By Neeraj Dubey and Mallika Shekhar
In August of 2017, the apex court of the country affirmed the Right to Privacy as a Fundamental Right in the landmark judgment of Justice K.S. Puttaswamy v. Union of India. Since then, the judiciary has passed the baton to the government in the race to save privacy.
Recognising the need for legislation dedicated to privacy, the government, acting through the Ministry of Electronics and Information Technology, appointed a Committee of Experts headed by former Supreme Court Justice B N Srikrishna to draft a law for the Indian context, namely the Data Protection Bill, 2018 (“Draft Bill”). The Draft Bill has largely borrowed principles from the European Union General Data Protection Regulation (“GDPR”), such as those relating to extra-territoriality and global-turnover-based penalties.
Extra-territoriality
The ubiquity of the internet, the inter-dependency of global economies, the digitalization of the world and the jurisdictional disputes arising therefrom have necessitated the determination of jurisdiction in data protection laws. In this regard, technology agnosticism becomes a key factor, for every law must be dynamic enough to change with the changing times.
Territorial application of a data protection law becomes extremely important in case of breach of contracts and litigations arising therefrom. The applicability of a member state’s law becomes a bone of contention in such situations.
While there is a need for a clear law stating the extent of applicability, it is pertinent to note that a rigid law demarcating the boundaries is not feasible, for it needs to be borne in mind that the internet is boundaryless and its confinement will only hamper the flexibility of the law. Territorial application of any data protection law must be scrutinized from the perspective of its applicability to persons and corporates, addressing both private and public concerns, and of the retrospective applicability of the law.
In today’s world, data is like fuel: huge quantities of data, whether personal or not, relating to humans, research experiments, statistics and finance, are being processed by corporates, whether private or public, and disseminated across the world for ease of business, for the provision of better services to humankind, or for research or educational purposes. However, every coin has two sides, and there is also a downside to such flow of data between the territories where data is originally collected, processed and eventually put to use. Bearing this in mind, the concept of “Data Nationalism” becomes antecedent to the growth of economies of scale, development and innovation.
The Draft Bill applies to the whole of India without carving out an exception for any state in India. Furthermore, the territorial scope of the Bill specifically includes:
- Data processed within the territory of India; and
- Personal Data processed by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.
This provision applies irrespective of whose data is being processed—be it that of an Indian citizen or a non-citizen. A valuable input of the Justice B N Srikrishna Committee Report was that the Central Government be enabled to exempt the processing of personal data of foreign nationals, within India or by an Indian entity, since this would exempt the processing of foreign nationals’ data in the outsourcing industry in India from the provisions of the law. The purpose of suggesting such an exemption was to avoid creating a conflict of laws, as the processing of the data of such foreign nationals would already be the subject of their own law.
Not only does the Draft Bill apply across the territory of India, but it also applies to the processing of personal data by data fiduciaries or data processors beyond its boundaries. However, there is a limitation in so far as such applicability is concerned. The Draft Bill only applies in the following instances:
- in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
- in connection with any activity which involves profiling of data principals within the territory of India.
However, an exemption has been made for processing of anonymised data. It is pertinent to note that non-personal data is excluded from the scope of this law.
The Draft Bill also provides for certain categories of personal data, excluding sensitive personal data, which can be transferred beyond the territory of India. However, such transfer too is restricted by contractual clauses or an intra-group scheme approved by the Data Protection Authority of India. Further, the Draft Bill provides for permissible transfers to a particular country or organization prescribed by the Central Government, or during a state of necessity followed by explicit consent of the data principal.
In respect of transfers to a particular country, to a sector within a country or to an international organization, the factors considered in arriving at a decision are the adequacy of protection, the applicable laws and effective enforcement in the transferee country.
To further widen the scope of cross-border transfer of data, the Central Government may carve out exceptions even for the category of sensitive personal data, where such transfer is for prompt action by a person or entity providing health or emergency services, or where such transfer is deemed necessary for a particular class of data fiduciaries or principals, provided enforcement is not hampered. All such transfers must conform to the compliances to which they are subject under the Draft Bill.
Therefore, the jurisdiction clause proposed under the Draft Bill is all-encompassing, bearing in mind the principle of territorial nexus under the Indian Constitution. Such a comprehensive extra-territorial clause is crucial for ensuring protection of people in today’s digitized world.
Penalties
In India’s journey towards a strong data privacy regime, the Justice B N Srikrishna Committee released a White Paper in December 2017 highlighting its recommendations based on global best practices and outlining seven key principles within which the data protection law must be designed. Of these, the seventh principle, known as ‘Deterrent Penalties’, aims to discourage acts of misuse of personal information.
The imposition of adequate penalties on wrongful processing is instrumental in ensuring deterrence and, consequently, promoting adherence to the law. While past legislation on the subject lacked deterrent penalties, the Draft Bill proposes them through the levy of heavy fines, which will compel Indian enterprises to comply with the law. Accordingly, it sets out strong penalties against data fiduciaries that breach the provisions of the Draft Bill, are non-compliant or have committed data-related offences.
The penalties are imposed depending upon the nature of the violation, and the Draft Bill thereby prescribes different levels of penalties corresponding to the severity of the violation. In cases of failure to adhere to the security safeguards prescribed in Section 31 of the Draft Bill, the data fiduciary shall be liable to the highest level of penalty, which can extend up to 4% of its total worldwide turnover or INR 15 Crores, whichever is higher. The same maximum level of penalty shall also be imposed where data fiduciaries have processed personal data of children in violation of the law or have unlawfully transferred personal data outside India.
The Draft Bill has intentionally proposed the highest financial penalty for violating the foremost ideals embedded in it, such as wrongful processing of sensitive personal data, processing of personal data of children and unauthorised cross-border transfer of data. Likewise, a relatively lower penalty is prescribed for failure to conduct data audits, inaction in response to a data breach and violating provisions related to data protection officers.
For such comparatively smaller contraventions, the data fiduciary is liable to pay a fine that can extend up to 2% of its total worldwide turnover or INR 5 Crores, whichever is higher. The Draft Bill aims to achieve a deterrent effect in the behaviour of data fiduciaries by imposing large fines and strong-arming them to remain compliant. Most body corporates in India that process personal data cannot ignore the compliance requirements, owing to the sheer weight of the burden placed on data fiduciaries by the Draft Bill.
Furthermore, the current privacy framework, i.e. Section 43A of the Information Technology Act, 2000 and the Information Technology (Sensitive Personal Data) Rules, 2011, penalises companies only in the event that a wrongful loss or gain has occurred due to poor security practices. Unlike its predecessor, the Draft Bill proposes to penalise companies for merely failing to maintain reasonable security practices, irrespective of the injury caused. While the penalties proposed are akin to those in the GDPR and are therefore a step in the right direction, the Draft Bill has not attended to the calculation of the penalty component for government and state actors.
Section 69 of the Bill, which deals with penalties and remedies, seems to leave government bodies outside its framework. A quantity such as “total worldwide turnover” has a hollow meaning when speaking of governmental bodies or departments that may violate the data protection law. An alternative method of calculation to penalise government institutions and other data fiduciaries (those that cannot be described in terms of worldwide turnover in a fiscal year) must be brought forth.
Neeraj Dubey is a Partner and Mallika Shekhar is an Associate, Corporate at law firm Lakshmikumaran & Sridharan. Views expressed in this article are the personal views of the authors.