India’s Personal Protection Bill of 2019
India’s Personal Data Protection Bill is a comprehensive data privacy law that was passed in India in 2018. The Personal Data Protection Bill was passed in response to the Indian Supreme Court’s landmark decision in K.S. Puttaswamy v. Union of India in 2017, ruling that privacy was a fundamental right. What’s more, the Indian Supreme Court also invited the government to construct “a regime for data protection.” The law sets forth data protection and privacy standards in regard to citizens of India, as well as introduces mandatory annual data audits. As is the case with many privacy laws that have been passed in countries around the world, the Personal Data Protection Bill is also closely aligned with the EU’s General Data Protection Regulation or GDPR.
What is the jurisdictional scope of the Personal Protection Bill?
While the Personal Data Protection Bill is similar in nature to the EU’s GDPR, the Personal Data Protection Bill places obligations on businesses entities and organizations that in many cases exceed that of the GDPR. To this end, the application of territorial or jurisdictional scope under the Personal Data Protection Bill is potentially broader than that of the GDPR, as the Personal Data Protection Bill applies to both entities located within and outside of India. More particularly, the Bill applies to:
- The processing of personal data and information that is collected, shared, disclosed, or otherwise processed within the territory of India.
- The processing of personal data and information on the part of Indian citizens, companies, or any other person, body, or entity incorporated under Indian law.
- The processing of personal data or information on the part of “data fiduciaries” that are not present within the territory of India, if said processing is in connection with a business entity in India, the systematic offering of goods and services within India, data principals within India, or the profiling of data principals within the region.
How is personal data defined under the Personal Protection Bill?
Another way in which the Personal Protection Bill differs from the GDPR is the way in which the Bill defines personal information. Under the Personal Protection bill, definitions for the terms “personal data” and sensitive “personal data” are both provided. Moreover, the Bill also protects the “critical personal data” of Indian citizens, though this definition for this term is at the sole discretion of the Indian government. As such, The definitions for “personal data” and “sensitive personal data” reads as follows:
- The Bill defines personal data to mean “data “about or relating to a natural person who is directly or indirectly identifiable”. However, the Bill does not take into account the “reasonable likelihood” that an individual will be identifiable in relation to their personal data, unlike the GDPR. Furthermore, data inferences related to an individual’s personal data are also included in the definition of personal data under the Bill, if said inferences are used in the context of profiling. Under this definition, inferences of personal data can also be considered personal data under the Bill, even if such inferences do not permit the identification of any specific individual.
- The Bill defines sensitive personal data to include data relating to health, religion, sex life, political beliefs, and biometric and genetic data. Notably, financial data is considered to be sensitive personal data under the Bill.
What are the requirements of data fiduciaries under the Personal Protection Bill?
Under the Personal Protection Bill, data fiduciaries are defined as a person or entity that “alone or in conjunction with others determines the purposes and means of processing personal data”. The Bill also mandates that the personal data of Indian citizens may not be processed except for a “specific, clear, and lawful purpose.” The Bill also sets forth the legal grounds for which personal data can be processed. These legal grounds are as follows:
- Legal Obligations.
- Medical emergencies involve a threat to an individual’s life or a severe threat to their health.
- The provision of medical treatment or health-related services.
- Protecting the safety of an individual during a disaster.
- Employment-related purposes.
- Other reasonable purposes that may be specified by legal regulations within India.
When processing the personal data of Indian citizens, data fiduciaries must adhere to the following framework in accordance with the Personal Protection Bill. This framework includes the following:
- Consent– Under the Bill, “valid consent must be free, taking into account whether it complies with Section 14 of the Indian Contract Act, informed, specific, clear, and capable of being withdrawn”. Section 14 of the Indian Contract Act states that consent is free when it is “not caused by coercion, undue influence, fraud, misrepresentation, or mistake”. Under the Bill, data fiduciaries are not required to obtain separate consent for each processing purpose.
- Reasonable Purposes– Under the Bill, the personal data of an Indian citizen may be processed without their consent, if the processing is for “reasonable purposes” as defined by India’s Data Protection Authority or DPA. Examples of such reasonable purposes include information security, fraud prevention, personal data that may be shared in the context of business acquisitions or mergers, and processing personal data that has already been made publicly available.
- Sensitive Personal Data– Under the Bill, when consent is required for the processing of sensitive personal data, data fiduciaries are mandated to obtain consent “ explicitly and not inferred from other conduct, separately from other processing, and after informing the data principal of the purpose for processing that is likely to cause significant harm.” The Bill also states that sensitive personal information may not be used for employment purposes without the consent of the said individual.
The Personal Protection Bill also required data fiduciaries to develop and implement a series of internal measures that take into account the risks involved in data processing, as well as accountability and compliance with the Bill. These internal measures must include the following provisions:
- Significant Data Fiduciaries– Under the Bill, data fiduciaries are permitted by the DPA to designate a class of data fiduciaries defined as “significant ” based on criteria such as the volume of personal data processed, the sensitivity of personal data processed, turnover of the data fiduciary, the risk of harm posed by processing, the use of new technologies for processing, and any other factor causing harm from such processing”. Data fiduciaries that have been designated as significant must follow additional accountability requirements, as outlined below.
- Audit requirements– Significant data fiduciaries must also work with an independent auditor that can be selected from a list that is pre-approved by the DPA to conduct an annual audit of said data fiduciaries’ processing activities. Based on this, auditors may assign a “data trust score” based upon their findings in relation to a data fiduciary. This data trust score would then need to be disclosed to all applicable data subjects. The DPA also retains the right to direct data fiduciaries to conduct an audit, if the DPA considers a data fiduciaries’ processing to be likely to cause harm to data subjects.
- Data Protection Officer and DPA Registration– Under the Bill, significant data fiduciaries are also required to appoint an Indian-based Data Protection Officer or DPO, who will represent the data fiduciary under the law. Significant data fiduciaries must also be registered with the DPA.
- Privacy by Design Policy– The Bill mandates that all data fiduciaries develop a “privacy by design policy” that details the “managerial, organizational, business practices and technical systems designed to anticipate, identify and avoid harm,” among other things.
- Data Processor Agreements– All contracts between data fiduciaries and processors must specify that said processor will process all personal data in accordance with said data fiduciaries’ instructions or requirements. Personal data must also be held in confidence, and sub-processors or third parties may not be appointed without approval.
- Security and Breach Notifications– Data fiduciaries and processors must also go about implementing necessary security safeguards to protect the personal data of data subjects. This includes “methods to de-identify and encrypts data, as well as prevent unauthorized access to or destruction of personal information”. Under the Bill, data fiduciaries must also notify the DPA in regards to any data breaches. This notification must take place “h “as soon as possible” if it is likely to cause harm to any data principal, but gives the DPA discretion to determine the timing of subsequent breach notifications. The DPA may also direct the data fiduciary to post a notification of the breach on the DPA’s or business’s website. No breach notification obligation applies directly to data processors (though presumably, data fiduciaries may impose such an obligation by contract)”.
Data subjects are also afforded a number of rights under the Personal Protection Bill. These rights include the right to transparency, access, portability, and correction in relation to personal data. Additionally, there are a variety of penalties that can be imposed as a result of non-compliance with the Personal Protection Bill. The penalties include criminal liability that can lead to up to three years of imprisonment and a fine of up to $3000, administrative fines that can total up to $2 million dollars or 4% of business entities’ annual global revenue, injunctive penalties such as the ability to block processing, and both individual and group redress.
The Personal Protection Bill of 2018 will do a great deal to secure the data privacy of Indian citizens for the years to come. As privacy has become a greater concern to many countries and governments around the world, laws such as the Personal Protection Bill will continue to be passed as time goes on. While the EU’s General Data Protection Regulation or GDPR was undoubtedly an influence on the bill, as it has been on many other privacy laws that have been passed in recent years, the Personal Protection Bill is in many ways more restrictive than the GDPR. As such, Indian citizens can rest assured that everything is being done to secure their personal privacy.