New Obligations for mining the new Oil?
“Data is like garbage. You’d better know what you are going to do with it before you collect it.”
Mark Twain
The attempt of the Government to regulate the processing of personal data, stressing the purpose of such data collection as a major differentiator [upon taking the Personal Data Protection Bill, 2019 off the table], and to strike a healthy balance between the individual’s fundamental right to privacy and the juristic person’s fundamental need to compete, prosper and preserve its business, while the state instrumentalities retain untrammelled powers to exercise unilateral control over personal data obtained with or without consent, in the name of national security, integrity and international diplomacy in the digital age that we now inhabit, is laudable at best and palliative at worst, in a trying-too-hard-to-fit-in kind of way.
The Bill may come into force if it passes the muster of the Legislature, subsequent to the completion of the consultative process on December 17, up until when anyone may send in their comments and/or suggestions here.
Before adverting to the granular distillation, analysis and decoding of the Bill and unboxing the incidental Pandora’s box of legal compliance, in the interest of the unmoored, it may be worth your while to note that every person that exists [or is deemed to exist by virtue of the Internet of Things] on this planet today is inevitably affected by the double-edged sword of the technology that unites and isolates us, that enables and disables us, that blurs the boundaries of our nation and our person, lifting the veil of protection and privacy, more often than not, without our knowing, which is precisely why the digital scape needs regulating, so we could intensify the highs and temper the lows that our necessary evil brings with it.
A. Who and What are governed by the Bill?
The Bill is surprisingly concise, comprising 30 paragraphs, 6 chapters and 1 schedule, easy on the eyes in its avoidance of legalese, and in keeping with recent trends in its overzealous deployment of ‘she/her’ and its attempt to downplay the English language by emphasizing the option for users to access information in any of the Eighth Schedule languages, albeit painfully prosaic as it mechanistically travels the extremes, in essaying to be a bland simulacrum of Singapore’s Personal Data Protection Act, 2012, as opposed to its previous voluminous and dense attempts to draw heavily from the European Union’s General Data Protection Regulation.
It proposes to be applicable to:
- All entities, Indian or foreign (foreign entities for the purposes of profiling and/or providing any services or products to individuals in India), digitally and in an automated way, processing personal data of individuals, Indian or foreign, within the territory of India
It proposes not to be applicable to:
- Non-automated & offline personal data
- Individuals processing personal data for domestic or personal purpose
- Personal Data in records for 100 years
- Data Fiduciaries and Data Processors have been defined in the Bill as persons determining the means and the purpose of processing the data, implying them to be corporates, entities, organizations, HUFs and state instruments, coloured as persons in the eyes of law, while Data Principals have been defined as individuals to whom the personal data relates, thus clarifying that only the data of an individual, and not of artificial persons, is sought to be protected (personal data is also defined as such). This subtle distinction is underscored in the paragraph that stipulates the applicability and scope of the Bill. Even so, it shall be applicable to foreign entities only if the personal data is processed for the purposes of profiling or providing services or goods in India; thus, by omission, it excludes the personal data collected and processed by such foreign entities for extraneous purposes, viz. strategic planning or business decision making et al, effectively rendering individuals subjected to any resulting data breaches remediless. It further goes on to exempt individuals who process data for ‘domestic or personal purposes’ without defining such purposes.
- The umbrella definition of Personal Data, i.e. data about an individual who is identifiable by, or in relation to, such data, is a significant departure from the distinct category of sensitive personal data that was introduced in the previous drafts, which included biometrics, health and biological data etc. and enabled greater protection by providing for graded consent mechanisms and consequent penalties. Sans the distinction, stricter and heavier compliance may have to be undertaken to protect data that may not be as important, while the compliance may not be strict enough to deter entities from misusing and breaching the sensitive data.
- Similarly, clear exclusions for the processing of anonymized information, and potentially ‘bright line’ standards for such anonymization, are no longer part of the Bill. Re-introducing these exclusions may enable ease of doing business by helping entities, especially in the healthcare industry, develop novel technologies.
- Grounds for Data Processing include any lawful purpose, which has been defined as any purpose not expressly forbidden by law. This inadvertently gives rise to the potential for unwarranted leeway, loopholes and wiggle room to entities that may be engaged in certain unlawful cyber activities that are yet to be forbidden by law. For instance, doxing is yet to be specified and declared as an offence in India.
B. OBLIGATIONS OF DATA FIDUCIARIES
Data Fiduciaries are allowed to process data for lawful purposes subject to the following:
- Itemized Notice must be issued to obtain consent. If consent has already been given prior to commencement of the Act, the itemized notice must specify the data so processed and the purpose. Onus to prove that such a notice was issued and consent was given is on the Data Fiduciary.
- Must allow the user/Data Principal to withdraw consent at any stage with the help of the Consent Manager.
- Must appoint a Data Protection Officer and Consent Manager [to be registered with the Data Protection Board].
- Reasonable efforts and security safeguards must be taken to ensure accuracy and completeness, along with technical and organizational measures to ensure compliance [in case of a breach, notify the Board and the Data Principal].
- Cease to retain the data when no longer required for the purpose as mentioned in the notice.
- Publish business details of the Data Protection Officer, and formulate grievance redressal mechanism.
- A valid contract must be executed to appoint a Data Processor to process data on its behalf.
- Children’s data to be processed only after verifiable parental consent is obtained, an obligation that may be exempted by the Rules.
- No data processing if likely to cause harm to a child.
- No tracking or behavioral monitoring of children or targeted advertisements directed at children, an obligation that may be exempted by the Rules.
- Significant Data Fiduciaries dealing with sensitive or voluminous personal data may be notified by the Central Government and shall be obligated to:
  - Appoint a Data Protection Officer based in India, directly responsible to the Board of Directors and acting as the Point of Contact in the grievance redressal mechanism
  - Appoint an Independent Data Auditor
  - Undertake periodic Data Protection Impact Assessments
- Consent is defined to be freely given, specific, informed, and through a clear affirmative action, for processing of data for the purpose specified in the notice. Deemed Consent, by contrast, is when the Data Principal voluntarily provides her personal data for availing any services or benefits, for the issuance of licenses/permits by the state, for compliance with a court’s order, for treatment in medical emergencies, for safety in the event of epidemics and natural disasters, for employment purposes, in the public interest, or for any other reason as prescribed. The loose and expansive language attributed to the definition of Deemed Consent takes away from the ‘freeness’ with which consent must be given and for which the notices are mandated under the Bill. Such notices do tend to open the floodgates of frivolous emails that land in the spam box of the general public, and do little to deter entities from processing unauthorized data, inasmuch as they keep relying on consents once given for the continued processing of data in perpetuity, so long as the ‘purpose’ is not deviated from.
- Unlike the Previous Drafts, the Bill does not prescribe any mechanism for enactment of regulations or rules for processing on the basis of deemed consent, which may result in the abuse of this provision, especially in light of the ability of Data Fiduciaries to obtain broad-based consent.
- Under the Previous Drafts, employment was a basis for processing only non-sensitive data, and only where consent of the Data Principal was not appropriate or would involve disproportionate effort. The Bill instead proposes far broader language which, while having the benefit of being convenient for employers, may provide little protection to Data Principals.
- Several “reasonable purpose” exceptions have been included as deemed consents, and yet subjected to an additional qualifier of public interest, thereby creating a dual filter that is not only unnecessary, but also fundamentally incompatible with some of the listed items, such as credit scoring.
- An important exception for search engines has been narrowed from the Previous Drafts to limit it only to processing publicly available personal data, and ‘publicly available personal data’ has not been defined.
- An exception provided under the previous drafts for journalistic purposes has not found its way into the deemed consent provisions.
- Data Processing prohibitions carved out in case of children may be exempted at any point by the Rules as prescribed by the state which may cause uncertainty and laxity in dealing with significant data breaches affecting children.
- Practically, much of the internet is aimed at teens, and several products and services are marketed and sold to people below the age of eighteen. A more nuanced approach may stand a better chance here than a blanket ban. The Bill creates a restriction on processing that can ‘harm’ a child without defining it. Limiting restrictions to this and providing for a reasonable standard for age verification may prove to be a more practical approach.
C. RIGHTS & DUTIES OF DATA PRINCIPALS
Data Principals have also been kept under scrutiny to further highlight the pro-business approach that is sought to be taken by the Bill. Their rights are juxtaposed and complemented by their duties.
- Right to Information in respect of the means and purposes for processing their personal data.
- Right to Correction & Erasure that requires the Data Fiduciaries to rectify/modify/update or erase the personal data if instructed by the Data Principal [equivalent to Right to be forgotten in the previous drafts].
- Right to Grievance Redressal, first by the Data Fiduciary and, if not satisfied, then by the Data Protection Board.
- Right to Nominate another individual to manage the personal data, give or withdraw consent, seek information etc. in case of death or incapacity of the Data Principal.
- Duty to comply with the provisions of the Bill.
- Duty to not lodge false complaints/grievances.
- Duty to not provide false information or cause material suppression or impersonation.
- Duty to provide verifiably authentic information for correction or erasure.
D. CROSS BORDER DATA TRANSFERS AND DATA PROTECTION BOARD
- The Central Government may notify the countries to which data may be transferred.
- Exemption from the Data Fiduciary’s duty to protect data, the rights and duties of Data Principals, and the restrictions on transfer of data outside India, in cases of enforcement of legal rights, processing of data by a court or tribunal, processing by the state or its machinery, and prevention, detection, investigation or prosecution of any offence.
- Any other exemption in the interest of national security, for research may be notified.
- A Digital Data Protection Board is to be set up by the Central Government. Members of the Board shall be deemed to be public servants as defined under Section 21 of the IPC.
- The Board may issue directions & impose penalties and its decisions shall be deemed to be a decree under the Civil Procedure Code.
- A complaint may be filed by any affected person, by reference from the government, in compliance with a court’s directions, or for non-compliance with the duties of Data Principals.
- Sufficient grounds must be shown to proceed with an inquiry. The Board shall have powers to summon and enforce attendance, but may not restrict access in a manner that affects the day-to-day functioning of any person; it may require police assistance and may issue interim orders. If the non-compliance is deemed to be insignificant, the inquiry is closed; if not, the Board proceeds to a financial penalty.
- May impose penalty or warn the complainant in case of meritless complaint.
- May review [modify, suspend, withdraw or cancel, with or without conditions] its decisions on representation or suo motu; no time limit is specified.
- Appeal shall lie before the High Court within 60 days.
- Civil jurisdiction is barred; no injunction/stay may be granted against the implementation of any action under this Act.
- Alternate Dispute Resolution mechanism may be suggested by the Board.
- Voluntary undertaking may be given by the opposite party at any stage which would result in bar on proceeding.
- If the complaint is proved and it is declared to be a significant non-compliance, the Board may impose a financial penalty of up to INR 500 crores as specified in the Schedule.
- The Bill requires Data Fiduciaries to cease retention of personal data or de-identify it as soon as it is reasonably clear that the purpose for its collection is no longer served by retention, and where retention is not required for any legal or business purpose. The Bill varies from the previous drafts on two counts: (i) it permits retention of personal data after the conclusion of the purpose for its collection not only when required under a legal obligation but also for business purposes, and (ii) it keeps the term ‘business purposes’ broad and undefined and does not provide a standard for ‘de-identification’.
- The Bill dilutes the requirement for ensuring accuracy of personal data by Data Fiduciaries, and makes this mandatory on a reasonable efforts basis only where data is likely to be used to make a decision affecting the concerned individual, or is likely to be disclosed to another Data Fiduciary.
- Unlike the previous drafts, the Bill does not allow Data Fiduciaries to refuse Data Principal’s request for grievance redressal on grounds that they may harm the rights of any other Data Principal.
- Though the Bill requires implementation of reasonable security safeguards and appropriate technical and organisational measures, these requirements are not as extensive as those provided in the Previous Drafts with respect to security safeguards, privacy by design, and transparency requirements.
- In respect of the Board, much about it including its composition and the qualifications of members who will need to discharge functions of a quasi-judicial nature, is unclear.
- While appeals against the Board’s orders are to lie to the High Court, this provision will need to be clarified to determine whether the Board will have branches in each state (and whether orders issued by it will be appealable to the respective High Courts), or whether appeal will lie to a different court.
- Additionally, the Board has the power to prescribe alternative dispute resolution, and accept voluntary undertakings in relation to compliance. While these types of provisions have also been proposed in relation to the Indian Telecommunications Bill, 2022, they may be relatively less beneficial for a legislation which is to govern a far more diverse set of users and service providers. Even otherwise, it will be important to ensure that the mechanism of undertakings is transparent, to prevent any discrimination between similarly situated parties and/or potential for corrupt practices.
- Unlike the previous drafts, the Bill is to have overriding effect in case of a conflict with any other law. The Bill also omits the concept of MoUs which were to be employed to enable regulatory co-ordination. This will make it imperative for standards under the Bill to be aligned with sector regulation to avoid overruling them.
- In addition to changes to the Information Technology Act, 2000, the Bill also proposes amendments to the Right to Information Act, 2005 to delete certain exceptions. It proposes to omit Section 43A of the IT Act, which stipulates: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected”. It further omits Clause (j) of sub-section (1) of Section 8 of the Right to Information Act, which stipulates: “Exemption from disclosure of information.—(1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,— (j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”
- Thus, the Bill dilutes the strictness of the compliance required of entities in the interest of the privacy and security of personal data, especially sensitive personal data.
- There are no fixed timelines to be adhered to and no provision of regulatory sandbox or small entity exemption.
The Counterfactual Theory of Value suggests that the value of something should be measured by the negative impact of its absence. In this regard, while this Bill has value inasmuch as it provides some degree of protection to personal data and a regulatory framework for business entities in the private sector, both of which have gone for a toss with the closing in of the anarchic whirlwind of utter chaos in its absence, it would be more valuable if the processes were streamlined and certain practical provisions were incorporated.
If our Constitution could undergo 2000 rounds of amendments before it was enacted and adopted, a few more revisions to this Bill would surely do no harm.
After all, Data is the new Oil, right?
Yet another Lawyer who happens to indulge in the gratification of learning and expressing the Language of Law. Yet another Lawyer who is trying to be better than yesterday.