After a long delay, the Union cabinet on Wednesday (December 4) gave its nod for the Personal Data Protection Bill, marking the country’s first step to lay down a policy framework on how organisations should handle and process individuals’ personal data. However, there are grey areas that remain to be addressed, with experts flagging concerns over issues relating to localisation of data, individual consent and penalising those breaching the privacy norms.
The draft bill, set to be introduced in the ongoing winter session of the Parliament, categorises data into three groups — critical, sensitive and general.
Sensitive data — financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation and passwords — can be stored only in India. The processing of data can be done by the companies only with the “explicit consent” of the individual.
Critical data will be defined by the government from time to time and has to be stored and processed in India. Any data that is non-critical and non-sensitive will be categorized as general data with no restriction on where it is stored or processed.
While the bill puts the onus on the data fiduciary (any entity processing personal data) to ensure that data is processed in a “fair and reasonable manner that respects the privacy of the individual”, it does not, however, specify any principles or guidelines for what constitutes a ‘fair and reasonable’ manner of personal data processing.
However, experts warn that the absence of guidelines could allow fairness and reasonability standards to vary across fiduciaries processing similar types of data and it may be unreasonable to expect the companies to demonstrate compliance.
On storing the data locally, a contentious issue in the light of objections raised by global internet and e-commerce giants, the legislation has several ambiguities. For instance, it states that every fiduciary shall keep a ‘serving copy’ of all personal data in a server or data centre located in India. The central government may notify certain categories of personal data as exempt from this requirement on grounds of necessity or strategic interests of the State.
“The provisions of the Bill go against the stand taken by the Reserve Bank of India (RBI) which said that all banking and payment data related to people should be physically stored in India. The proposed data protection bill says you do not need to keep the data in India – only keep a serving copy. I think this will not serve India better. And in all probability, it will hurt India’s sovereign interests,” says Pavan Duggal, a cyber law expert.
The bill is unclear what is meant by a ‘serving copy’ of data. It could be a live, real time replication of data on a server within India, or it could be a backup at a specified frequency. Also, the criteria for classifying data as ‘critical’ needs to be specified as this is necessary for the companies to prepare for the requirement of storing this data solely in India.
As per laws in the European Union (EU), Australia and Canada, storage of a copy of data within the country’s territory is not required.
“At present, the service providers are using Indians’ data with impunity and transferring them outside the territorial boundaries of the country. As a result, the government loses all control. This has a detrimental impact on the protection and preservation of people’s data privacy and personal privacy,” Duggal argues.
- Personal data can be processed or shared by any entity only after consent
- Penalties to prevent misuse of personal data
- All data to be categorised into three heads — general, sensitive and critical
- Government will have powers to obtain any user’s non-personal data from companies
- All financial and critical data has to be stored in India
- Sensitive data has to be stored in India but can be processed outside with consent
- Social media firms to formulate voluntary verification process for users
- Sharing data without consent will entail a penalty of Rs 15 crore or 4% of global turnover
- Data breach or inaction will entail a fine of Rs 5 crore or 2% of global turnover
The Justice Srikrishna Committee report, which formed the basis for formulating the legislation, advocated local storage of data, citing several benefits. It could simplify and accelerate the process of accessing data by law enforcement agencies for investigation. It could help prevent foreign surveillance of Indian citizens and also boost domestic research in artificial intelligence.
However, to meet this expectation, the companies would need to spend huge amounts on setting up local servers. The experts say this may become a big hurdle for existing companies to operate in India, and new ones to start their operations.
It will particularly impact foreign firms such as Facebook and Twitter, which already have millions of users in India but store their data at remote locations. While bigger entities may manage to muster the resources to meet this requirement, India will become extremely undesirable for smaller players.
“Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets,” the IT industry body Nasscom said. The start-ups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.
The only discernible reason for such a requirement is to give law enforcement easy access to this data. This access to all personal data by the state poses an enormous threat to the right to privacy given the weak safeguards that exist in the country against State surveillance, experts argue.
“If the concern is about the possibility of a company mining the data to its benefits, how will localising the data help prevent it? If the concern is around data protection, then data localisation without appropriate data protection regime wouldn’t serve any purpose,” says Rana Gupta, vice-president at cybersecurity firm Gemalto.
There is certainly a need to strike a delicate balance between the imperatives of the country’s digital sovereignty and the realities of the global businesses.
Apart from data localisation, the law enforcement access to data and weak oversight are the other key issues over which there are genuine apprehensions.
The bill envisages constitution of an all-powerful Data Protection Authority (DPA) to supervise and regulate data fiduciaries. The seven-member national-level body is empowered to draft specific regulations for all data fiduciaries across different sectors, supervise and monitor their functioning and initiate enforcement actions. The DPA will have a separate adjudication wing to impose penalties and award compensation. The orders of the DPA can be appealed to an appellate Tribunal to be set up by the central government and appeals from the Tribunal will go to the Supreme Court.
However, there are concerns that the regulatory structure may not be sufficiently independent since the central government has significant control over it. The draft bill gives the central government the power to appoint members of the data protection authority upon the recommendation of an outside committee. The Centre also has powers to remove members of the authority.
The DPA has powers to impose penalties on data fiduciaries for violation of provisions of the law. However, it is not clear whether a court order would be required for the enforcement actions.
While the privacy laws in European Union, Australia and Canada don’t have criminal penalties, the draft bill proposes imprisonment up to five years for certain offenses.
The Bill states that the fiduciary shall inform the DPA in the event of a data breach. However, the key question is whether the companies will have the discretion to determine whether a data breach needs to be reported to the DPA. There is a possibility of selective reporting of breaches as companies may have economic interests in downplaying the risk of data breaches.
On the issue of consent, the bill states that the fiduciaries cannot process individuals’ data without their consent. However, the State may process data without consent for certain functions, such as for provision of services and benefits, and for issuance of certification, licences and permits. The Justice Srikrishna Committee had argued that the validity of consent given by the individual while availing State welfare benefits is questionable, given the imbalance of power between the citizen and the State.
The draft legislation allows for processing of individuals’ personal data without their consent if it is necessary for any function of the Parliament or state legislature. It is unclear what functions of the Parliament would necessitate such processing of data without the consent.
Onus on social media platforms
The bill proposes social media platforms to create a mechanism so that for “every user who registers their service from India or uses their service from India, a voluntary verifiable account mechanism has to be made”. The provision is largely aimed at checking social media trolling.
At present, there are no laws in the country on the use of personal data and preventing its misuse, although the Supreme Court upheld privacy as a fundamental right in 2017.
In September 2018, the apex court upheld Aadhaar’s constitutionality, saying the linking of the biometric-based identification card with PAN only involved minimal information to fulfil the larger public interest of the poor, who can use it to obtain benefits and subsidies. This judgement formed the basis for firming up rules and regulations for data protection and privacy norms.
As per the legislation, a company will have to cough up as much as ₹5 crore or 2% of its worldwide turnover, whichever is higher, in case there is a data breach or inaction by the fiduciary or a minor violation. In case of major violations such as data processed or shared without consent, there will be a penalty of ₹15 crore or 4% of global turnover. There is also a provision for jail term for major violations.