The Personal Data Protection Bill, 2019
by Arju R. Jambhulkar
Historical Narrative of the bill
The narrative around data protection in India reached a crescendo during the hearings in K.S. Puttaswamy vs. Union of India (2017), the "right to privacy" case. In a landmark verdict, a nine-judge bench of the Supreme Court of India affirmed the right to privacy as a fundamental right. While the case was pending, the Indian government set up an expert committee to devise India's data protection framework. After a public consultation on a white paper, the committee submitted a draft Personal Data Protection Bill in 2018 together with an accompanying report entitled "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians." A revised version of the bill was introduced into Parliament in December 2019.
What’s in the Bill?
Many of the consent-related provisions in India’s data protection bill sound quite similar to those enshrined in the European Union’s General Data Protection Regulation (GDPR). According to the new Indian bill, to collect personal data, those entities classified as data fiduciaries must obtain consent from the individuals whose data is in question. Data fiduciaries are essentially any entity determining the “purpose and means of processing personal data,” a wide definition that could encompass everything from ride-sharing apps to social media platforms to data brokers that buy and resell customer data.
Data fiduciaries are also subject to obligations beyond consent, including new reporting and transparency requirements. For example, the bill requires a fiduciary to obtain the consent of a parent or guardian before processing the personal data of a child, and to verify the child's age in a manner to be prescribed.
That said, the legislation's text does carve out a number of exceptions under which data fiduciaries may process personal data on Indian citizens without obtaining consent. For instance, there are consent exemptions for the state or other entities complying with court orders, enforcing the law, providing public benefits or services, and responding to medical emergencies. There are further "reasonable purpose" carve-outs for situations such as fraud prevention, whistleblowing, mergers and acquisitions, credit scoring, and the operation of search engines. Europe's GDPR, by comparison, also permits processing without consent on other lawful bases, such as compliance with a legal obligation or the performance of a public task (which covers law enforcement and taxation), but the exemptions in India's draft bill are defined more vaguely and leave more discretion to the government.
The legislation also contains provisions giving rights to "data principals," the individuals about whom data are being collected, to confirm whether a fiduciary is processing their data and to request information about what is being collected on them. Data principals are also given rights to have their data corrected or erased, and a separate "right to be forgotten" that lets them restrict or prevent the continuing disclosure of their data, an analogue of the GDPR's right of the same name. Finally, data principals have a right to data portability: to receive the data itself in a "structured, commonly used and machine-readable" format and to have it transferred to another fiduciary.
These protections demonstrate that the Indian government is interested in both safeguarding the rights of Indian data principals and chipping away at the gross power imbalance that currently exists between large technology firms and individual Indian citizens around data collection. But, again, it remains to be seen how that relationship will play out when it comes to individuals and the government, not just individuals and corporations. For example, the numerous vaguely defined exemptions on data regulation could potentially enable forms of surveillance, when government organs deem collection and use pertinent to state functions.
In fact, the biggest concern about the bill among academics and activists is the exemptions granted to the government for data collection. Section 35 allows the central government to exempt any of its agencies from collection rules, reporting requirements, and other provisions of the bill whenever it considers this "necessary or expedient" in the "interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and public order." Most importantly, "necessary or expedient" has replaced the "necessary and proportionate" standard for government processing of data that appeared in the 2018 draft. The latter is a recognized standard in Indian constitutional and international law. In its 2017 judgment, the Supreme Court had stated clearly that any intrusion into the right to privacy must be authorized by law, conducted in accordance with procedure established by law, and be necessary and proportionate to the objective being sought. The term "necessary or expedient" imposes no obligation to balance the intrusion against the objective, thereby augmenting the government's surveillance powers. This leaves a gaping regulatory vacuum around surveillance law in India and fails to adequately protect citizen privacy, as there are no clear rules governing government use of data.
In a bid to regulate social media corporations, marking a departure from both the GDPR and the 2018 draft of the bill, the most recent bill proposes that a special class of "significant data fiduciaries" known as "social media intermediaries" may be designated. These are defined as intermediaries whose primary purpose is enabling online interaction among users; the definition excludes intermediaries that primarily enable commercial or business transactions or access to the internet, or that are in the nature of search engines, online encyclopedias, e-mail services, or online storage services. Essentially, a "social media intermediary" is a social media company. The bill requires, in vague terms, that such intermediaries allow voluntary verification of their accounts by any user who uses their services from India or registers from within India, and that verified accounts carry a visible mark of verification. However, what proof users would need to submit to the social media intermediary in order to verify their accounts is unclear. No comparable voluntary verification requirement exists in the GDPR or in other national data protection laws.
Despite adding layers of regulatory obligations, the revised version of the bill does provide some cheer to foreign technology companies. After protracted lobbying and pushback from foreign companies, diplomats, and heads of state (including President Trump), the bill narrowed the scope of the data "mirroring" requirement for all personal data that was present in the 2018 draft. That requirement would have mandated that a copy of all personal data on Indian citizens be stored within India's borders. Now, the legislation only requires that certain categories of data be stored in India. The first, "critical personal data" (a category the government is left to define), must be stored and processed only in India. The second, "sensitive personal data," must continue to be stored within India but may be transferred abroad provided certain conditions are met, including the data principal's explicit consent. One of those conditions mimics the GDPR's adequacy mechanism: the central government may approve transfers to a country or entity only after finding that the destination applies sufficient privacy protections to the data and that the transfer would not prejudice the enforcement of Indian law by the relevant authorities.
Localized data storage requirements are also not entirely new to India. Rather, they would supplement measures that are already in place. Most important among the pre-existing requirements is a 2018 directive from the Reserve Bank of India (India's central bank) mandating the local storage of payment system data. Payment services such as WhatsApp Pay and Google Pay, card networks such as Mastercard, and other payment companies have had to rework their data flows to comply with that directive.
Finally, the government made sure to add Section 91, a provision clarifying that nothing in the bill prevents it from framing any policy for the digital economy, including measures for its growth, security, integrity, and prevention of misuse, as long as such a policy does not govern personal data that can be used to identify an individual. Section 91(2) states further that the government can direct data fiduciaries and data processors to hand over anonymized personal data or other "non-personal data" to enable better targeting of service delivery or the formulation of "evidence-based policies." Little clarity has been provided on what that might entail, or on what safeguards would apply to such anonymized data once in government hands.