The Personal Data Protection Bill, 2019 ("PDP Bill") was introduced in the lower house of the Parliament on December 11, 2019. The "Committee of Experts on Data Protection" chaired by Justice B.N. Srikrishna submitted its report along with the draft bill ("2018 Bill") on 27th July 2018. The PDP Bill is largely based on the 2018 Bill and seeks to protect the personal data of individuals.
The PDP Bill governs the processing of personal data: (i) where such data has been collected, disclosed, shared or otherwise processed within the territory of India, (ii) by the State, any Indian company, any citizen of India or any association of persons, and (iii) by foreign entities dealing with personal data of individuals in India.
Personal data has been defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline or any combination of such features with any other information.
The PDP Bill further categorises certain personal data as sensitive personal data (‘spd’) which includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
PDP Bill – Consent for processing
Consent is the primary ground for the processing of personal data. Similar to other privacy legislations, certain exemptions allowing processing without consent have been provided under Chapter III (Sections 12 to 15). Consent is not necessary when the processing is for compliance with law or any order of a court; for providing health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or for providing assistance during a disaster or breakdown of public order. In addition, personal data which is not spd may be processed without consent by an employer for purposes such as recruitment, termination or assessment of employees, or the provision of any service to, or benefit sought by, the employee.
PDP Bill – Data Fiduciary Rights
A data fiduciary is defined as an entity or individual who decides the means and purpose of processing personal data. The term data fiduciary is similar to the data controller under the General Data Protection Regulation. Section 4 prohibits the processing of personal data without any specific, clear and lawful purpose. Every data fiduciary is required to give the data principal a notice, at the time of collection of the personal data, comprising inter alia the purposes for which the personal data is to be processed; the nature and categories of personal data being collected; the identity and contact details of the data fiduciary; and the contact details of the data protection officer, if applicable.
The data fiduciaries, further, must undertake certain transparency and accountability measures such as (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and for obtaining parental or guardian consent when processing sensitive personal data of children.
The PDP Bill provides certain rights to the data principal, which include the right to (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary if it is no longer necessary or consent is withdrawn.
Social Media Intermediaries: The PDP Bill defines these as intermediaries that primarily or solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using their service. All such intermediaries which have users above a notified threshold, and whose actions can impact, or are likely to have a significant impact on, electoral democracy, security of the State, public order or the sovereignty and integrity of India, have certain obligations, which include providing a voluntary user verification mechanism for users in India. This provision is expected to impact social media entities like Facebook, Instagram and Twitter.
Data Protection Authority: A Data Protection Authority is to be notified by the Central Government, which may: (i) take steps to protect the interests of individuals, (ii) prevent misuse of personal data, (iii) monitor and enforce application of the provisions of the proposed Act and take prompt and appropriate action in response to a personal data breach in accordance with its provisions, and (iv) maintain a database on its website containing the names of significant data fiduciaries along with a rating in the form of a data trust score indicating compliance with their obligations, so as to ensure compliance with the Bill.
The authority will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Appellate Tribunal will go to the Supreme Court.
Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions, which include that the transfer is made pursuant to a contract or intra-group scheme approved by the Authority (similar to Binding Corporate Rules under GDPR) or is based on an adequacy decision by the Central Government. Certain personal data notified as critical personal data by the government can only be processed in India.
However, critical personal data can be transferred outside India to a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action as per section 12; or to a country, or any entity or class of entity in a country, or to an international organisation, where the Central Government has deemed that such country or organisation offers adequate protection and where such transfer, in the opinion of the Central Government, does not prejudicially affect the security and strategic interests of the State.
Exemptions: The Central Government can exempt any of its agencies from the provisions of the proposed enactment: (i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters.
Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
Offences: Offences under the PDP Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of Rs 5 crore or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or a fine, or both.
Sharing of non-personal data with government: The Central Government may direct any data fiduciary or data processor to provide any anonymised personal data or other non-personal data (i.e. data other than personal data) to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government. This is the most controversial provision and is expected to be challenged before the Courts.
Amendments to other laws: The PDP Bill proposes to amend the Information Technology Act, 2000 by deleting Section 43 of that Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.