Data Privacy Newsletter: EMERGING DATA PROTECTION LAWS IN INDIA – ARE YOU COMPLIANT? – May 21 – Vol. 4
With a rising number of nations passing legislation governing data protection practices and compliance, CISOs and security executives in organisations that operate globally face the challenge of adopting a cross-regulatory compliance strategy within a limited time frame.
While the General Data Protection Regulation (“GDPR”) in the European Union turned out to be a baseline compliance for setting up a benchmark of standardising the data privacy compliances worldwide, the GDPR wasn’t the beginning, and certainly won’t be an end.
At present India does not have a specific legislation governing data protection. Data protection in India is currently governed by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “Rules 2011”), which are an extension of the Information Technology Act 2000 (the “IT Act”). India also has certain sector-specific laws, as set out below.
1. Financial Sector: The Reserve Bank of India (the “RBI”) has issued Data Privacy and Data Security guidelines for financial entities under its purview. ‘Data Localization’ was introduced by the RBI in 2018 and the entire payments data now needs to be stored in India.1
2. Insurance Sector: The Insurance Regulatory and Development Authority (the “IRDIA”) has issued guidelines for cybersecurity and data privacy for insurers. The IRDIA regulations contain compliances related to confidentiality and protecting consumer data.
3. Telecom Sector: The Telecom Regulatory Authority of India (the “TRAI”) has issued recommendations for privacy, security, and ownership of data. 2 Apart from the recommendations, various compliances are incorporated in the Unified Licensing Agreements regime. Principles such as encryption, consent, data breach notifications, data minimization and purpose limitation are recommended by TRAI.
Despite the foregoing, the Rules 2011 have to a certain extent proved obsolete compared to laws like the GDPR. Mindful of this gap in regulation, and following the footsteps of the developed nations' regulatory regimes on data protection, including the GDPR, India has been working on introducing an extensive data privacy legislation since 2017. The latest draft of the law, known as the Personal Data Protection Bill, 2019 (the “PDP Bill 2019”), is pending before the Joint Parliamentary Committee. The PDP Bill 2019 provides a glimpse of the future data privacy landscape in India, with the final draft slated for release later in 2021. The PDP Bill 2019 and the GDPR are similar in many ways, yet the peculiarities of Indian law will have a deep impact on the compliance strategies of India Inc. The ‘Right to Data Privacy’ is a fundamental right recognized by the Supreme Court in the Justice KS Puttaswamy case. 4 In the absence of a specialised data protection framework, an individual can still approach the courts to uphold this right. Recently, some entities have faced severe backlash in India over their privacy practices; it makes sense to be proactive and focus on prevention rather than a cure.
COMPARATIVE ANALYSIS BETWEEN THE EXISTING AND PROPOSED LAWS
1. Applicability and Scope
Rules 2011: The Rules 2011 apply to ‘body corporates’. The term includes any company, firm, sole proprietorship, or association of individuals engaged in commercial or professional activities, and the obligations also extend to ‘any person on behalf of a body corporate.’
PDP Bill 2019: The PDP Bill 2019 aims to protect the privacy of individuals in relation to their personal data (the “Personal Data”), protects the rights of individuals whose Personal Data is processed, and creates a framework for organizational and technical measures in the processing of Personal Data. The key stakeholders under the PDP Bill 2019 are defined as a Data Fiduciary, a Data Processor and a Data Principal, who are similar to a Data Controller, Data Processor and Data Subject respectively under the GDPR.
2. Extra-Territorial Applicability
Rules 2011: The IT Act may apply to entities based out of India if they violate the law in connection with computer resources or networks located in India. The scope for extraterritorial applicability is narrow.
PDP Bill 2019: The PDP Bill applies to entities outside India processing Personal Data in connection with any business carried on in India or with respect to any systematic business activity in India, and for activities that involve profiling Personal Data of individuals in India. The provision works similarly to the GDPR’s scope of application and has wider applicability than the Rules 2011.
3. Definition and classification of Personal Data
Rules 2011: ‘Sensitive Personal Data or Information’ (“SPDI”) contains personal information such as passwords, financial information such as bank numbers and card details, health and medical condition, sexual orientation, and biometric information. It includes any information collected by body corporates while providing a service, or information received for processing or storage in pursuance of a contract. The Rules 2011 do not apply to publicly available data.
PDP Bill 2019: Personal Data constitutes data about or relating to a natural person who is directly or indirectly identifiable. It includes online and offline identifiers and inferences drawn from Personal Data for the purpose of profiling. Personal Data is further classified into (1) ‘Sensitive Personal Data’, which includes eleven different categories such as financial data, health data, official identifiers, sex life, caste or tribe, religious or political belief, etc. (the government can add additional categories at a later stage), and (2) ‘Critical Data’, which will be notified by the government at a later stage.
4. Specific regulator/Data Protection Authority
PDP Bill 2019: The proposed Data Protection Authority (“DPA”) will act as a regulatory body focused solely on matters related to data protection, and has the powers to adjudicate and come up with new rules and codes.
PDP Bill 2019: The compliances under the PDP Bill 2019 are as follows:
Obligations of Data Fiduciary are: (1) Consent must be taken for processing of Personal Data, (2) purpose limitation while processing, (3) data minimization while processing, (4) following privacy notice requirements, (5) maintain the quality of data, (6) specific clear lawful purpose for processing data.
Transparency and Accountability obligations are: (1) implementing privacy by design, (2) transparency in processing, (3) security safeguards, (4) reporting of personal data breaches, (5) data trust scores, (6) grievance redressal mechanisms.
Significant Data Fiduciaries: ‘Significant Data Fiduciaries’ will be notified by the DPA based on various factors such as volume of data, the sensitivity of Personal Data, turnover, risk of harm, etc. Significant Data Fiduciaries have an added burden of compliance such as ‘Data Protection Impact Assessment’, maintenance of records, third party audits and designation of Data Protection Officer.
Individual Rights: The Bill empowers individuals with the right to data portability, the right to be forgotten, the right to confirmation and access, the right to correction and erasure. The data fiduciary must provide an adequate mechanism for such rights.
Children’s Data: The Bill creates enhanced compliance for processing involving children’s data. The general obligations include age verification and parental consent. A special class of ‘Guardian Data Fiduciaries’ is created for entities that specifically target or deal with children’s data.
6. International data transfer
Rules 2011: The body corporate transferring ‘Sensitive Personal Data’ outside India must ensure the same level of compliance as provided in the Rules 2011; a contract for data transfer can be used to this effect. The transfer is allowed only if it is necessary for the performance of a contract and if the individual has consented.
PDP Bill 2019: Personal Data has no restrictions for international transfers. Sensitive Personal Data can be transferred outside India provided a copy has been stored in India. The transfer mechanism is based on explicit consent and approval of the regulator for contracts or intragroup schemes. The regulator may also approve certain entities or countries where it finds adequate regulatory protection. Critical Data cannot be transferred outside India and must be stored in India. Emergency and Government approval are the only two grounds for the transfer of critical personal data.
Rules 2011: Violation of the obligations under the Rules 2011 can result in a maximum of 3 years of imprisonment and/or a fine of up to 5 lakh INR. Compensation is awarded in cases where adequate security practices are not maintained.
PDP Bill 2019: The Bill has extensive provisions for penalties; the penalty can go up to Rs 15 crore or 4% of global turnover. Additionally, criminal and civil penalties are set out depending on the nature of violations.
DEVIATIONS: INDIAN DATA PROTECTION FRAMEWORK VS GLOBAL DATA PROTECTION LAWS
Some of the provisions under the PDP Bill 2019 may have far-reaching consequences for data transfers, compliance cost, issues related to regulatory uncertainty, and fears of excessive government interference:
1. The PDP Bill 2019 envisages that private entities may have to share Personal Data, non-personal data or anonymised data with the government upon request. Thus, the Bill expands its material scope beyond Personal Data.
2. The PDP Bill 2019 widens the scope of “Sensitive Personal Data” to include financial data within its ambit and further additions can be made to the list by government notification.
3. The PDP Bill 2019, unlike other laws, omits the performance of a contract as an outright lawful basis of processing.
4. The PDP Bill 2019 allows processing for “reasonable purposes”, yet the burden to specify what is a reasonable purpose is left to the regulator rather than the data fiduciary.
5. The PDP Bill 2019 introduces new concepts such as consent managers, data trust scores and a specific class of social media intermediaries.
6. Data localisation is one of the key aspects of the PDP Bill 2019: a specific class of critical data cannot be transferred outside India. Sensitive Personal Data can be transferred outside India, subject to certain frameworks which ensure that the standards for privacy and security are adequate. The regulator has to approve your contract or other transfer mechanisms.
7. The PDP Bill 2019 provides the Data Protection Authority wide discretionary powers to create additional rules and codes of conduct.
THE PDP BILL 2019 WILL OVERHAUL THE PRIVACY COMPLIANCES IN INDIA. ORGANIZATIONS NEED TO PREPARE A WELL-THOUGHT-OUT GOVERNANCE PLAN. AN EARLY PREPARATION FOR THE PDP BILL 2019 WILL CERTAINLY BE A GAME CHANGER FOR ANY ORGANISATION.
LegaLogic (www.LegaLogic.co.in) is a full-service law firm with a team of more than 50 people. Founded in 2013, LegaLogic has been advising corporates across multiple industry segments. It is a go-to firm for Corporate Commercial Matters, M&A, IP, Employment Law, Real Estate, Dispute Resolution and Litigation, India Entry Strategy and Private Client Practice.