By Prashant Phillips
A joint committee of the Parliament has proposed significant amendments to the 2019 draft of the Personal Data Protection Bill. It expanded the ambit of the legislation to include non-personal data, apart from personal data, and suggested renaming the legislation as the Data Protection Bill, 2021 (the Bill).
The Bill provides for a comprehensive framework for protection of personal data and provides for constitution of a seven-member (including the chairperson) Data Protection Authority (DPA).
While a data fiduciary, which exercises decisional control over the processing of a data principal's personal data, includes the state, wide exemptions have been granted to the state:
(a) Exemption to any of its agencies in the interest of sovereignty and integrity, security, public order, incitement to commission of cognizable offences;
(b) Exemption from substantial obligations, where information is processed in the interest of prevention, detection, investigation and prosecution of offences or contraventions or where processed by courts or tribunals in dispensation of judicial functions; and
(c) Exemption from procuring consent where personal data is processed in the course of provision of services or benefits from the State, issuance of certificates, compliance with law, judgment or order or where responding to emergencies, outbreaks or other issues of public safety.
These exemptions may have the effect of creating two worlds of protection and compliance, with very few safeguards provided in cases of processing of data by the state. They may also shield mass surveillance programmes by government agencies, under the umbrella grounds of public order or state security. While access to information on similar grounds is also permissible under existing laws, certain safeguards, such as determination of the validity of directions by another authority, remain absent or unclear.
The Bill categorises certain social media platforms crossing specified user thresholds and which are likely to have demonstrable influence on events such as outcome of electoral activities, or which are engaged in dissemination of information threatening security or public order, as significant data fiduciaries. This makes them subject to more stringent obligations around conducting periodic data audits, data protection impact assessments and maintenance of records, apart from extending to users an option to voluntarily verify their accounts, with a publicly visible verification sign.
The committee, in its report, recommended that platforms which do not act as intermediaries must be treated as publishers and held liable for content on their platform, specifically content posted by ‘unverified’ users. Such measures should have been sought through a separate legislation for social media platforms rather than force-fitting them into a data privacy legislation.
The report does not address whether any additional compliances would apply to social media platforms when processing personal data, such as restrictions on profiling and targeted display of posts, transmission of promotional or sponsored posts, and permissibility of sharing personal data with processors and data aggregators, where such activities would be based on processing of personal data. Furthermore, the report does not highlight the obligations resulting from such activities or the impact that such processing activities may have in categorising platforms as intermediaries or publishers. These aspects may create issues at later stages, particularly in the context of digital platforms providing multiple services.
The Bill introduces de novo obligations for international data transfers, with localisation mandates, for sensitive personal data and a yet undefined category of critical personal data. Transfers of sensitive personal data have been conditioned upon specific grounds such as contracts, intra-group schemes approved by the DPA and adequacy findings, similar to the EU’s General Data Protection Regulation. In addition, the Bill requires storage of a mirror copy of sensitive personal data within India, while critical personal data may be processed within India only, with very limited exceptions.
The Bill introduces reporting obligations for personal data breaches to the DPA in a prescribed format within 72 hours of becoming aware of such a breach. The DPA may direct data fiduciaries to take remedial actions, make appropriate disclosures and even report such a breach directly to the data principals. In contrast to the 2019 draft, the Bill enables the DPA to take necessary steps in case of a breach of non-personal data too. The committee proposed that, in the interest of protecting privacy, especially in situations involving large mixed datasets, the DPA be tasked with handling personal and non-personal data regulation (and breaches), and proposed incorporation of provisions to regulate non-personal data, as and when finalised, as part of the Bill itself.
Pending such regulation, the committee enabled the government to frame policies for handling of non-personal and anonymised data, while retaining the contentious provision which enables issuance of directions to solicit such data for targeted delivery of services or formulation of evidence-based policies. Such directions are proposed to be included as part of the Annual Report laid before Parliament.
The author is Partner, Lakshmikumaran & Sridharan Attorneys
Co-authored with Sameer Avasarala, Senior Associate, Lakshmikumaran & Sridharan Attorneys