Executive Summary

There has long been a need for specific data protection legislation in India. Until now, the data protection framework in India has been rudimentary, with only a basic level of protection guaranteed to data principals and only minimal, if any, obligations placed on the entities collecting and/or processing such data. The need to remedy this was underscored by a 2017 Supreme Court judgement recognising the right to privacy as a fundamental right, as well as a more recent Supreme Court judgement regarding “Aadhaar” (a government identity scheme), which noted the urgency for India to adopt and enforce a data protection law.

Accordingly, a draft personal data protection bill was released for the industry’s review in July 2018 (the Draft) together with a report of India’s Committee of Experts (the Srikrishna Report). Once the industry had had the chance to review the Draft, the government, after having reviewed the suggestions that had been made, introduced the Personal Data Protection Bill, 2019 (the Bill) in the lower house of the Indian parliament. As is usual with bills of such technical nature, the Bill was referred to a joint select committee of both the houses of the parliament. We understand from news reports that the report of such joint select committee is expected in the first half of 2020.

Key Features

A brief overview of the key features of the Bill is set forth below:

GDPR

The Srikrishna Report states that whilst preparing the Draft, the data protection regimes in a number of other jurisdictions were considered. However, the Draft, and consequently the Bill, most closely resembles (but is by no means identical to) the GDPR.

Applicability

The new law will apply to:

  • the processing of data by the Indian government, or other Indian persons or entities; and
  • the processing of personal data collected, disclosed, shared or otherwise processed within India. Where the processing is done by a foreign entity, then the law will only apply if such processing is in connection with any business carried on in India or any systematic activity of offering goods and services to data principals in India; or is in connection with any activity that involves profiling of data principals in India.

Under the Bill, the government will have the power to exempt the application of the law to personal data collected outside India that is processed in India pursuant to a contract with a foreign party. Given the sheer size of India’s business process outsourcing industry, it is not clear why an automatic exception is not being made in the first instance for the processing of personal information collected overseas. Additionally, the government has the power to exempt the application of the law to personal data collected by agencies of the government in the interest of the integrity and security of India or public order, such as the Airports Authority of India and Coal India Limited. Such an exemption has the potential of creating a situation where government agencies have a competitive advantage over private entities due to lower costs of compliance.

Repeals

The Bill is envisaged as a comprehensive data protection framework for India and as such, proposes to repeal the provisions of Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, both of which currently regulate India’s data protection landscape.

Consent

Under the Bill, data has been categorised into personal data, sensitive personal data (personal data relating to, among others, financial data, health data, biometric data and sexual orientation) and critical personal data (categories of personal data notified by the government to be critical). The Bill, however, categorically exempts anonymised data (personal data that has been irreversibly transformed to a form in which a data principal cannot be identified) from its applicability. 

Informed individual consent will be critical to processing all the personal data of data subjects (called “data principals” in the Bill), and the burden of proving consent will be on “data fiduciaries” (the Bill’s equivalent of data controllers, who will determine the purpose and means of processing of personal data). Consent will need to be free, informed, specific, clear and capable of being withdrawn, and consent obtained through pre-checked boxes will no longer be acceptable. Such consent will also need to be explicit in case it is in relation to the processing of sensitive personal data. The provision of goods and services cannot be made conditional on consent being provided to collect or process personal data that is not necessary for such purpose.

For the first time, the Bill also introduces the concept of a “consent manager”. A consent manager is envisaged as an entity which acts as an intermediary between the data subject and the data fiduciary and helps the data subject in providing and withdrawing its consent to/from the data fiduciary.

Financial Data

Unlike most other jurisdictions, financial data has been included in the category of sensitive personal data, the use of which requires a high standard of explicit consent. This will be of particular interest to entities engaged in facilitating financial transactions (including through mobile telephones and other online payment gateways).

Data Principal Rights

Under the Bill, data principals will have certain rights, including the right to be forgotten and the right to data portability. However, for a variety of reasons, the Srikrishna Committee did not feel that data principals should have the right to object to profiling or automated decision making.

Processing without consent

The Bill contains limited grounds for processing personal data without consent (such as in emergencies or to comply with law). In particular, the Bill permits the processing of personal data (but not sensitive personal data) if it is for “reasonable purposes”. The data protection authority to be constituted will have the power to “whitelist” the activities where this ground can be invoked, and the Bill provides examples of such activities which include the detection of fraud, whistleblowing, mergers and acquisitions and credit scoring.

Obligations of Data Fiduciaries

The Bill imposes a number of obligations on data fiduciaries to ensure the protection of personal data and includes purpose and collection limitations.

The data protection authority will have the power to designate certain data fiduciaries or classes of data fiduciaries as “significant data fiduciaries”, based on factors such as the sensitivity of the data that they process and their use of new technologies. Significant data fiduciaries will be subject to further obligations which include the requirements to: 

  • appoint a data processing officer;
  • submit to audits by independent auditors; and 
  • undertake privacy impact assessments before conducting processing activities where there could be significant harm to data principals (and share the findings of such assessments with the authority).

The Bill also provides the government and the data protection authority with the power to designate social media intermediaries (entities that primarily or solely enable online interaction between two or more users) such as Facebook or Skype as significant data fiduciaries. If a particular social media intermediary is designated as a significant data fiduciary, it will be subject to more onerous compliance requirements than other bodies corporate.

Separately, news reports suggest that the government is in the process of formulating specific new rules to regulate such intermediaries to replace the existing Information Technology Intermediary Guidelines, 2011. The new draft rules are likely to include increased compliance levels, where the intermediaries will be required to maintain a log of their users and potentially provide content hosted on their platforms to the government.

Penalties 

Under the Bill, penalties for violations include both monetary and criminal penalties.

The monetary penalties range from 2% to 4% of the data fiduciary’s total worldwide turnover for the previous financial year or ₹50 million to ₹150 million, whichever is higher. Total worldwide turnover includes the worldwide turnover of the data fiduciary’s group entities, if the group entities’ turnover arises as a result of the processing activities of the data fiduciary. 

Data principals are also allowed to seek compensation under the Bill.

In addition, the Bill also provides for criminal penalties in case any person re-identifies and processes personal data without following the necessary compliance required under the Bill.

Data Protection Authority

The Bill contemplates the establishment of an independent data protection authority which will have an extensive range of powers (which will include specifying new categories of sensitive personal data, issuing codes of practice, and taking action in relation to personal data breaches). The authority will also have an adjudication wing that will conduct inquiries and deal with offences and breaches.

The Bill gives the government considerable discretion to issue directions to the authority on matters of policy. Whilst such a provision is routinely found in statutes that establish regulators in India, it is uncertain how other jurisdictions will view this possible lack of independence, especially from an adequacy perspective.

There are recent news reports that suggest that the existing Indian telecommunications regulatory authority may itself be designated as the data protection authority but this has not been confirmed at present.

Cross Border Transfers

Whilst the Bill does not propose any regulatory requirement in respect of cross-border transfer of personal data, it proposes the introduction of requirements relating to cross-border transfer of sensitive personal data.

Sensitive personal data, other than certain categories to be notified by the government, may be transferred outside India if (i) the transfer is subject to standard contractual clauses or intra-group schemes that have been approved by the data protection authority, (ii) the transfer is to countries, sectors within countries or international organizations as notified by the Government of India, in consultation with the data protection authority, or (iii) the data protection authority approves a specific transfer or a set of transfers based on necessity. In each circumstance, the explicit consent of the data principal is required for the transfer of sensitive personal data.

Data Localisation Requirements

Data localisation has been the most widely discussed aspect of the proposed new legislation. The Bill allows for the export of personal data subject to certain conditions but requires that one copy of all sensitive personal data must be held on a server located in India. The Bill further empowers the government to notify categories of “critical personal data” which will be prevented from cross-border transfers altogether and can only be processed in India. At present, there is no guidance on how “critical personal data” will be defined.

The Srikrishna Committee was of the view that this requirement will assist with better enforcement and will promote the growth of the digital ecosystem in India and said that the costs in this regard did not outweigh the benefits. However, many multinational companies have expressed concerns about such requirements (they warn of a “splinternet”), and the European Union has termed the data localisation requirements as “unnecessary, harmful and likely to have negative effects on trade and investments”.

The Bill is, however, consistent with the stance taken by some Indian regulators such as the Reserve Bank of India and the Unique Identification Authority of India which mandate that all payment related data/information and Aadhaar information respectively, must necessarily be stored in India.

Timing

Latest news reports suggest that the joint select committee which is currently reviewing the present draft of the Bill is likely to submit its report to the parliament in the first half of 2020. Once such report has been submitted, it is likely that the Bill will be enacted as law later this year. However, what is surprising is that the Bill does not provide for a transition period to allow bodies corporate time to comply with the new requirements. 

Analysis

There will be much to do for companies (both within and outside India) to whom the legislation will apply, in terms of ensuring compliance with the new requirements. The proposed Bill is not identical to any existing legislation (such as the GDPR), so even companies that are currently compliant with those legislations will need to amend their data related systems to comply with the new requirements in India.

Whilst the data localisation requirements in the Bill have been controversial, it is uncertain if these will be relaxed in the current environment. Concern has also been expressed in certain quarters about the security of data localised in India when coupled with the government’s ability to define “critical personal data”, and the resultant risk of increased State surveillance.

Additionally, the power granted to the government to exempt any government agency from the applicability of the Bill has also drawn criticism and may well be deleted or changed once the joint select committee releases its report.

Accordingly, the new legislation will need to ensure that appropriately high levels of privacy and data protection are provided even with regard to the various arms of the government! The new legislation should also ideally provide a transition period to allow bodies corporate to comply with the now more stringent requirements under Indian law.

We are continuing to closely monitor all further developments regarding the Bill.


This material is for general information only and is not intended to provide legal advice. For further information, please contact:

Karam Daulet-Singh
Partner

Anuj Bhatia
Partner

Punya Varma