
August 3, 2018

PERSONAL DATA PROTECTION BILL, 2018 | AN OVERVIEW
A committee chaired by former Supreme Court Judge Justice B N Srikrishna ("Expert Committee") was constituted on 31 July 2017 to study and identify key data protection issues and recommend methods for addressing them. On 27 July 2018, the Committee published its report titled "A Free and Fair Digital Economy, Protecting Privacy, Empowering Indians", available here. In addition to the Report, the Committee also suggested a draft "Personal Data Protection Bill, 2018" (Bill) to address privacy and data protection in India. This update summarises some key provisions of the Bill.

Applicability: The Bill applies to the processing of data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information (Personal Data) where such data has been collected, disclosed or shared within the territory of India and processing of such Personal Data is undertaken by the State, any Indian Citizen or any company or body of persons incorporated or created under Indian Law.

The Bill also grants extra-territorial jurisdiction in certain cases where processing of Personal Data is done outside India, if such processing is done in connection with any business carried out within India or in connection with any activity involving profiling of natural persons within the territory of India.

The Bill and all its provisions do not apply to the processing of anonymised data or non-personal data.

Consent: The consent of the natural person to whom the Personal Data relates (Data Principal) must be acquired no later than the commencement of the processing.

Under this Bill, the definition of ‘Valid Consent’ is expanded from that under the Indian Contract Act, 1872 (Contract Act). The requirements of a valid consent under the Bill are as follows:
  1. Consent must adhere to the requirements under Section 14 of the Contract Act.
  2. Consent must be informed by way of disclosure of information set out in Section 8 of the Bill to the Data Principal.
  3. Consent must be specific, i.e. the Data Principal can determine the scope of the consent for the purpose of processing.
  4. Consent must be clear and must be indicated by way of an affirmative action.
  5. Consent must be capable of being withdrawn with the same level of ease with which consent was given.
The burden of proof to establish the validity of consent lies solely on the person receiving / processing the Data (Data Fiduciary). Where consent is subsequently withdrawn and that consent formed a necessary part of the performance of a contract, all legal ramifications arising out of such withdrawal shall be the sole liability of the Data Fiduciary. The Data Fiduciary cannot make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to the processing of any Personal Data not necessary for that purpose.

Rights of the Data Principal: The Data Principal has the right to confirmation of whether the Data Fiduciary is processing / has processed Personal Data of the Data Principal, and the right to access a summary of the Personal Data being processed along with a summary of the processing activities undertaken upon that Personal Data. These summaries must be provided in a manner that is easily comprehensible to a reasonable person.

Right to the correction of inaccurate or misleading Personal Data, as well as the right to completion of incomplete data and updating of out-of-date data. Right to data portability, in the sense that the Data Principal may instruct that such Personal Data be transferred to another Data Fiduciary in a structured, commonly used and machine-readable format.

Right to be forgotten is a crucial right whereby the Data Principal can restrict the disclosure of Personal Data if it has served the purpose for which it was made or the consent has been duly withdrawn by the Data Principal.

Cross Border Transfer of Data: Every Data Fiduciary must ensure the storage, on a server or data centre located in India, of at least one serving copy of Personal Data to which this Bill applies. Personal Data other than those categories of sensitive Personal Data notified may be transferred outside the territory of India where:
  1. The transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Data Protection Authority of India (Authority); or
  2. The Central Government, after consultation with the Authority, has prescribed that transfers to a particular country, or to a particular international organisation is permissible; or
  3. The Authority approves a particular transfer as permissible due to a situation of necessity; or
  4. In addition to clause (a) or (b) being satisfied, the Data Principal has consented to such transfer of Personal Data or sensitive Personal Data.
The Central Government has the power to declare certain categories of Personal Data as “Critical Personal Data”, and processing of such Data must be done only on servers or data centres located in India.

Personal Data and Sensitive Personal Data: Sensitive Personal Data is a subset of Personal Data, and the Bill provides for a stricter degree of consent to be taken for the disclosure and processing of Sensitive Personal Data. “Explicit Consent” is required for processing Sensitive Personal Data. Such consent must first adhere to the expanded definition of “consent”, and over and above that, it must be specific, the Data Principal being given the choice of piecemeal acceptance. Most importantly, the consent must be clear to such a degree that it can be understood without any inference from the conduct of the Data Principal.

“Sensitive Personal Data” means personal data revealing, related to, or constituting, as may be applicable: (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe; (xii) religious or political belief or affiliation; or (xiii) any other category of data specified by the Data Protection Authority under Section 22 of the Bill.

Data Protection Authority: The Central Government shall establish an authority to be called the Data Protection Authority of India. It shall be the duty of the Authority to protect the interests of Data Principals, prevent any misuse of Personal Data and promote awareness of data protection. The Authority takes on both an advisory and a managerial role in various aspects of the Bill. The Authority also has the power to issue directions to data processors and Data Fiduciaries.

Penal Provisions: The penal provisions prescribed by the Bill are inspired by those enshrined in the EU GDPR and are dynamic in nature. The cap on fines varies and is based on the total worldwide turnover of the contravening party. More stringent punishments and penalties have been prescribed for contravention of the rules laid down for the processing of Personal Data, with fines extending up to 4% of the total worldwide turnover of the contravening party. Furthermore, the Data Principal has been given the right to claim compensation for any harm incurred from the contravening actions of the Data Fiduciary or the data processor.

MHCO Comment: The Bill proposed is just a draft, and the Government would now need to deliberate on the provisions and ramifications of the Bill before a suitable law is introduced in Parliament. The Bill has unequivocally laid down certain rights conferred upon Data Principals, which are a good indicator of the nature and intent of the Bill, whereby the Data Principal and his rights have been given a position of importance. Furthermore, the constitution of the Authority bodes well for the rights and interests of Data Principals. The Bill has received mixed reactions, with critics claiming that compliance with its provisions would result in cost escalation for bodies corporate to the detriment of their business. However, in line with the Supreme Court judgment in the Puttaswamy case, the Bill seeks to enhance the right to privacy and ensure that State and non-State actors are equally responsible for the protection of Personal Data. Furthermore, in an article in the Economic Times dated 03 August 2018, a senior government official stated that it is the aim of the current government to introduce the Bill in Parliament in the upcoming Winter Session after consultations within the Government. Time will tell whether the Bill is transformed into a binding statute.
The views expressed in this update are personal and should not be construed as any legal advice. Please contact us directly on +91 22 40565252 or legalupdates@mhcolaw.com for any assistance.
