India presently has the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, issued by the Government of India pursuant to Section 87 (ob) of the Information Technology Act, 2000 (“IT Act”) (power of the Government of India to make rules on the reasonable security practices and procedures and sensitive personal data or information under Section 43A of the IT Act), read with Section 43A of the IT Act (Compensation for failure to protect data) to deal with privacy matters (“Privacy Rules”). These Privacy Rules were meant to reasonably protect the privacy of personal data of individuals. However, the Privacy Rules outlived their usefulness due to the rapid advancement in technologies and platforms, including big data applications, social media, search engines, and other technologies and platforms which enable indiscriminate use of personal data for profit, such use critically affecting the privacy of individuals, including entailing monetary losses as a result of leaks of data in a weak protection environment or deliberate leaks by the data processors of the data. A privacy-related bill has been work-in-progress for quite some time, and in the year 2019 the Government of India introduced the Personal Data Protection Bill, 2019 (“Privacy Bill”).
On July 31, 2017, the Government of India constituted a Committee of Experts on Data Protection chaired by Justice B.N. Srikrishna to study and provide a report on recommendations on data protection (“Report“). The Committee gave a Report to the Government of India on July 27, 2018. Subsequently, most of the recommendations appearing in the Report have been incorporated in the Privacy Bill.
The Privacy Bill, when enacted, is expected to impact all businesses, both small and big, and would change the way some of them are run in India in view of the exemplary punishments enshrined in the Privacy Bill for non-compliance with the requirements stated therein.
Considering the above, let us examine hereunder the key provisions of the Privacy Bill.
The statements and objects of the Privacy Bill are:
“to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto”
The intention of the Government of India is to bring a strong and robust data protection framework for India and to set up a nodal authority, the Data Protection Authority of India (“DPAI”), for implementing the purposes stated in the object clause of the Privacy Bill, empowering citizens with rights to protect their personal data and ensuring their fundamental right to privacy and the protection of privacy of personal data.
Some of the important terms used in the Privacy Bill are as under:
Applicability of the provisions of the Privacy Bill, upon enactment into legislation (“Privacy Law”):
However, the Privacy Law will not apply to the processing of anonymous data.
Obligations, Notice and Consent
Personal Data may be processed only for any specific, clear and lawful purpose, in a fair and reasonable manner duly ensuring the privacy of the Data Principal.
A Data Fiduciary is required to notify the Data Principal about the collection of Personal Data, at the time of collection or, if the data is obtained from a third party, as soon as practicable. The notice need not be given if it would substantially prejudice the purpose of processing the data for the performance of any function of the State authorized by law.
The notice would need to contain information such as the purposes for processing the Personal Data, the nature and categories of data, the identity and contact details of the Data Fiduciary, the right of the Data Principal to withdraw consent, the basis for processing, the source of collection of the Personal Data, the persons with whom the Personal Data is shared, information on cross-border sharing of data, the period of retention of data, and the procedure for grievance redressal and filing of complaints.
The consent of the Data Principal for the processing of Personal Data needs to be free, specific, informed, clear, and capable of withdrawal. In the case of processing of Sensitive Personal Data, the consent of the Data Principal needs to be explicitly obtained after informing the Data Principal about the process and operations involved in the processing and the risks of any significant harm to the privacy interests of the Data Principal, and after providing the Data Principal a choice of the categories of Sensitive Personal Data to be shared.
Processing of Personal Data without consent
Personal Data may be processed without the prior consent of the Data Principal (i) for the performance of any function of the Government under any law for the provision of any service or issuance of a license or permit, (ii) under any law or judgment of any court/tribunal in India, (iii) in case of any medical emergency, or during an epidemic or other threats to public health, and (iv) to undertake any safety measures to maintain public order (Clause 12).
Rights of Data Principal
The Data Principal has a right to (i) obtain from the Data Processor a summary of his/her Personal Data being processed, in a clear and concise manner and in a structured, machine-readable format, (ii) correction and erasure of the Personal Data, and (iii) be forgotten (restrict or prevent the continuing use of the Personal Data).
Privacy by design and transparency
The Government of India may, in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, and public order, exempt from the provisions of the Privacy Law the processing of Personal Data by a Government agency or for research, archiving or statistical purposes.
Penalties and Offences
Upon an enquiry, the Data Fiduciary will be penalized if there is a failure to fulfill obligations under the Privacy Law. The penalties extend up to Rs. 15 crore or 4% of total worldwide turnover, whichever is higher. The Privacy Law also provides for a penalty per day during the default period.
Privacy laws in other prominent jurisdictions
The EU GDPR came into force in May 2018. It is the most prominent legislation on data privacy protection. The EU GDPR is not merely applicable to organizations processing data within the European Union (“EU”), but also to organizations, whether situated within the EU or outside it, that may be processing any personal data of an identified or identifiable natural person of the EU. In that perspective, the EU GDPR has extra-territorial jurisdiction. In comparison, the Privacy Law would be applicable to the activities of processing of Personal Data by Data Fiduciaries or Data Processors outside India for any business in India, or any activity involving profiling of Data Principals within the territory of India. To this extent, even the Privacy Law would be extra-territorial in its applicability.
The Privacy Bill borrowed several concepts from the EU GDPR. The EU GDPR itself is evolving in view of the ever-changing needs of society. There have been criticisms of the Privacy Bill that it allows numerous exemptions to law enforcement agencies and other government agencies. It is also criticized that the independence of the DPAI is questionable. Like the EU GDPR, the Privacy Law should also be allowed to evolve, instead of being held up. With the JPC providing its recommendations on the Privacy Bill, it is hoped that the Indian Privacy Bill will see the light of day sooner rather than later in the form of the Privacy Law.