In December 2019, India’s Ministry of Electronics and Information Technology tabled the Personal Data Protection Bill, 2019 (PDP Bill) in the Lok Sabha. However, the PDP Bill, as drafted, raised several issues and challenges in implementing a robust data protection framework.
In December 2020, Parliament referred the PDP Bill to a Joint Parliamentary Committee. The Committee held extensive hearings and tabled its report on the PDP Bill in both houses of Parliament on December 16, 2021. This article analyzes the Committee’s report and recommendations in respect of the PDP Bill.
Applicability and scope of the law
In its original iteration, the PDP Bill intended to cover only personal data. However, as distinguishing between personal and non-personal data during the collection or transportation of mass data would be difficult, the Committee recommended that the new legislation deal with both personal and non-personal data. To this end, non-personal data has been defined as “any data other than personal data.” Further, the Committee has recommended the establishment of a single Data Protection Authority (DPA) to handle issues concerning both personal and non-personal data.
The government always intended to regulate non-personal and personal data. However, the burden on the DPA will increase, and this will lead to more onerous and cumbersome compliance obligations on collectors and processors of non-personal data.
Timeline for implementation of the provisions of the PDP Bill
The Committee has recommended a phased implementation of the PDP Bill over a period of twenty-four months from the date of notification of the new legislation.
A phased implementation of the PDP Bill is in line with the implementation of the GDPR in Europe. It will minimize business disruption and is necessary to ensure smooth compliance.
Consent requirement
The Committee has recommended certain clarificatory modifications in the provisions pertaining to consent. A new sub-clause in Clause 11(4) has been introduced in the PDP Bill to ensure that a data fiduciary is not denied the supply of goods or services on the basis of “exercise of choice.” Further, clarificatory language has been introduced to specify that consent of data principals must be obtained in clear terms without any reference to context or conduct.
Online service providers often require acceptance of the service provider’s privacy policy before the service is provided. The details of the type of personal data collected and the purpose of such collection are also specified in the policy. As per the recommended changes, data fiduciaries will be required to give an explicit choice to the user and permit the user to select the data that the data fiduciary can or cannot process. That being said, the additional language introduced in Clause 11(4)(ii) restricting denial on the basis of exercise of choice appears to be redundant, as Clause 11(4)(i) already provides that the provision of any services shall not be made conditional on the consent of the data principal towards the processing of any non-relevant data.
Rights of data principals
The Committee has analyzed and recommended changes to the rights granted to different categories of data principals. These changes are as follows:
Deceased data principals: The Committee has recommended that data principals should be entitled to: (i) nominate a legal heir to exercise their rights relating to their personal data; (ii) exercise the right to be forgotten; or (iii) amend the terms of any data processing agreement.
Right to be forgotten: In its original iteration, the PDP Bill provided a right to data principals to prevent and/or restrict continuing disclosure of personal data. The Committee has recommended that data principals should also have the right to restrict and/or prevent any further processing of personal data. Further, the Committee has recognized that an individual’s exercise of the right to be forgotten may not always be immediately and practically feasible due to, inter alia, technological or cost constraints. Therefore, the Committee has recommended that the DPA should frame appropriate regulations for the exercise of the right to be forgotten by data principals.
Children: As per the Committee’s recommendations, all social media platforms which process children’s data will be considered significant data fiduciaries and will be subject to additional compliance requirements. The recommendations emanate from ongoing concerns about ed-tech and social media companies adversely influencing children. New-age technology companies targeting products at teenagers will have to get ready for new compliance requirements.
Data portability: The PDP Bill originally permitted data fiduciaries to deny data portability on the grounds of technical non-feasibility or disclosure of trade secrets. The Committee has observed that these terms are broad and ambiguous. The Committee has recommended the deletion of trade secrets as a ground for denying data portability. Further, the Committee has recommended that technical feasibility should be strictly determined by the DPA and must be adhered to while denying data portability.
Disclosure of algorithms: The Committee has recommended that data fiduciaries should be required to maintain transparency in respect of the algorithm or method used for data processing. This requirement will benefit data principals who will have clarity on the manner in which their personal data is processed, especially in instances of targeted advertising. At the same time, companies are unlikely to be willing to disclose their algorithms or methods of processing data, as these methods often constitute trade secrets.
Social media platforms
The PDP Bill originally provided for governance of all social media intermediaries. However, the Committee has observed that various social media companies have escaped liability under the extant Information Technology Act, 2000, on account of being classified as intermediaries. Given this fact, the Committee has recommended that the term “social media intermediaries” should be replaced by “social media platforms.”
The safe harbour provided to intermediaries under the extant regime is often necessary as these entities merely act as conduits of information, which is, typically, published by users. It will be interesting to see whether these entities lose their protection as intermediaries if the recommendations are implemented, as it may mean that they are held responsible for data breaches by users on their platforms.
Data localization and cross-border transfers
The Committee has reiterated that data localization is important, and that sensitive and critical personal data in possession of foreign entities should be brought back to India in a time-bound manner. Further, the Committee has recommended that in case of all approvals granted by the DPA for contracts/intra-group schemes involving cross-border transfers of sensitive personal data, the DPA should consult with the Central government prior to granting such approval. Furthermore, the Committee has also recommended that each such approval should only be granted after ensuring that the object of the cross-border transfer is not contrary to the public policy of India.
The move to mandate data localization is similar to the Reserve Bank of India’s guidelines applicable to banks and other payment service providers mandating that all sensitive financial data be stored in India (see update here). However, it appears that the Committee has gone beyond the original principles in respect of cross-border transfers. Consultation with the Central government and evaluation of the objects of a transfer on a case-by-case basis will likely make the process of cross-border data transfer lengthy, inefficient and cumbersome.
Conclusion
The Committee’s report proposes significant changes to the PDP Bill and adds clarity to the interpretation of several provisions. At the same time, various concerns have been left unaddressed or have been relegated to subordinate legislation, namely, a high degree of leeway to government authorities on the use of personal data, retrospective applicability, lack of a concrete definition of sensitive personal data, and rights of data principals.
Given the extent of the recommendations, it is likely that the Committee’s report will be analyzed in detail by both Houses of Parliament, and any amendments will only be made after considering their implications on industry players. Therefore, it is likely that the PDP Bill may not be enacted in the immediate future. Nevertheless, global entities, social media companies, and other entities specifically collecting sensitive personal data in India, should be ready to put in place robust infrastructure to comply with the PDP Bill when it becomes the law.
Amrit Mehta is a Partner at Majmudar & Partners and would like to thank Associates Rahul Datta and Swati Agrawal for their assistance.