
Need more clarity on data bill

MNCs may find the proposed data protection law tough to comply with, making it harder to do business in India


Privacy laws or data protection laws have been gaining in importance worldwide. The European Union General Data Protection Regulation (GDPR) has changed the way privacy laws are perceived across the globe. 

India is not far behind. Under the chairmanship of Justice B N Srikrishna, the Personal Data Protection Bill, 2018 was drafted after extensive research and consultation. Law minister Ravi Shankar Prasad has indicated that the bill will be tabled in Parliament soon.

The bill is broadly founded on the Supreme Court's landmark judgment in Justice KS Puttaswamy versus Union of India, in which the court upheld the right to privacy as a fundamental right under the Indian Constitution.

The bill classifies data into three categories: personal, sensitive personal and critical personal.

Personal data means information relating to a person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of that person's identity, or any combination of such features.

Sensitive personal data has been defined to include personal information revealing or relating to password, financial or health data, sex life, sexual orientation, biometric and genetic data, transgender status, intersex status, caste or tribe.

Critical personal data is not defined under the bill. It states that the authority may notify certain categories of data to be critical personal data from time to time.

As expected, the bill is primarily modelled on GDPR. The now familiar 'Data Subject' and 'Data Controller' have been renamed 'Data Principal' and 'Data Fiduciary' to emphasise the relationship of trust between the two.

Its definition of sensitive personal data is broader than GDPR's and out of line with other international data protection laws.

In the bill, for instance, even passwords and financial data fall within the ambit of sensitive personal data. This will directly affect MNCs and foreign companies through tougher compliance requirements and a higher cost of doing business in India.

The bill also requires the data fiduciary to store at least one serving copy of the personal data on a server or data centre located in India. This may increase operational costs for many companies. The restriction also operates as a trade barrier and hinders the ability of MNCs to transfer and process personal data across jurisdictions.

Hopefully the fine print will be modified by the time the bill becomes law; that would ease the localisation burden on companies.

Alternatively, the Data Protection Officer (DPO) could be made the single point of contact, responsible for making the data available to the Data Protection Authority when required.

Data localisation is a critical topic and will be debated for some time. Section 40(2) empowers the central government to classify any sensitive personal data as critical personal data and to mandate that it be stored and processed exclusively within India.

Personal data may be transferred outside India subject to standard contractual clauses or intra-group schemes approved by the authority, or where the transfer is necessary, and with the data principal's consent (explicit consent in the case of sensitive personal data). These provisions, however, do not extend to critical personal data.

A welcome feature of the bill is that it applies to both government and private entities. It also has extra-territorial application: the law extends to data fiduciaries or data processors not present in India, provided they process personal data in connection with a) any business carried on in India, b) systematic offering of goods and services to data principals in India or c) any activity involving profiling of data principals within the territory of India.

The bill states that the legal grounds of processing personal data could include a) consent b) functions of state c) compliance with law or order of court/tribunal d) for prompt action in case of emergencies e) purposes related to employment and f) reasonable purposes of the data fiduciary.

The bill imposes liability on the directors of the company, or the officers in charge of the conduct of the company's business, at the time the offence occurred.

Under GDPR, by contrast, liability rests on the company and not on its directors or officers in charge. This is a draconian measure. The bill is also unclear on whether similar fines and penalties may be imposed on both the directors/officers in charge and the company, and on where primary liability lies between the data fiduciary and its data processor(s) in the event of a data breach.

The bill gives the data principal the right to a) confirmation and access, b) correction, c) data portability and d) be forgotten.

It also makes it mandatory for companies to implement privacy by design, carry out data protection impact assessments, maintain records, appoint a data protection officer and undergo data audits.

Except for privacy by design, these obligations apply only to data fiduciaries classified as 'significant data fiduciaries' by the Data Protection Authority.

The bill establishes an independent authority to oversee and enforce it. It lays down penalties ranging from Rs 5 crore or 2% of total worldwide turnover, whichever is higher, up to Rs 15 crore or 4% of total worldwide turnover, whichever is higher.

The data principal can claim damages from the data fiduciary or the data processor for the harm or loss caused to them.

The author is global head and legal chief data protection officer, Ramco Systems
