Feature: Personal Data Protection Law in India

Introduction

On 2nd September, 2020, the Ministry of Electronics and Information Technology (MEITY), Government of India, invoking its power under section 69A of the Information Technology Act read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009, and in view of the emergent nature of the threats, blocked 118 mobile apps. As per the notification issued by MEITY, these apps were engaged in activities prejudicial to the sovereignty and integrity of India, the defence of India, the security of the State and public order. Further, MEITY had received many complaints from various sources, including several reports about the misuse of some mobile apps available on the Android and iOS platforms for stealing and surreptitiously transmitting users’ data, in an unauthorized manner, to servers located outside India. The compilation of this data, and its mining and profiling by elements hostile to the national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India, was a matter of very deep and immediate concern which required emergency measures. This move by MEITY was intended to safeguard the interests of crores of Indian mobile and internet users, and was a targeted measure to ensure the safety, security and sovereignty of Indian cyberspace.

This decision by MEITY has yet again opened up the discussion on the urgent need to have strong Data Protection Laws in India.

As per a report published by Statista, there are presently nearly 700 million internet users in India. This figure is projected to grow to over 974 million users by 2025. In fact, India was ranked as the second largest online market worldwide in 2019, second only to China.

In this digital age, people knowingly or unknowingly share sensitive personal data on various digital platforms such as e-commerce sites, mobile apps, webinar platforms, net banking, e-wallets etc. The users of these platforms grant permission to use their personal data simply by ticking ‘I agree with the terms and conditions’, with or without reading the Privacy Policy. This practice leaves millions of users susceptible to hackers and various other threat actors.

Right to privacy is a fundamental right in India

The right to privacy is a fundamental right under Article 21 of the Constitution of India. This was affirmed by a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy vs Union of India in its historic judgment dated 24th August 2017, wherein the Court declared ‘the right to privacy’ an integral part of Part III of the Constitution of India, which lays down our fundamental rights.

One might wonder why the question of whether the right to privacy is a fundamental right was brought before a nine-judge bench at all. In 2017, a five-judge bench of the Supreme Court hearing the case on the Aadhaar Card and the right to privacy said that it wanted a nine-judge bench to first decide whether privacy is a fundamental right, before it decided the main Aadhaar case. The Attorney General in the Aadhaar case had argued that although several Supreme Court judgments had recognised the right to privacy, the Court had refused to accept that the right to privacy was a fundamental right in the Kharak Singh judgment (passed by a six-judge bench in 1960) and the M P Sharma judgment (delivered by an eight-judge Constitution bench in 1954). It was therefore necessary to constitute a nine-judge bench to decide whether or not the right to privacy is a fundamental right.

This broad interpretation by the Supreme Court led to a stream of initiatives by the government towards Personal Data Protection laws.

Current laws prevalent in India

India does not have a stand-alone law protecting personal data and information shared or received in verbal, written or electronic form. Though protections are available, they are scattered across a mix of statutes, rules and guidelines.

The most prominent provisions are contained in the Information Technology Act, 2000 (as amended by the Information Technology Amendment Act, 2008) read with the Information Technology [Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information] Rules, 2011 (SPDI Rules). The IT Act is the primary law in India dealing with cybercrime and electronic commerce. The SPDI Rules, as the name suggests, only cover data and information exchanged in electronic form, not data received through non-electronic means.

When the IT Act, 2000 came into force on October 17, 2000, it and the procedures framed under it lacked the provisions required to protect one’s sensitive personal information provided electronically. This eventually led to the introduction of the Information Technology Bill, 2006 in the Indian Parliament, which in turn led to the Information Technology (Amendment) Act, 2008, whose provisions came into force on October 27, 2009. It inserted Section 43A in the Information Technology Act, according to which, if:

a corporate body possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected.

It also inserted Section 72A, according to which:

any person who discloses information in breach of a lawful contract may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.

A related penalty is set out in Section 72 of the IT Act, which provides that:

any person who, in pursuance of any of the powers conferred under the IT Act, or the Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document or other material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with a fine which may extend to Rs 1,00,000 (approx. US$ 3,000), or with both.

Section 75 mandates that the provisions of the Act shall also apply to an offence or contravention committed outside India by any person, if the conduct constituting the offence involves a computer or computer network located in India.

However, the scope and coverage of the IT Act and Rules are limited. The majority of the provisions apply only to ‘sensitive personal data and information’ collected through a ‘computer resource’. The provisions are restricted to corporate entities undertaking the automated processing of data, and consumers are able to take enforcement action in relation to only a small subset of the provisions. There is no provision on data localisation, which was the major concern and the reason for the ban of the Chinese apps in India.

In order to address these limitations, India needed a comprehensive data privacy law.

The Personal Data Protection Bill, 2019

After the Supreme Court’s landmark judgment in the Justice KS Puttaswamy case, which held that privacy is a constitutional right, MEITY formed a 10-member committee led by retired Supreme Court judge B.N. Srikrishna to make recommendations for a draft Bill on the protection of personal data. After working on it for a year, the committee submitted its report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” along with a draft bill on personal data protection. The revised Personal Data Protection Bill, 2019 (Bill) was introduced by Mr. Ravi Shankar Prasad, Minister for Electronics and Information Technology, in the Lok Sabha on December 11, 2019. Currently, the Bill is being examined by a 30-member Joint Parliamentary Committee (JPC), which has been asked to present its report in the winter session of Parliament in December 2020.

Salient features of the Bill

After the ban of the Chinese apps, an individual would naturally be concerned whether their personal data, floating around on various platforms, is secure. An individual would want to know what safeguards and norms the Bill imposes on the collection and processing of data, as well as on the cross-border transfer of such data:

1. Application of the Act to processing of personal data – The Bill governs the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India by:

i. Government, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;

ii. Data fiduciaries or data processors not present within the territory of India, if such processing is— (a) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or (b) in connection with any activity which involves profiling of data principals within the territory of India.

iii. However, it will not apply to anonymised data. Anonymisation, in relation to personal data, means an irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority. Anonymised data means data which has undergone the process of anonymisation.

2. Kinds of personal data – The Bill has categorised data under three broad heads: Personal Data, Sensitive Personal Data and Critical Personal Data.

i. Personal data includes data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual, collected online or offline.

ii. Sensitive Personal Data includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government in consultation with the Authority and the concerned sectoral regulator.

iii. Critical Personal Data means such personal data as may be notified by the Central Government as critical personal data.

3. Obligations of data fiduciary – ‘Data Fiduciary’ (known as Collector under GDPR) means any person, including the State, a company, any juristic entity or any individual, who alone or in conjunction with others determines the purpose and means of processing of personal data.

‘Data Principal’ means the natural person to whom the personal data relates.

i. Prohibition of processing of personal data – Personal data can be processed only for a specific, clear and lawful purpose.

ii. Limitation on purpose of processing of personal data – Every person processing personal data of a data principal shall process such personal data— (a) in a fair and reasonable manner and ensure the privacy of the data principal; and (b) for the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected.

iii. Limitation on collection of personal data – Personal data shall be collected only to the extent necessary for the purposes of processing such personal data.

iv. Requirement of notice for collection or processing of personal data – Every data fiduciary shall give the data principal a notice, at the time of collection of the personal data or, if the data is not collected from the data principal, as soon as reasonably practicable, containing the following information, namely: (a) the purposes for which the personal data is to be processed; (b) the nature and categories of personal data being collected; (c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable; (d) the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent; (e) the basis for such processing, and the consequences of the failure to provide such personal data; (f) the source of such collection, if the personal data is not collected from the data principal; (g) the individuals or entities, including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable; (h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable; (i) the period for which the personal data shall be retained or, where such period is not known, the criteria for determining such period; and any other information as may be specified by the regulations.

v. Quality of personal data processed – The data fiduciary shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed.

vi. Restriction on retention of personal data – The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing.

vii. Accountability of data fiduciary – The data fiduciary shall be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf.

viii. Consent necessary for processing of personal data – Personal data shall not be processed except on the consent given by the data principal at the commencement of its processing. The Data Principal can withdraw consent at any time. The burden of proof of having obtained consent is on the Data Fiduciary.

4. Restriction on transfer of Personal Data outside India

i. Personal Data can be processed and stored outside India.

ii. Sensitive Personal Data should be stored in India and may be transferred outside India for processing only if the data principal has explicitly consented to such transfer, and subject to certain additional conditions such as:

a. the transfer is made pursuant to a contract or intra-group scheme approved by the Authority, which has made provisions for the effective protection of the rights of the data principal under this Act, including in relation to further transfer to any other person;

b. the Central Government, after consultation with the Authority, has allowed the transfer to a country, or to such entity or class of entity in a country, or to an international organisation, on the basis of its finding that (i) such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements; and (ii) such transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction.

iii. Critical Personal Data can only be processed and stored in India. Critical personal data may be transferred outside India only where such transfer is (a) to a person or entity engaged in the provision of health services or emergency services, where such transfer is necessary for prompt action; or (b) to a country, or any entity or class of entity in a country, or to an international organisation, where the Central Government has deemed such transfer to be permissible under the condition described in (ii)(b) above and where such transfer, in the opinion of the Central Government, does not prejudicially affect the security and strategic interest of the State. Any transfer under clause (a) shall be notified to the Authority within such period as may be specified by regulations.

5. Exemptions – The central government can exempt any of its agencies from the provisions of the Act: (i) in the interest of the security of the state, public order, the sovereignty and integrity of India, and friendly relations with foreign states, and (ii) for preventing incitement to the commission of any cognisable offence (i.e. one for which arrest may be made without a warrant) relating to the above matters. Processing of personal data is also exempted from the provisions of the Bill for certain other purposes, such as: (i) the prevention, investigation or prosecution of any offence, (ii) personal or domestic purposes, or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.

6. Offences – Offences under the Bill include:

i. Any person who, knowingly or intentionally, (a) re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be, or (b) re-identifies and processes such personal data as mentioned in clause (a) without the consent of such data fiduciary or data processor, shall be punishable with imprisonment for a term not exceeding three years, or with a fine which may extend to two lakh rupees, or with both.

ii. Offences under the Act shall be cognisable and non-bailable.

iii. Offences by companies: every person who, at the time the offence was committed, was in charge of and responsible to the company for the conduct of its business, as well as the company itself, shall be deemed guilty of the offence and shall be liable to be proceeded against and punished accordingly.

iv. Offences by the State: the head of the department, authority or body concerned shall be deemed guilty of the offence and shall be liable to be proceeded against and punished accordingly.

7. Penalties

i. Contravention of certain provisions of the Act is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher; and

ii. Failure to conduct a data audit is punishable with a fine of Rs 5 crore or 2% of the annual turnover of the fiduciary, whichever is higher.

8. Amendments to other laws

The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data (Section 43A).

Conclusion

The Bill, as stated in its preamble, provides for the protection of the privacy of individuals relating to their personal data, specifies the flow and usage of personal data, creates a relationship of trust between persons and the entities processing their personal data, and protects the rights of individuals whose personal data are processed, in order to create a framework for organisational and technical measures in the processing of data, laying down norms for social media intermediaries, cross-border transfer and the accountability of entities processing such personal data. The Bill also seeks to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.

The underlying principles of the Bill are broadly similar to those in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

In the present COVID-19 situation, people are compelled to maintain social distancing, stay at home and work from home. This situation has triggered a huge dependence on digital platforms. Under these circumstances, India urgently needs to fast-track the clearance of the new Personal Data Protection Bill. When and how the Bill gets enacted, and the way in which it is enforced, remain to be seen, and they will determine the fate of the data of millions of Indians.
