From Blanket Exemptions To Rising Cost Of Compliance: The Personal Data Protection Bill Conundrum


After over three years of deliberations and multiple amendments, India’s Personal Data Protection Bill is finally likely to be tabled in Parliament during the ongoing budget session

Experts have flagged Clause 35 of the bill, which empowers the central government to give a blanket exemption to law enforcement and other agencies from requiring the consent of data owners

Besides the exemptions, startups are concerned about rising costs owing to requirements of data localisation and lack of clarity around the policies for critical personal data

“You must start somewhere to get anywhere”, goes the oft-repeated quote for inspirational purposes. That Supratim Chakraborty, a partner in the corporate and commercial practice group of law firm Khaitan & Co, said those words while talking about India’s Personal Data Protection Bill, 2019, evinces the spectacularly long-drawn process from the bill’s ideation and drafting to its probable passing in Parliament during the current budget session.

Chakraborty, an expert on data privacy regulations, who has attended several consultation meetings to discuss the PDP Bill’s formulation, expressed worry that the present version of the bill seems to have steered away from what was conceptualised by the Justice B.N. Srikrishna Committee, which was given the mandate by Law Minister Ravi Shankar Prasad to draft the legislation back in 2017.

Chakraborty told Inc42 that the Srikrishna Committee had wanted the bill to be equally applicable to both private players and government agencies. But Clause 35 of the PDP Bill, 2019, empowers the central government to exempt any government agency from the application of the act, in the interest of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states and public order. 

That clause remains the biggest point of contention for those keenly watching all developments in relation to the bill. 

‘Blanket Exemption For Government Is Unconstitutional’

According to a special report by policy think-tank Observer Research Foundation (ORF), “blanket exemptions and lack of executive or judicial safeguards will fail to meet the standards laid out by the Supreme Court in the KS Puttaswamy v. Union of India case (2017), where it ruled that measures restricting the right to privacy must be backed by law, serve a legitimate aim, be proportionate to the objective of the law, and have procedural safeguards against abuse. Vague grounds that trigger exemptions, the absence of procedure in granting exemptions and lack of independent oversight are major concerns.”

Chakraborty also asserted the same, expressing hope that it could be one of the amendments in the final version of the bill. 

“Clauses 35 and 36 enhance the surveillance technology of the government and give it the authority to access personal data without restrictions. We expect the government will recognise that unfettered access to personal data, without safeguards, is potentially unconstitutional,” Prasanth Sugathan, legal director at Software Freedom Law Centre, told Inc42.

But Clause 35 isn’t the only major amendment to be expected in the PDP Bill. Recent media reports suggested that the joint parliamentary committee, headed by Bharatiya Janata Party’s Meenakshi Lekhi, which has been discussing the bill since 2019, has, in its final report, suggested that as many as 89 amendments and one new clause be added to the bill.

Judicial Representation Critical For Data Protection Authority

Chakraborty had some ideas about what these amendments could be, or ought to be.

“Clause 42 of the bill talks about the selection committee that will decide the composition of the Data Protection Authority. The bill states that this selection committee will have three members, all secretary-level officials from the central government. This needs to be corrected and some representatives from the judiciary need to be included in the committee too,” he told Inc42.

A more divisive issue in the bill is how it trifurcates personal data. The umbrella group is all personal data — which can be used to identify an individual. Some types of personal data are considered sensitive personal data (SPD), which the bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more. Another subset is critical personal data, which hasn’t been defined in the bill.

Chakraborty felt that the sub-classification of data in three categories could make life cumbersome for multinational companies which have been operational in India for years. 

“These companies would already have huge amounts of data from their Indian customers. To ask them to divide all data into these categories, and place restrictions on offshore processing, could add to their regulatory woes here,” he said, adding that industry voices have expressed the need to prevent the internet in India from becoming ‘splinternet’. 

Will PDP Bill Increase Compliance Costs?

This sub-classification of personal data could have deeper ramifications for data localisation and storing sensitive personal data. SPD can be transferred offshore only for processing, with the explicit consent of the data principal or the user. Even then, it will continue to be stored in India. Critical personal data, which remains undefined in the bill, cannot be processed offshore, except in special circumstances.

Khaitan & Co’s Chakraborty felt that though critical personal data remains undefined, it could mean data pertaining to active personnel of the Indian Army or the Indian government. 

“Localisation is one aspect that could see amendments, given how debates have intensified about how foreign companies have allegedly been utilising the data of Indian citizens,” he added. 

SFLC’s Sugathan hoped the requirement of storing and processing critical personal data in India would be done away with. “Since the government hasn’t defined critical personal data, the bill shouldn’t leave it up to the whims and fancies of the executive to define what it means and accordingly, restrict the cross-border flow of data,” he said.

Previous media reports have already delved into how data localisation requirements could increase compliance costs for multinational companies, which have globally distributed data centre operations, synced together for efficiency. But Indian internet giants such as Paytm and Reliance Jio have backed data localisation.

Notably, several provisions of the bill, including the obligations of a data fiduciary — which collects, stores and processes data — towards the data principal, will not apply to small entities for whom the processing of personal data is not automated.

Who Is A Child?

Chakraborty also flagged Clause 28 of the bill, which states that social media intermediaries, classified as significant data fiduciaries, should provide users with the option of voluntarily verifying their accounts in a manner as may be further prescribed by the government. Users who choose to voluntarily verify their accounts would be provided with a visible mark of verification, possibly a tick alongside their profile header, similar to the one currently employed by several mobile apps. Authorities have stated that this would decrease anonymity on social media and, consequently, guard against online trolling and cyber abuse.

“There has been some push to make this verification of users on social media mandatory. Whether that happens and what means of verification are made available by the government remains to be seen. Ideally, this legislation should not delve into this aspect. This will be better suited as a provision in the IT Act, especially when we are looking to tackle cyber abuse,” Chakraborty added. 

Another suggestion made in consultation meetings on the bill was about reconsidering the age limit for classifying a user as a ‘child’. The PDP Bill states that for users below 18 years of age, data fiduciaries would have to obtain the consent of their parent/guardian before processing their data. However, as pointed out by Chakraborty, usage of tech platforms and mobile apps is common among teens. Experts have said that children are equipped with the technical prowess to navigate the waters of the internet. For authorities, the concern is rising cases of cyberattacks against children.

“In consultation meetings, people suggested that a child should be defined as someone below the age of 16, instead of the current 18, at par with the legal age in the data privacy legislation for the European Union (EU). But the Srikrishna Committee didn’t budge from its decision,” Chakraborty said. 

Given that the bill places certain restrictions on how the data of children is to be dealt with, a high age limit could make compliance unfeasible.

It’s Been Too Long

With concerns around user privacy continuing to be amplified, owing to a spate of data breaches as well as a contentious privacy policy update by Facebook-owned messaging platform WhatsApp last month, the need for the PDP Bill continues to be felt. 

Tech experts have previously told Inc42 that the slow progress of the PDP Bill has meant that matters relating to data privacy of Indian users are subjected to an exhausting process of PILs filed by members of the public, growing paranoia on social media about privacy violations, and the government overstepping its bounds for the regulation of technology. 

But the Indian government can barely claim the moral high ground in safeguarding personal data privacy. Consider the various data breaches that have left millions of user Aadhaar records jeopardised. Or the fact that the central government approved its Health Data Management Policy — for collecting citizens’ data as part of the National Digital Health Mission — before the passing of the PDP Bill. 

“We have to start somewhere. This bill has been in the works for a long time. The passing of the bill, with or without the needed amendments, would spark a debate about what needs to be added. Experts and civil society organisations will spring into action and the courts will do their work. The bill will continue to evolve,” Chakraborty summed up.
