The Justice BN Krishna Committee has recently submitted the Personal Data Protection Bill, 2018 to the Indian Parliament and in all likelihood we will see a new Data Protection Law in India very soon (either based on the Bill as is or with modifications). With mounting concerns worldwide regarding the protection and need for legal regulation of an individual’s personal data/ information in the face of various scandals such as Cambridge Analytica’s allegedly unauthorised harvesting and use of personal data as well as the changes made by the European Union to its Data Protection law (General Data Protection Regulations), the need for a similar legislation is paramount in India where data driven services and transactions in the digital economy is ever increasing but correspondingly the personal data of Indian nationals sees very little protection. Data is everywhere, being collected, processed and used. The current Bill outlines the contours of how data is to be collected, processed, used and protected.
Below is a gist of India’s Personal Data Protection Bill that every Start-up working in the B2C space should know and plan and make provision for:
- The Bill is applicable to entities within India who process personal data as well as to those entities which are set up outside India, but process data belonging to Indian nationals for the provision of goods/ services to Indian nationals. “Processing” has been defined to mean an operation or set of operations such as collection, recording, storing, adaptation, alteration, retrieval etc. As one can see, the definition is wide enough to cover all web apps or mobile apps or IOT devices which collect any (India-located) user related personal information including through servers located outside India.
- The Bill defines every entity who determines the purpose and means of processing the
personal data as the “data fiduciary” and every entity who actually processes the data basis instructions from a data fiduciary as a “data processor”. The Bill casts the primary onus on the data fiduciary to ensure compliance with this Bill but has subsidiary obligations that are cast on the data processor as well. Typically, every app developer or website operator or any entity which develops, operates and controls the app and determines the reason for collection and processing of data will be regarded as a “data fiduciary” while if a part of the data is shared with a vendor or a third party service provider for processing, then such entity will be the data processor. - The Bill introduces a “purpose limitation” within its ambit, where any entity collecting or processing “personal data” must identify the purpose for the collection and processing the data. Such entity must process personal data as identified in the purpose. For e.g., if the purpose is to offer goods/ services, then data cannot be processed for any other purpose such as say “offering other services” unless such purpose is clearly indicated upfront to the data subject. Therefore every data fiduciary will have to identify the purposes for which the data will be collected, processed within the privacy policy at the time of collection of such data. If the data fiduciary proposes to process data for any purpose which has not been indicated, let’s say for “big data analysis”, then it would be necessary that a separate consent be obtained from the data subject for such processing.
- Every individual whose “personal data” is being processed will need to be given a notice at the time of collection of personal data which will have to include, among other things: the purpose of data collection, the types of data to be collected, the identity and contact details of the data fiduciary, the right of the data subject to withdraw his/ her consent, etc.
- “Consent” has become paramount under the Bill. Consent of the data subject re his/ her personal data will have to be free, informed, specific in terms of the purpose of data processing, clear and capable of being withdrawn. One must note that “Consent” will necessarily have to be “opt-in” for every service for which the personal data is being collected. Moreover consent must be obtained at the time the personal data is being collected. The Bill does not indicate the requirement of a separate consent and an “affirmative” act of say using of the app/service itself can potentially be treated as consent, subject to satisfying all other criteria described above and that consent will have to be an “opt-in” in terms of a default setting.
- The Bill has defined a separate category of personal data, which is “sensitive personal data” which can be processed only with “explicit consent” of the data subject. “Explicit consent” would entail that the data subject is aware that his/ her sensitive data is being collected and that it is being processed for purposes which are specified by the processor and the users consent is not inferred from her conduct (for instance in using the app or services). “Sensitive personal data” includes passwords, financial data, health data, genetic data, biometric data, transgender status, caste or tribe, etc. The standard of care for categories of “sensitive personal data” is higher. Therefore start- ups in the medical services space or financial services space will have to have robust systems which ensure ‘explicit consent’ capturing and that any sensitive personal data in their possession is kept safe from data breaches.
- The Bill provides for a “data storage limitation”, where an entity can store data only for so long as the purpose for which it is collected is satisfied, unless any law mandates a longer storage period.
- All data subjects have the right, under the Bill to request the data fiduciary for a brief summary of their data being processed along with a summary of the processing activities that are being carried out. The data subject also has the right to make requests to rectify any errors, or inaccurate or misleading information. All of the above is basis an application made by the data subject for review and rectification by the data fiduciary.
- Every data subject has a right to get his/ her data in a portable form which is structured using commonly used machine readable format. The data subject can request for his/her personal data to be transferred to any other data fiduciary in the commonly used machine readable format and the data fiduciary is under a legal obligation to do so but could charge a reasonable fee. Once the fee is paid, the portability must be ensured as soon as possible but definitely within the timelines that may be specified by the Data Protection Authority. Till such time that the Data Protection Authority prescribes a timeline, start-ups may consider setting out a reasonable timeline such as 30-45 days in the privacy policy itself to meet the legitimate expectations of the data subject and so that the data fiduciary gets ample time to process the request.
- The data subject’s right to be forgotten is also included in the Bill where an individual can prevent any continued disclosure and use of his/ her personal data after he/ she has completed use of any service and where such disclosure of data has completed the purpose of use or where the data subject has withdrawn consent. This is referred to worldwide as the “right to be forgotten”.
- Except for the right of access, confirmation and correction of the data subject’s own personal data, the data fiduciary can charge a reasonable fee for the other services such as data porting.
- The Bill mandates “Privacy by Design” where data fiduciaries are essentially required to (i) implement such policies and measures which are designed to protect a user’s personal information, in a consistent and cognizant manner at every stage of engagement with personal data and (ii) ensure that technology used in processing personal data is commercially accepted and upto certified standards. The overarching principle that is followed is that personal data needs to be protected from data breaches. This provision is important for AR/ VR device manufacturers, IoT device manufacturers in particular.
- Every corporation who is a data fiduciary must appoint a “Data Protection Officer” whose qualifications are set out in the Bill.
- The Bill mandates that at least one copy of all personal data of Indian nationals must be stored on servers in India. This would mean that all overseas companies and service providers who provide services to Indian nationals must store one copy of such data within India. This is one of the contentious provisions in the Bill and we will have to wait and see if this condition gets approved.
- The law mandates a Data Protection Authority which will be the adjudicating authority who will monitor the working and enforcement of the law and take action including levying compensation as well as ordering search and seizure notices in the event of data breaches.
- Last but not the least are penalties, which are staggering. The penalty for any breaches of personal data are INR 5 Crore or 2% of global turnover of the entity whichever is higher. Also, the Bill permits any data subject who has suffered harm as a result of any violation of the Bill or any regulation under it, by a data fiduciary or a data processor, to seek compensation from the data fiduciary or the data processor, as the case may be. Typically only data fiduciaries will be held liable, except where a data processor has acted outside the terms of its contract with the data fiduciary or has been negligent in the protection of personal data.
- All criminal offences under the Act are cognizable and non-bailable. Criminal offences range from “obtaining, transferring or selling personal data in contravention of the Act, which carries a punishment by way of imprisonment for a term not exceeding 3 years or a fine of INR 2 Lakhs or both. If the data that is obtained, transferred or sold in contravention of the Act is sensitive personal data, the offence is punishable with imprisonment of upto 5 years or fine of upto INR 3 lakhs or both. The power to investigate offences under this law are with a police officer not below the rank of an inspector.
In summation, we believe that once this Bill becomes law, businesses will have to comply with each of its requirements and the best way for that is to be informed and be prepared.
We at TLA have a separate privacy practice vertical and will help Start-ups in complying with India’s proposed law on data protection, as and when it comes into being and gets notified. In the meantime it is our endeavour to keep updating you with the latest news and practices in the world of data privacy.
Please contact us at vidyut@tlaindia.com or sheahan@tlaindia.com for any queries on the above.