It has to be fine-tuned to clarify ambiguous provisions and address concerns related to localisation of personal data.
By Supratim Chakraborty & Aritri Roy Chowdhury
Tim Berners-Lee—the inventor of the World Wide Web—once stated “it’s difficult to imagine the power that you’re going to have when so many different sorts of data are available.” This seems to be especially significant in light of the growing importance accorded to data by businesses and the debates surrounding protection of personal data.
India lacks legislation focusing solely on data privacy and protection. While we have the Information Technology Act, 2000, it has not been able to address all the concerns around privacy and protection of personal data of individuals. Increased instances of data theft, unauthorised sharing of personal data and illegal data harvesting have made the government recognise the need to have a comprehensive law to combat these issues. The existing legal framework
The IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, stipulate certain procedures for entities processing a specified class of personal data, i.e. sensitive personal data or information. However, despite debates surrounding misuse of Aadhaar data and other types of sensitive personal data, the same has not been protected under the Rules, which identify limited personal data (passwords, financial information, physical, physiological and mental health conditions, sexual orientation) as “sensitive personal data or information” (SPDI).
The laws have also failed to accord special protection to personal data of children. The IT Act largely prescribes “consent” from the individual whose personal data is being processed as the limited ground for processing. This requirement, in fact, has been widely misused by entities who have reduced such requirement to an “I agree” button that does not allow an individual the option of providing informed and meaningful consent. Further, the IT Act is ill-equipped to handle instances of data breach and prescribe appropriate mechanisms to curb the same.
Under the IT Act, the failure to maintain reasonable security practices in relation to SPDI does not attract deterrent penalties and only mandates “compensation” to an individual who has been affected. Also, the current laws lack a centralised dedicated authority to oversee enforcement of data protection laws and redress related grievances.
Personal Data Protection Bill
The Supreme Court, in KS Puttaswamy vs Union of India, held right to privacy as a fundamental right; the government has identified having a stronger law in relation to protection of personal data. A committee of experts was appointed under chairmanship of Justice BN Srikrishna and entrusted with the task of identifying the lapses in current laws and drafting a new comprehensive data protection law. The committee published the Personal Data Protection Bill, 2018, which attempts to identify shortcomings of the IT Act and the Rules.
The Bill envisages a centralised Data Protection Authority of India responsible for, inter alia, protecting the interests of individuals whose personal data is processed, enforcing of the provisions of the Bill and preventing misuse of personal data. The Bill has attempted to define “personal data” and expanded the scope of the definition of SPDI to include personal data such as “official identifier” (such as Aadhaar number), “transgender status”, “religious or political belief or affiliation”.
The Bill has provided special protection to personal data of those below 18 years of age, stating that processing of such data should be in a manner “that protects and advances the rights and best interests of the child.” While the Bill states that “appropriate mechanisms” should be implemented for age verification and parental consent to process data of children, it has not prescribed any quantifiable threshold for determining such mechanisms.
It has vaguely stated that such “appropriate mechanisms” are to be determined on the basis of the volume of personal data processed, proportionate share of children’s personal data in the volume of personal data processed, possibility of harm to children that may be caused due to such processing, and any other factor that may be determined by the authority.
The Bill has identified grounds apart from consent to process personal data (such as processing of personal data for functions of the state, for compliance with applicable laws and for purposes related to employment), and has specified that “consent” as a ground for processing personal data should be free, informed, specific, clear and capable of being withdrawn. However, it is silent on the mode of obtaining such consent. The Bill has also identified the need for having a reporting mechanism for breach of personal data.
However, it falls short of prescribing a comprehensive mechanism for reporting such breach, as it states that reporting should be made when “breach is likely to cause harm” to the person to whom the data belongs, thus allowing the entity responsible for processing the personal data to determine whether a breach is “likely to cause” harm.
To ensure compliance, the Bill has introduced deterrent penalty provisions including fines of up to `15 crore or 4% of the total worldwide turnover of the entity in breach of certain provisions of the Bill. While such penalties may induce compliance with the provisions of the Bill, the penalty amounts may be considered quite steep for Indian business houses.
While it may be easy to calculate such worldwide-turnover-based penalties for private entities, implementation of the same in relation to functionaries of state have not been duly envisaged. The Bill introduces data localisation requirements, subject to certain exceptions. While these requirements are useful for ensuring protection of personal data, they may prove to be counterproductive for entities that rely on cloud-based technologies to sustain their businesses and would generally increase the cost of doing business in India.
Overall, the Bill has taken cognisance of the debates and issues in relation data privacy and data protection, and has attempted to address the same. However, while this is a step forward, the Bill still has to be fine-tuned to clarify ambiguous provisions, remove the wide discretionary powers granted to the authority, and address concerns related to localisation of personal data. It can be expected that once the ministry of electronics and information technology has obtained views from the general public on the Bill, the loopholes therein will be identified and attempts will be made to plug the same.
Chakraborty is associate partner and Chowdhury is associate, Khaitan & Co