The Personal Data Protection Bill 2019 (PDP Bill 2019) was introduced to the Lok Sabha by Ravi Shankar Prasad, the Minister of Electronics and Information Technology, on December 11, 2019. This comes after more than two years of debate about the bill's provisions.
As of March 2020, the bill is being analyzed by a Joint Parliamentary Committee (JPC) in consultation with industry experts and stakeholders. The JPC which was established in December 2019 is headed by BJP Member of Parliament (MP) Meenakshi Lekhi.
While the JPC was tasked with a short deadline to finalize their report before the Budget Session of 2020, it has sought more time. The JPC report is expected to be submitted by the second week of the upcoming Monsoon Session of the Indian Parliament and to be passed in 2020.
The bill outlines mechanisms for the protection of sensitive personal data and proposes the establishment of a new independent regulatory authority called the Data Protection Authority (DPA). In addition, the 2019 bill has key provisions that were not in the 2018 draft bill, such as that the central government can exempt any government agency from the bill and an individual's right to erasure also known as the Right to Be Forgotten.
Like many data protection acts, the bill's implications reach beyond India and could impact any organization that does business in India. India, thanks to its population size, gross domestic product, and growing number of Internet users has a unique opportunity to shape global privacy law, much like the European Union has done with GDPR.
With that said, the bill has drawn criticism inside and outside of India for Orwellian, protectionist, and authoritarian-leaning provisions. Others have said the bill does not do enough to protect an individual's privacy.
Why Was the Personal Data Protection Bill 2019 introduced?
In August 2017, the nine-judge bench of the Supreme Court of India affirmed the right to privacy in the K.S. Puttaswamy vs. Union of India (2017) "right to privacy case". The Court cited the right to life and personal liberty under Article 21 of India's Constitution.
During the case, the Indian government set up a Committee of Experts, chaired by Justice B.N. Srikrishna, to examine various issues related to data protection in India. After public consultation of the white paper, the Committee submitted a draft Personal Data Protection Bill and an accompanying report titled A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians to the Ministry of Electronics and Information Technology in July 2018.
The Personal Data Protection Bill 2019 is based on recommendations from the Expert Committee and suggestions received from stakeholders inside and outside of the central government.
What is the Purpose of the Personal Data Protection Bill 2019?
The bill opens with its aim:
to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected there with or incidental thereto.
It goes on to outline three key points:
- The right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy
- The growth of the digital economy has expanded the use of data as a critical means of communications between persons
- It is necessary to create a collective culture that fosters a free and fair digital economy, respecting the information privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto.
As outlined above, the bill was developed through continued engagement and consultation with a host of stakeholders, including India's law enforcement who want access to U.S.-stored data during investigations concerning national security, as well as its aversion to "data colonialism" of large Western technology firms like Google and Facebook.
The Bill proposes to supersede the Information Technology Act, 2000 (Section 43-A) by deleting the provisions related to compensation payable by companies for data breaches and data privacy failures.
What is in the Personal Data Protection Bill 2019?
Many of the consent-related provisions in the Personal Data Protection Bill are akin to those found in the European Union's General Data Protection Regulation (GDPR).
According to the bill, data fiduciaries and data processors must obtain consent from data principals prior to processing their data. Data fiduciaries are any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. Similarly, data processors are any person, including the State, a company, any juristic entity or individual, who processors personal data on behalf of a data fiduciary.
Data collectors are also subject to new reporting requirements, such as requiring parental or guardian consent for the collection of data belonging to children.
The bill also provides right to data principals, those the data subjects whose data is being collected.
Should the bill come into effect, data fiduciaries and data processors will have to:
- Notify data principals about their data collection
- Seek consent prior to processing data about the data subject
- Collect and store evidence that a notice was given and consent was received
- Allow consumers to withdraw consent, as well as access, correct, and erase their data
- Allow consumers to transfer their data, including any inferences made by businesses on such data to other businesses
- make organizational changes to protect data, such as by following privacy-by-design principles and creating security safeguards
The bill also requires that all "sensitive personal data" be stored in India and that "critical personal data" not be transferred out of India. This has been criticized as protectionist as it will distort market-driven decisions and force companies' to use local data storage service providers.
The DPA can deem a data fiduciary or class of data fiduciaries as significant data fiduciaries based on:
- The volume of personal data processed
- The sensitivity of personal data processed
- Turnover of the data fiduciary
- Risk of harm by processing by the data fiduciary
- Use of new technologies for processing; and
- Any other factor causing harm from such processing.
Significant data fiduciaries must carry out additional duties such as data audits and the appointment of data protection officers.
The bill also has breach notification requirements. Data fiduciaries must notify the DPA of a data breach "as soon as possible" if it is "likely to cause harm to any data principal". The DPA can also direct the data fiduciary to post about the breach on its website (or may post on its own website).
That said, the bill does have a number of exceptions for when data fiduciaries do not have to obtain consent to collect personal information about Indian citizens. For instance, there are consent exemptions for the State or other entities complying with court orders, enforcing the law, providing public benefits or services, and treating medical emergencies.
There are other "reasonable purpose" exemptions for situations like whistleblowing, mergers and acquisitions, credit scoring, and the operation of search engines.
Finally, the bill includes rules about nonpersonal data. Under the bill, the government can require any business to share valuable nonpersonal data (such as aggregated mobility data collected by Google Maps or Uber) with the government.
What is Considered Personal Data in the Personal Data Protection Bill 2019?
Data can be broadly classified into two types: sensitive and non-sensitive data. Due to the introduction of general data protection laws globally, more and more personal data is now considered sensitive.
Personal data in the Personal Data Protection Bill 2019 is any such data that relates to characteristics, traits, or attributes that could be used to identify an individual.
In contrast, non-personal data is includes aggregated data that cannot identify an individual. For example, an individual's location would constitute personal data, while information derived from thousands of individual locations such as data to analyze traffic flows, is not considered personal data.
In addition to the above definition, the Bill makes further distinct for sensitive personal data which is financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political beliefs.
How is Personal Data Currently Regulated in India?
The usage and transfer of personal data are currently regulated by the Information Technology Rules, 2011, under the Information Technology Act, 2000.
Under the current rules, the processing of personal data means companies can be held liable and must compensate impacted individuals if poor data security leads to the exposure of sensitive data.
The reason the Bill has been introduced is because the government believes the pace of development of the digital economy has caused existing regulation to become incomplete.
For example, the current definition of sensitive personal data is narrow and some of its provisions can be overridden by a contact. In addition, the Information Technology Act only applies to companies and not the Indian government itself.
When Does the Personal Data Protection Bill 2019 Come into Effect?
As of March 2020, the Bill is still being analyzed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders.
The JPC was established in December 2019 and was staked with a short deadline to finalize the draft law before the Budget Session of 2020, but has since asked for more time to study the Bill and consult stakeholders.
It is expected that the JPC will submit their report by the second week of the Monsoon Session of the Indian Parliament.
Who Will Have to Comply With the Personal Data Protection Bill 2019?
The Bill imposes data protection requirements on most businesses operating in India. The bill targets not only technology, e-commerce, and social media companies, but also brick-and-mortar, real estate, hospital, and pharmaceutical companies.
In addition, it also governs foreign companies if they deal with the personal data of individuals in India. This is akin to other general data protection regulations like GDPR, PIPEDA, CCPA, The SHIELD Act, and FIPA.
The only exempt are small entities like retailers who collect information manually and meet other conditions to be specified by the DPA.
What are the Penalties for Non-Compliance With the Personal Data Protection Bill?
The bill gives the DPA the power to fine any business that does not comply with the bill or regulations made by the DPA or Indian government.
The maximum penalty that can be imposed is 150 million Indian rupees (~$2.1 million) or 4 per cent of the global turnover of the firm for the previous financial year.
What are the Criticisms of the Personal Data Protection Bill 2019?
The biggest concern about the bill among academics and activists is the exemptions granted to the government. Section 35 states that exceptions can be made to collection rules, reporting requirements, and other requirements whenever the government feels it "necessary or expedient" in the "interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and public order."
Justice B.N. Srikrishna, a former judge of the Supreme Court of India, has said that the bill could turn India into an "Orwellian State". In an interview with the Economic Times, Srikrishna said, “They have removed the safeguards. That is most dangerous. The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications”.
Dvara Research, a financial systems policy research institution in India, echo Srikrishna's criticism identifying seven consumer protection concerns that could weaken the citizens' right to privacy.
In The Hindu, Apar Gutpa, Executive Director of the Internet Freedom Foundation, "Privacy is mentioned just once in this voluminous document — 49 mentions of ‘security’ and 56 mentions of ‘technology’".
And Foreign Affairs warns of India's growing surveillance state with "new technologies that threaten freedoms in the world's largest democracy".