The Srikrishna Committee submitted the draft of the Personal Data Protection Bill, 2018, to the government for its action on July 27, 2018. Opinions have started flowing in, but we need to interpret the essence of the draft ‘A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians’.
The foundation: The draft Bill calls out data protection obligations with fair and reasonable processing as the core principle. This may serve as the guiding factor to determine the rightful and lawful processing of data. The data fiduciary/entity is identified as the party responsible for compliance, and bears the onus of ensuring that data processors fulfil their contractual obligations. However, with no direct regulatory obligation on the data processor, the level of expected compliance will only be as strong as the contract.
The pillars: It identifies the grounds for processing personal data, which cover a gamut of lawful purposes. Consent is identified as one of the primary grounds for processing, and is aimed at providing individuals control over processing of their personal data. The draft Bill clearly identifies that consent, coupled with performance of a contract, will provide a greater degree of control to individuals. Also, lack of consent should not lead to denial of goods or services. Unlike many international data privacy laws, the draft Bill provides clarity on a much-debated topic—the imbalance of power between an employee and employer. Is consent a valid basis for processing employee personal data from an employment perspective? To address this, the draft calls out a separate legal ground for organisations to process employee personal data that is necessary for purposes of employment.
The vulnerable: It emphasises the importance of protecting the personal and sensitive data of children. This vigilance, which goes beyond what other data privacy regulations require, is a strong move to safeguard the interests of an impressionable and vulnerable section of the population from a data-hungry world. But these stringent requirements will have an impact on edtech companies, social media organisations, healthcare institutions catering to children, targeted advertising firms, etc.
Individual rights: In a move to empower data principals/individuals and provide them with more control over their own data, the Bill grants them certain rights, such as right to confirmation and access, right to correction, right to data portability and right to be forgotten. Basic rights such as right to seek confirmation, access and rectification are exempt from fees, thus promoting transparency. But there are a few shortcomings:
– The right to be forgotten under the proposed Bill is not the same as the right to erasure proposed under global privacy standards and laws. In the case of the Bill, this right provides for ‘restriction of processing’ and not erasure.
– It is silent on individual rights around processing activities involving automated profiling and decision-making.
– The right to portability is a key step that enables consumers to freely choose and migrate data across service providers.
The boundaries: The Bill proposes that data fiduciaries/companies save a local copy of all personal data that is stored outside the boundaries of India. Although this move could have negative consequences, it would ensure effective enforcement of law, reduce bottlenecks in dealing with foreign jurisdictions, and protect national security and interests. To protect national interest and contain the risk of surveillance from foreign states on critical data, the draft Bill prevents data fiduciaries from sending ‘critical’ personal data outside the territory of India. But what constitutes personal data and ‘critical’ personal data is a decision that has been left to the authority. While the intentions are good, maintaining data locally will have an impact on businesses across industries that are today Cloud-led. This will increase the general cost of doing business across industries.
The excluded: The Bill suggests exempting certain entities from requirements based on turnover (less than Rs 20 lakh), volume of personal data processed (less than 100 data principal records per day and less than 100 data principals on any day in the past year), etc. Considering the Indian context, with the presence of a large number of SMEs, mom-and-pop stores, kiranas, marts, etc, this move appears to be aimed at ensuring that the burden of compliance does not impede the economic growth of a fragile grass-roots Indian economy. However, the proposed thresholds for exempting small entities may be too low and impractical.
– Siddharth Vishwanath is Partner and Cyber Advisory Leader, PwC India