More than a year after the Government of India’s Committee of Experts released a draft Personal Data Protection Bill in July 2018 (the “2018 draft”), India is one step closer to passing a comprehensive data privacy law. On December 11, 2019, India’s Minister for Electronics and Information Technology introduced an updated draft of Personal Data Protection Bill (the “Bill”) in the Lok Sabha, India’s lower house of Parliament. The Bill was referred to a Joint Select Committee composed of parliamentarians from both the lower and upper houses.
The Joint Select Committee is due to report back to the Lok Sabha before the 2020 Budget Session of Parliament, which, although dates have not yet been set, usually runs from February to March. At that point, the government is likely to table the Bill for discussion in Parliament either in the Budget Session or in the Monsoon session, which usually runs between July and September.
The updated Bill retains the core structure of the previous draft, which closely adheres to the model provided by the GDPR. There are, however, noteworthy changes in this most recent Bill, including to some of the more controversial features of the 2018 draft, such as data localization requirements and provisions carrying criminal penalties. The Bill also includes requirements that did not appear in the first draft, such as an enhanced right to erasure, obligations that attach to “anonymous data,” and specific requirements for “social media intermediaries.” A new requirement for rulemaking by the data protection authority (“DPA”) could provide additional opportunities for public consultation.
Below we summarize the key changes in this most recent draft of the Bill. To see all the changes from the 2018 draft, please click here.
- Data localization and data transfer restrictions are relaxed, but remain for sensitive and critical personal data
The 2018 draft required “data fiduciaries” (or controllers, as they are known under the GDPR) to maintain a copy of all personal data in India, except where the government exercised its authority to designate “certain categories of personal data” as exempt from the local storage requirement.
Notwithstanding the requirement to maintain a copy in India, under the 2018 draft, personal data could also be transferred outside of India only where data fiduciaries had put in place additional mechanisms, such as model clauses approved by the DPA and intra-group data transfer arrangements, or where the relevant individual (termed the “data principal” in the Bill) provided consent or the government found the receiving country to provide “adequate” protection. Critical personal data, which was to be defined by the government, generally could not be transferred outside of India.
The Bill maintains a similar structure, but would significantly reduce the scope of localization and data transfer restrictions by applying such requirements only to sensitive and critical personal data. In effect, the Bill would establish a three-tiered structure:
- Personal data: Under the Bill, no localization or data transfer restrictions apply to personal data that is not considered “sensitive” or “critical.” This type of personal data may be stored entirely outside of India and no transfer restrictions would apply.
- Sensitive personal data: The rules for sensitive personal data under the Bill broadly mirror those of the 2018 draft. Under the Bill, “sensitive personal data may be transferred outside of India, but such sensitive personal data shall continue to be stored in India.” While the Bill proposes similar contractual mechanisms to facilitate transfers, in most instances, data fiduciaries must obtain “explicit consent” in addition to making use of the enumerated mechanisms. Sensitive personal data includes many of the “special categories of personal data” as defined under the GDPR — including data relating to health, religion, sex life, political beliefs, and biometric and genetic data — but unlike the GDPR, financial data is considered to be sensitive. Notably, passwords have been removed from the definition in this draft of the Bill.
- Critical personal data: As with the 2018 draft, the Bill permits the government to define certain personal data as “critical personal data,” which generally may not be transferred outside of India, without providing any limitation on the government’s power to make such a designation. However, the Bill would create an exception to this strict localization requirement for transfers to countries or organizations deemed to provide an adequate level of protection (and where the state’s security or strategic interests will not be prejudiced), or in limited circumstances to protect vital interests.
- Heightened accountability requirements limited to “significant data fiduciaries”
The 2018 draft introduced a series of heightened accountability mechanisms which would only apply to data fiduciaries meeting certain thresholds. These mechanisms broadly aligned with those that would be familiar from the GDPR, such as requirements to conduct data protection impact assessments, maintain records of processing and appoint data protection officers, but also included a novel requirement for the data fiduciary to audit its processing activities annually.
The Bill is likely to narrow the scope of organizations that will be subject to such requirements by specifying that they would apply only to “significant data fiduciaries.” Like the 2018 draft, the Bill does not define “significant data fiduciaries,” but rather leaves it to the DPA to notify data fiduciaries or classes of fiduciaries that they qualify based on factors such as the volume and sensitivity of personal data processed, the risks to data principals, the organization’s revenue, and the use of innovative technologies.
- Social media intermediaries must permit identity verification
A new aim of “laying down norms for social media intermediar[ies]” is added to the Bill’s preamble, and several provisions are directed specifically at such entities. Significantly, the Bill would require social media intermediaries to “enable the users who register their services from India, or use their services in India, to voluntarily verify their accounts” in a manner prescribed by the government. Verified accounts would need to obtain a “demonstrable and visible mark of verification.”
The Bill also permits the government, in consultation with the DPA, to designate social media intermediaries as “significant data fiduciaries.” As set out above, this designation would bring with it heightened compliance obligations.
A social media intermediary is defined as “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.” Internet service providers, search engines, encyclopedias, email and storage services, and certain e-commerce platforms are specifically excluded.
- Adjustment to legal grounds for processing
A notable feature of the 2018 draft is that it did not include a ground for processing based on contractual necessity. The Bill does not change this position, but adjustments to the “reasonable purposes” legal ground may provide greater comfort for processing in certain situations where required to perform a contract.
In line with the 2018 draft, the Bill permits data fiduciaries to process personal data without consent for reasonable purposes, taking into account factors such as a balancing of the interests at stake, including public interests, and the reasonable expectations of data principals and the context of the processing. However, whereas the 2018 draft required such purposes to be enumerated by the DPA, the Bill states that the reasonable purposes “may be specified by regulations.” The Bill also extends the list of examples of reasonable purposes to include “the operation of search engines.”
In the employment context, however, the Bill’s grounds for processing are narrower than those set out in the 2018 draft as data fiduciaries would no longer be permitted to process sensitive personal data for employment purposes.
- New privacy by design requirements
While “privacy by design” featured in the 2018 draft, the Bill would formalize the requirement — and effectively outlaw “privacy by accident” — by requiring data fiduciaries to “prepare a privacy by design policy.” The Bill also creates a mechanism by which, subject to future regulations, the DPA could certify privacy by design policies, in which case the policy would be published on both the data fiduciary’s and the DPA’s website.
- Anonymized data added to the Bill’s scope
In line with growing interest in India around creating rules for non-personal data, the Bill would add a new definition for “anonymized data” that would allow the DPA to establish standards of anonymization through which data could be rendered no longer personal data. However, the Bill would also grant the government the power to “direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.”
The Bill’s inclusion of this new power follows a proposal, which first surfaced in a draft e-Commerce Policy in February 2019, for the government to promulgate rules surrounding the use of so-called “community data” to strengthen the competitiveness of India’s e-commerce sector.
- Criminal penalties are relaxed
The penalty provisions of the 2018 draft attracted significant attention due to the number of criminal offenses that would have been created, such as for obtaining, transferring or selling personal data in violation of the bill or for re-identifying de-identified data.
The Bill would eliminate most forms of criminal liability, except where a person “knowingly or intentionally re-identifies personal data which has been de-identified by a data fiduciary or a data processor” without the consent of the data principal or the party that de-identified the data. Violation of this provision could still carry stiff penalties, including up to three years of imprisonment. Where the offense is committed by a company, the Bill would permit penalties to be imposed on any person who “was in charge of, and was responsible to, the company for the conduct of the business of the company.”
- Expanded individual rights
Although the 2018 draft would have provided individuals with many of the rights set out in the GDPR, the proposed “right to be forgotten” was significantly narrower than the corresponding GDPR right: data fiduciaries were required only to “restrict or prevent continuing disclosure of personal data” where the right applied, but not to delete such data.
The Bill would strengthen individual rights in two ways. First, the Bill would introduce a right to erasure, embedded within the right to correction, where personal data “is no longer necessary for the purpose for which it was processed.”
Second, the Bill would heighten a data fiduciary’s disclosure obligations as part of an access request — potentially beyond what is required by other data protection laws — by granting individuals “the right to access in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary together with the categories of personal data shared with them.” The Bill would permit the DPA to specify in regulations how such disclosure is to be provided.
- Rulemaking authority
As noted above and in our previous posts, both the Bill and the 2018 draft would grant the DPA authority to clarify definitions and provide additional rules regarding many key provisions. The Bill, however, would clarify that the DPA’s input in these circumstances will be in the form of regulations, which may offer the opportunity for further public consultation before any such regulations are crafted.
Not only would the Bill permit the DPA to promulgate regulations on important issues, such as the standards of anonymization, the definition of “significant data fiduciaries,” the period of time required to notify a breach, and the safeguards that may apply to profiling, but the Bill would also require the DPA to craft regulations to clarify the application of certain provisions. For example, the DPA is required to define standards for mandatory annual audits and for developing “trust scores” for data fiduciaries. The regulations would also need to define which organizations would be considered “guardian data fiduciaries” such that additional obligations would attach for children’s data.
As was already provided in the 2018 draft, the DPA would be required to develop “codes of practice” by regulation to aid organizations in complying with the Bill.
- Regulatory sandboxes
Finally, drawing from regulatory innovation in a number of countries, the Bill would require the DPA to establish a “sandbox . . . for the purposes of encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” Participation in the sandbox would exclude data fiduciaries from obligations to have a “specific, clear and lawful purpose” for processing as well as from certain purpose limitation, data minimization and storage limitation requirements.
Eligibility for participation in the sandbox would be limited to data fiduciaries that have their privacy by design policies certified by the DPA.