Data Privacy Newsletter: All you need to know about Privacy in India-Feb-2021


India has been contemplating comprehensive data protection legislation for the past three years, and 2021 has kicked off on a resounding note with debates on privacy policies1 and contact tracing2 in every household. This paper is a “cheat-sheet” for you to understand the nuances of data privacy in India. The newsletter outlines the evolution of data privacy in India, provides a comparison across the globe and tells you exactly what is peculiar in India’s proposed law.

What is Data Privacy?

Data privacy refers to the handling of personal data while respecting an individual’s right to privacy. Data privacy consists of a set of privacy principles and rights which govern data collection, processing, data sharing, data transfers and use of personal data for profiling of individuals.

How did the principle of privacy get established in India?

The “Right to Privacy” was established in India as a fundamental right enshrined in the Constitution of India by a landmark judgement of the Supreme Court of India in August 2017.

What is the status of the proposed Law? Why is it taking so long to become an enforceable legislation?

Immediately after the landmark judgement, an expert committee was formed under retired Judge Justice B.N. Srikrishna. The committee released a detailed whitepaper in July 2018 titled “A Free and Fair Digital Economy- Protecting Privacy, Empowering Indians”.4 The committee also released the first ever draft of the “Personal Data Protection Bill 2018.” The proposed draft was greatly inspired by the ground-breaking General Data Protection Regulation (“GDPR”) in the European Union (“EU”).

The Ministry of Electronics and Information Technology revamped the bill and tabled it before the Lok Sabha in December 2019. This is the latest bill, known as the Personal Data Protection Bill, 2019 (“PDP Bill 2019”).5 The PDP Bill 2019 has been under review by a Joint Parliamentary Committee (“JPC”) since December 2019. The JPC received a significant response to its request for stakeholder feedback, with over 200 written submissions and depositions from companies like Facebook, Microsoft, Apple, Amazon, IBM, etc., and prominent industry bodies like the United States Council for International Business, Japan Electronics and Information Technology Association, ASSOCHAM, NASSCOM, etc.6 Reports suggest that as of January 2021, after extensive discussions, the JPC is in the final stage of completing its submission, which is supposed to contain numerous changes.7 The JPC is anticipated to table the report in the first week of March during the budget session. The delays and the extensive process followed while shaping the PDP Bill 2019 are a manifestation of its anticipated impact on the digital landscape.

What is the current legislation governing data privacy in India?

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 8 (“SPDI Rules 2011”) are an extension of the Information Technology Act 2000 (“IT Act”). The SPDI Rules 2011 provide a basic privacy framework and apply to corporate entities that collect “sensitive personal data.” The definition for sensitive data is limited and the compliances required for collection, processing and sharing are minimal. Key features of the SPDI Rules 2011 are:

1. Requirement of a privacy policy.
2. Consent and notice requirements while collecting data.
3. Obligations based on privacy principles: lawful purpose for collection, purpose limitation to data collected, data retention, review, maintenance of accuracy of data and grievance redressal mechanisms.
4. Compliance for data sharing requires consent and adequate contractual protection.
5. Compliance with industry standards to ensure reasonable security practices.
6. The penalty for contravention flows from the IT Act and includes imprisonment up to two years and a fine up to INR 1 lakh.

As it stands today, the protection afforded by the SPDI Rules 2011 is inadequate considering the rapid advancements in the digital landscape.

A quick summary of the PDP Bill 2019

The Personal Data Protection Bill, 2019 includes clauses inspired by the GDPR. Some key aspects are:

• Wide scope and extra territorial application of the law
• Classification of data based on sensitive personal data, critical personal data with added levels of compliance
• Establishment of a data protection authority
• Increased compliance with privacy principles along the lines of GDPR
• Increased compliance where children’s data is involved
• Rights of individuals regarding their personal data
• Frameworks for cross boundary data transfers/ data localisation requirements
• Sharing of personal and non-personal data with the government
• The designated authority and government will have greater power in coming up with codes of conduct and deciding the ambit of critical data
• Hefty penalties for contravention of the law.

How does the proposed Indian data protection framework stand out in comparison to laws across the globe?

The status of comprehensive data protection laws globally

The GDPR promulgated by the European Union is the frontrunner of privacy laws across the globe. The GDPR came into effect in May 2018, followed by a rush of activity as businesses moved to attain compliance with the law. Over the past few years Singapore, Australia, Brazil, Japan, South Korea, Thailand and South Africa have already brought into force GDPR inspired data protection laws.9 China, Canada, and a few other countries have proposed revamped and comprehensive privacy laws. The United States does not have an overarching federal privacy law; the laws at the federal level are sector specific or aimed at government handling of data. California has taken the lead in enacting a state specific comprehensive data privacy framework.

The trends peculiar to India

The GDPR has a major influence on the PDP Bill 2019, yet India takes a different approach on certain key aspects. Listed below are the aspects where the PDP Bill 2019 has chosen to innovate in its framework:

1. The PDP Bill 2019 envisages a clause where private entities may have to share non-personal data or anonymised data with the government upon request.10 Thus the PDP Bill 2019 expands its material scope beyond personal data.
2. Personal data is defined broadly in the PDP Bill 2019 and includes “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline” and any other inferences that are drawn from profiling.
3. The PDP Bill 2019 widens the scope of “sensitive personal data” to include financial data within its ambit, and further additions can be made to the list by government notification.12
4. The PDP Bill 2019 refers to the data controllers as data “fiduciaries”, indicating a relation of trust.13
5. The PDP Bill 2019, unlike other laws, omits performance of a contract as an outright lawful basis of processing.14
6. The PDP Bill 2019 allows processing for “reasonable purposes”, yet the burden to specify what is a reasonable purpose is left with the regulator.15
7. Processing of sensitive personal data requires specific consent. The regulator has powers to specify “significant data fiduciaries”, who are subject to additional compliances and independent audits.16
8. Data localisation is one of the key aspects of the proposed law: a specific class of critical data cannot be transferred outside India.17 Sensitive personal data can be transferred outside India, subject to certain frameworks which ensure that the standards for privacy and security are adequate.18

The timeline for the PDP Bill 2019 to transform into a law is uncertain at this point in time; yet the recent events indicate the need to self-regulate and stay ahead of the curve. Implementing the best privacy practices is necessary to maintain a privacy conscious image. Reach out to us to get a privacy compliance – action plan for your business in India.
