Explained: India’s Personal Data Protection Bill

India’s Personal Data Protection Bill was approved by the country’s parliamentary committee on December 2. What is the Bill about, and what does it hold for data security and privacy in a country of 1.4 billion people? Here’s what you need to know.

The Indian Government’s Ministry of Electronics and Information Technology first introduced the Personal Data Protection Bill, 2019 in the Lok Sabha, the Lower House of the Indian Parliament, on December 11, 2019. In addition to supervising and regulating the collecting, processing, storage, usage and transfer of personal data of Indian residents as well as the organisations that process such data, the Bill also suggests the establishment of a new Indian regulatory body – Data Protection Authority (DPA).

What’s on the Bill?

Three-tiered structure of data

The Bill categorises data into three categories.

1. Information about an individual who can be identified directly or indirectly based on any characteristic, trait or attribute, comes under ‘personal data’.

2. ‘Sensitive data’ includes information on financials, health, sexual orientation, genetics, transgender status, caste, and religious belief.

3. Information deemed extremely significant by the government, such as military or national security data, is classified as ‘critical personal data’.

Cross-border transfer of data

The Bill specifies that all sensitive personal data and critical personal data shall continue to be processed and stored in India. The sensitive personal data will only be transferred where necessary prompt actions are required such as health or emergency services or where the Central Government has considered such a transfer permissible, and where such a transfer does not jeopardise the State’s security or strategic interests, in the opinion of the Central Government.

Grounds of processing of personal data

The Bill allows data to be processed by a data fiduciary – an individual who decides the means and purpose of processing personal data. Such processing will only be subject to certain purposes, collection and storage limitations. Personal data, for instance, can only be processed for specific, clear and lawful purposes. Additionally, all data fiduciaries must undertake certain transparency and accountability measures which include implementing security safeguards and exercising grievance redressal mechanisms. When processing sensitive personal data of children, they are also expected to have measures for age verification and parental consent.

However, in certain circumstances, personal data is allowed to be processed without consent, such as when the requirement is by the State for providing benefits to the data principal, legal proceedings and responding to a medical emergency.

Rights of the data principal

The Bill outlines certain rights of the principal – the individual whose data is being stored and processed. These include the right to be informed on whether their personal data has been processed, the right to update their personal data, the right to see which fiduciaries have access to their data and to restrict further disclosure.

Privacy by design policy

Under the Bill, data fiduciaries must develop a ‘privacy by design policy’ to ensure privacy, security and provide a transparent personal data process. It should also guarantee that the technology used to process personal data meets commercially acceptable or approved standards and privacy is maintained throughout the processing.

Exemption for government agencies

The Central Government has the authority, under the said Bill, to exempt any governmental agency from complying with its provisions, if it is deemed necessary or expedient in the interests of the sovereignty, integrity and security of India. It also exempt government agencies from any restrictions in instances of friendly relations with foreign states, public order, or to prevent the incitement of the commission of any offence relating to any of the above.

Sharing of anonymized data by government

An important addition to this Bill is that the Central Government may direct data fiduciaries to provide any anonymised personal data – data which has undergone the process of anonymisation, or other non-personal data to enable better targeting of delivery of services.

Who will have to comply?

The Bill applies to the processing of personal data collected, disclosed, shared, or otherwise processed within India’s territory and the processing of personal data by the State, any Indian company, any Indian citizen, or body of persons incorporated or created under Indian law. It also applies to foreign companies dealing with the personal data of Indian individuals.

What are the penalties for non-compliance?

The Bill gives power to the Data Protection Authority to take action against anyone who does not comply with the Bill or the regulations made by either the Authority or the government.

Processing or transferring personal data in contravention of the Bill is punishable by a fine of Rs 150 million, or 4 per cent of the annual turnover of the data fiduciary, whichever is higher.

Failure to conduct a data audit is also punishable by a fine of Rs 50 million, or 2 per cent of the annual turnover of the data fiduciary, whichever is higher.

Furthermore, re-identification and processing of de-identified personal data without consent are punishable by up to three years in prison, a fine, or both.

Does the Bill dilute the right to privacy?

Although the Bill establishes a number of rules and regulations for companies to follow, objections have been voiced against it, particularly by large multinational IT firms wishing to operate in Indian territory. One of the most serious concerns levelled at the Bill is that it invades citizens’ basic right to privacy.

In the interest of national security, the Bill authorises the Central Government to exclude any government agencies from any or all of the Bill’s provisions. Furthermore, data fiduciaries are not compelled to follow the principles of purpose limitation, limited data retention, and so on, when it comes to law enforcement, judicial obligations, and establishing legal claims. Critics fear that such exclusions will allow the government to conduct surveillance with no explicit protections.

According to some critics and lawyers, security and government access are not achieved by localisation. Even if the data is housed within the country, national agencies may not have access to the encryption keys.

Critics have also expressed concerns about the proposed design of the Data Protection Authority. This entity will be in charge of enforcing the Bill’s provisions, including systems for obtaining consent, limitations on the use of data and cross-border data transfers.

Since the Committee will be made up of senior public workers nominated by the Central Government, including the Cabinet Secretary, its independence has been questioned. The government’s capacity to select and remove members will also raise concerns about the government’s ability to sway this ‘independent’ organisation. As a result, the DPA’s governing committee will be devoid of an independent expert or a member of the judiciary.

The Personal Data Protection Bill is an important step towards establishing a data protection system, but certain clauses in it may undermine the fundamental right to privacy. It is very important that citizens’ privacy is prioritized as the ultimate goal of data protection. Perhaps this clarity could help policymakers in resolving the conflicting interests between the State’s surveillance agendas and the citizens’ right to privacy.