after
age verification as per the Bill. This has to be looked at, as most social media
sites have profiles of children created by them. The Bill is also silent about any retrospective
action in such cases.

16.7 Data Auditors

The Bill gives data fiduciaries the freedom to frame their own policies and to conduct
their own audits for compliance; a data auditor evaluates that compliance. At the same
time, the Bill also lays down that where the Authority is of the view that data processing is
carried out by a data fiduciary in a way that could cause harm to the data principal, it may order
an audit by appointing an auditor. As NASSCOM has put it, as the new data privacy and
protection regime plays out, timely planning and action will help organisations continue
business as usual and enhance their business reputation. How mandatory the
auditing process is, under what conditions companies need to get it done suo motu, its
periodicity, and what would be checked or evaluated as part of the audit are
not clearly laid out; it is hoped that the final Act will do so.

40 Maansi Verma, Personal Data Protection Bill: Looking At Loopholes In Sections Of The Bill Pertaining To Data Ownership, RTI And More (October 3, 2018, 4:25 PM), https://www.firstpost.com/tech/news-analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownership-rti-and-more-2-5197791.html.

16.8 Collection limitation and Purpose limitation

Data collected should be limited to what is required and used only for the purpose for
which it was required. The data fiduciary is under an obligation under the Bill to state the
purposes for which the data is being collected. In practice, however, this is rarely the case. Even if
companies do mention the purpose, it is stated at a very high level and can cover multiple
actions, some of which the data principal may permit and others not. Therefore, it
should be mandated that the data fiduciary state the specific purpose for which the data
would be used. Although the Bill talks about periodic review of the data, it is silent about the
use of data that would be considered redundant.

16.9 Security Safeguards

The data fiduciary and the data processor shall have to implement security safeguards such as
encryption, de-identification or other steps to protect the personal data they are processing. End-to-end
encryption is one of the strongest ways to avoid data breaches and to manage risk in
companies: the data is encoded with a key at the source and, when transferred to
the destination, can be decoded only with the correct decryption key. De-identification, which
is stated as another security safeguard, may not be as effective as encryption. WhatsApp, one of the most widely
used messaging applications, now claims end-to-end encryption, which means no one in
between can read the messages in transit to the person we are communicating with, not
even WhatsApp.

16.10 Data Localizing/Mirroring

As per the Bill, personal data to which the Act applies also has to be stored on a server or data
centre in India. An obligation has been laid down on the Central Government to notify certain
categories of data as critical personal data which can only be processed and stored on a server or
data centre in India. Thus, there is still confusion as to which categories of data would fall
under this clause. If the location of a data principal is considered critical personal data, then
companies like Uber and Ola would probably not be able to operate in India unless that data stayed only
on their servers or data centres in India.41

Data mirroring is an added responsibility and would lead to extra expense and a doubling of the
volume of data to be stored by data fiduciaries. Data stored on servers or data
centres in India, as well as at locations outside, would have to be regularly backed up to tape to
ensure its safety and its storage in India. The Report of the Committee tries to provide its reasons
as to why at least one serving copy has to be stored in India. This is at variance with the global
character of digitalisation and of connecting globally through technology.

One reason that attracts attention is data mirroring being required for the development of
artificial intelligence (AI) which again would raise wide concerns over data privacy.

16.11 Government bodies exempted

The Bill seems to be in favour of the State and the Central Government. Wide exceptions are
given to them in terms of data collection, storage and processing. Though it also holds the
Government accountable, as one of the biggest stakeholders, the vast exemptions free
it from liability at the same time. The Bill lays down that the Government can process
any personal data for any function of the Government and can notify certain categories of
personal data for which no data mirroring is required, purely on the grounds of necessity and
strategic interests of the State.

16.12 Accountability

Section 11 of the Bill holds only the data fiduciary accountable for complying with all its
obligations and for being able to demonstrate that all of its data processing is in accordance with the Act, whereas
not much accountability has been placed on data processors, who would be equally or more
involved in handling the mass of data of the data principal.

41 Maansi Verma, Personal Data Protection Bill: Looking At Loopholes In Sections Of The Bill Pertaining To Data Ownership, RTI And More (October 3, 2018, 4:25 PM), https://www.firstpost.com/tech/news-analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownership-rti-and-more-2-5197791.html.

17. SUGGESTIONS

i) Collection of data should be limited to such data that is strictly necessary for the
specific purpose of processing, and not just mere “purpose” (Section 6).

ii) In Section 8, where data is not collected from the data principal, instead of a ‘reasonably
practicable’ time period for giving notice, a fixed time frame should be provided – 3
months perhaps.

iii) Section 12(1) should be improved such that consent is taken prior to processing of
information.

iv) Any exception to consent needs to be narrowly tailored. The carve-out under Section 14(a)
is broad; it should list the existing laws it covers and also require that any future legislation
relying on it make a specific reference to this statute.

v) Under Section 17, the Authority is provided over-broad powers of determining
“reasonable purposes” as grounds for processing of personal data. Consent of the
data principal is not required to be taken where the purpose of processing falls
within such reasonable purposes. Provision of such wide powers to the Authority is
unnecessary, and may lead to unjustified, opaque and potentially illegal processing
of information, which goes against the right to privacy of an individual. This section
and the accompanying powers must be deleted.

vi) The right to correction (Section 25) is currently unclear and not strong enough for
protecting the interests of data principals. The prefatory language of “where
necessary, having regard to the purposes for which the personal data is being
processed” should be omitted. An express and limited ground for rejection of a
request for correction by the data fiduciary should instead be added, for when it
proves impossible or if it involves disproportionate effort.

vii) The exceptions to the applicability of the right to data portability [Section 26(2)] are
too wide. There must not be any blanket exception to the right to
data portability for personal data processed under the “functions of the State”
ground. The burden to demonstrate that portability would reveal a trade secret
or would be technically infeasible must be on the data fiduciary.

viii) The exercise of the rights granted under the Draft Bill may be limited by the data
fiduciary, which may refuse the data principal in cases where the
exercise of the right would harm the right of any other data principal (Section 28).
This criterion for rejection is over-broad and liable to misuse. Limitations to the rights
of users should be narrow and specific, with clear avenues for redress.

ix) Under Section 41, the Authority is provided the power to approve a particular
transfer or set of transfers as permissible due to a “situation of necessity”. The use
of such words brings in ambiguity and leaves such provisions open to misuse, which may
result in the rights of users being violated. There is no guidance provided regarding
such situations of necessity. Such situations must be based on narrow
and specific standards which are explicitly mentioned in the Act.

x) The Draft Bill troublingly seeks to establish a data localisation / mirroring regime
in India. Section 40 of the Draft Bill makes it mandatory for every data fiduciary to
store one serving copy of all personal data on a server or data centre located in
India. This section dilutes India’s connection to the global internet and betrays a
governmental interest in exercising more control over the data of Indian citizens. The
report submitted by the expert committee lists enforcement and access as the
primary motives behind this requirement. However, data localisation is not, and
should not be, a prerequisite for enforcement of data protection rules. What is more,
such a requirement may facilitate third-party abuses of personal data and infringe
on users’ right to privacy, as actors would know where the data is located.

xi) Amendments which seek to dilute the RTI Act must not be made.

18. CONCLUSION

The Draft Bill, in its current state, has many hits and misses. It is important to pay attention to
the deeper details involved in many of these issues, in order to ensure that Parliament considers
and passes a strong, effective privacy and data protection law aimed at protecting Indian
citizens.

In my analysis, I found that the provisions of the Draft Bill defining the scope of application
of the law, along with the data security measures proposed for entities, seem to be strong. While
multiple important rights to which users are entitled have been codified under the Draft Bill, many
gaps persist under the proposed regime. Rights such as the right to access and rectify data have
been diluted and must be strengthened, and certain key rights such as the right to object and the
right to explanation are not provided under the Draft Bill. The steps taken toward data integrity
and data protection impact assessment are encouraging, and so are the provisions aimed at
ensuring proper consent and standards thereof. However, the provisions on obtaining prior
explicit consent have been diluted by the over-broad criterion of “exercise of functions of the
state”.

I found the proposals for data localisation quite concerning, especially given such measures
serve a surveillance and law enforcement purpose, at the cost of privacy and protecting user
data. In the absence of adequate regulation of governmental access to citizen data in India,
these data localisation measures may make user data in India liable to indiscriminate access by
the government.

That there is a severe need for reforming the surveillance regime in India is a fact noted by
the expert committee itself in its report. However, despite this acknowledgement, neither the
Draft Bill nor the report contains legislative language to reform and tighten Indian surveillance
and investigatory powers. This is exacerbated by the several exemptions currently proposed by
the Srikrishna Committee to be provided to government departments and other public agencies
from data protection requirements in the name of “security of state” and “exercise of state
functions”. This approach undermines confidence in the Indian government’s publicly stated
resolve to truly protect the rights of its citizens and signals a surveillance creep in the data
protection regime in India.

19. BIBLIOGRAPHY

Articles Referred-

i) Amba Kak, The Emergence of the Personal Data Protection Bill, 2018, 53 EPW 12, 16 (2018)

ii) Nirvaan Gupta, Data Protection In India (available at http://www.mondaq.com/article.asp?article_id=744160&signup=true)

iii) Anuja Nair, Observations/Recommendations On Personal Data Protection Bill, 2018 (available at http://www.mondaq.com/india/x/734422/data+protection/ObservationsRecommendations+on+Personal+Data+Protection+Bill+2018)

iv) Aniket Aga & Chitrangada Choudhury, Opacity in the name of privacy (available at https://www.thehindu.com/opinion/op-ed/opacity-in-the-name-of-privacy/article25051410.ece)

v) Maansi Verma, Personal Data Protection Bill: Looking At Loopholes In Sections Of The Bill Pertaining To Data Ownership, RTI And More (available at https://www.firstpost.com/tech/news-analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownership-rti-and-more-2-5197791.html)

vi) Amber Sinha, Draft Privacy Bill and its Loopholes (available at https://www.livemint.com/Opinion/zY8NPWoWWZw8AfI5JQhjmL/Draft-privacy-bill-and-its-loopholes.html)

vii) Krishnadas Rajagopal, Drafting a Data Protection Bill (available at https://www.thehindu.com/opinion/op-ed/drafting-a-data-protection-bill/article24584467.ece)

Websites referred-

i) www.scconline.com

ii) www.manupatra.com

iii) www.jstor.com

iv) http://lawmin.nic.in

v) http://meity.gov.in/
