The GDPR (General Data Protection Regulation) squarely focuses on data protection and on users' control over their own data. China's Cybersecurity Law tilts towards giving the state the upper hand in data processing. India's draft Personal Data Protection Bill 2018 walks a middle path, seemingly wanting to empower both users and the state (giving the latter the benefit of the doubt) as far as personal data protection is concerned.
However, companies processing the data of Indian citizens have been thrown in at the deep end, with the draft mandating that at least one copy of all personal data be stored in India.
Justice B N Srikrishna, under whose leadership the draft was formulated, likened the report and the draft Bill to “buying new shoes. It will be tight in the beginning but will be comfortable later”, meaning that data fiduciaries (the entities that decide how personal data is processed) would take some time to adapt to the new rules.
On July 27, the Justice Srikrishna Committee, after working for almost a year on the Data Protection Bill, released the draft along with a separate committee report on data protection and explained the intent of the Bill: “We have created the draft on the Personal Data Bill keeping the vertices of the triangle in mind. The citizens’ interests have been kept at the top vertex, while a fine balance has been struck between the other two vertices, keeping the trade and industries’ interests as well as the state’s intact.”
The draft Bill was submitted to the Ministry of Electronics and Information Technology (MeitY), which will review it and decide the next steps to initiate the parliamentary procedure. That procedure will take its own course: the Bill will be introduced in one House of Parliament (the Lok Sabha or the Rajya Sabha), passed there, and then taken up by the other House. If the second House suggests amendments, the Bill returns to the first House for approval. Once both Houses have passed it, the Bill goes to the President of India for assent, who may return it for reconsideration with or without recommendations.
The draft Personal Data Protection Bill puts an emphasis on “informed user consent” for the processing of personal data and enshrines a Right to be Forgotten (though not quite in the GDPR’s form). It also prescribes steep penalties and even a list of non-bailable and cognizable criminal offences for violations of the law, recommends the setting up of a Data Protection Authority to deal with all data-related issues in the country, and wants all large data fiduciaries to appoint data protection officers.
Even as data and its safety and security are accorded increasing importance, data frauds are proliferating in India as much as across the world. One of the main aims of the Personal Data Protection Bill was to protect the privacy of data and minimise fraud. The current draft is a step in the right direction on this count.
Commenting on the Bill from a fraud investigation perspective, Jayant Saran, Partner, Forensic-Financial Advisory, Deloitte India, said, “The Bill has placed emphasis on defining various stakeholders and participants such as fiduciary (entity requesting processing of personal data), the processor (analyser of said personal data), and principal (individual to whom the personal data belongs). This is a welcome move considering several other developed economies already have stringent data protection laws.”
The Bill also proposes significant financial penalties for non-compliance, which will compel organisations to re-examine how they treat personal data and take appropriate measures to remain compliant, he adds.
“Specifically, in the context of corporate fraud investigation and related scrutiny of transactions, the Bill covers the rights of ‘data principals’ even during allegations of fraud and subsequent investigations,” said Saran.
Although much of the critical content of the draft matches the GDPR in principle, including privacy by design and the 4%-of-worldwide-turnover ceiling on penalties for data fiduciaries (the fixed-amount cap differs: INR 15 Cr in the draft against EUR 20 Mn in the GDPR), there are some large differences in approach between the EU regulation and the Indian Personal Data Protection Bill.
The intent of this article is to understand and analyse these differences in approach, interpretation, and impact between the Bill and its EU and Chinese peers.
Justice Srikrishna Committee: Starting From Scratch
Although the 67-page draft Personal Data Protection Bill and the 213-page report of the committee of experts have been submitted separately, the Bill cannot be reviewed in isolation, as the report suggests key amendments to existing Acts such as the Aadhaar Act and the Right to Information (RTI) Act, and those amendment bills will be introduced along with the main Bill.
And while a comparison of the GDPR, India’s Personal Data Protection Bill, and China’s Cybersecurity Law (in force since June 2017) is inevitable, processing extreme and opposing inputs from stakeholders and drafting a contemporary data protection bill was no small feat.
Here, it is worth noting that the GDPR evolved from the Data Protection Directive (95/46/EC) that preceded it. In India, by contrast, the 10-member Justice Srikrishna Committee had to start from scratch: there is no comprehensive data protection statute to build on. Section 43A of the IT Act and the 2011 Sensitive Personal Data or Information (SPDI) Rules cover only a narrow band of sensitive data held by body corporates, and the RBI’s data localisation circular applies only to payment system operators, so neither could tell the Committee where the nation currently stands.
The Committee, chaired by former Supreme Court judge Justice B N Srikrishna, included department of telecom secretary Aruna Sundararajan, Unique Identification Authority of India (UIDAI) head Ajay Bhushan Pandey, MeitY additional secretary Ajay Kumar, IIT-Raipur director Rajat Moona, national cybersecurity coordinator Gulshan Rai, IIM-Indore director Rishikesha Krishnan, Vidhi Centre for Legal Policy’s Arghya Sengupta, and Data Security Council of India’s Rama Vedashree.
Data Protection: Confused Wording Dilutes Scope And Intent Of Bill
In its very first sentence, the draft Bill, like the GDPR, recognises that “the right to privacy is a fundamental right”. In the same sentence, however, the draft describes the protection of personal data as merely “necessary” rather than “essential”.
However, the GDPR is crystal clear in its approach, right from the beginning. It says: “The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular, their right to the protection of personal data.”
The intent of the Indian draft Bill gets even more muddled in the very next sentence: “WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation.”
This is partly derived from the GDPR, whose Recital 7 calls for “a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market.” However, the same recital immediately adds that “natural persons should have control of their own personal data”, something the draft Bill omits.
If the intent of the draft Personal Data Protection Bill is to protect the personal data of Indians, why does it dilute its focus to fostering a “free and fair digital economy” (while merely “respecting” one’s personal data and omitting keywords such as justice, security and social progress that appear in the GDPR), a topic that could have been dealt with anywhere but in a Personal Data Protection Bill?
This could have been dismissed as a small aberration. However, the Indian minister for law and justice, Ravi Shankar Prasad, while releasing the draft along with the committee of experts, said, “India generates lots of data and has immense potential for data analysis.”
This statement by the minister raises a further doubt about the Centre’s intent regarding the draft Bill: why is the government interested in the analysis of the personal data of its citizens?
However, the third paragraph of the draft brings the intent of the Bill back on track.
“AND WHEREAS it is expedient to make provision: to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.”
The way the draft has been worded creates a confusion over the very scope and intent of the Bill. By contrast, observe the clarity in the way the GDPR is worded:
“This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.”
Further, “The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
The draft, in Justice Srikrishna’s words, aims at “maintaining a fine balance between users’ right to privacy without hindering the trade and industry in India.” However, considering that the primary purpose of the Bill was to address concerns about users’ personal data, it could have been drafted far more clearly.
Indian Data Protection Bill: Data Is A Matter Of Trust, Not Property
The GDPR does not treat personal data as property either, but it frames the relationship in terms of the rights of a “data subject” against a “controller”; the draft Indian Personal Data Protection Bill instead treats data as a matter of “trust” between a “data principal” and a “data fiduciary”.
Justice Srikrishna said, “We haven’t treated data as property here. It’s a matter of my trust in somebody and he’s answerable to it. That’s how we have treated it. That’s why we haven’t used data subjects which some others like GDPR have treated, but data principals, the ones who have agreed to share their data with data fiduciaries.”
So, how should one treat data, as a “matter of trust” or as “property”? That is a matter for another discourse. What matters in practice is how the rights attached to data can be exercised. Under the GDPR, a data subject can request erasure directly from the controller, who must act within a fixed period. Under the draft Bill, the “Right to be Forgotten” is not a request to the fiduciary but an application to an Adjudicating Officer of the Data Protection Authority, who must weigh the request against public interest and other factors before ordering the fiduciary to restrict disclosure. A data principal will therefore have to go through a lengthy process, filling in a form and justifying why he or she no longer consents to the use of their data, which defeats much of the purpose of the right.
Enforcement capacity differs as well. Under the GDPR, every EU member state has its own supervisory authority, so the regulatory load is split across many bodies, each handling the comparatively smaller data volumes of a single member state.
The GDPR focuses on ‘data governance’, and Estonia shows what that can look like in practice: a resident can log in with their national ID at any time and view a log of which personal information has been fetched from state registries after consent was given, and when and by whom it was accessed.
India, however, generates far more data and proposes just one regulatory body to oversee the entire regime. In the current draft Indian Personal Data Protection Bill 2018, the focus is apparently on data monitoring and control (in certain respects). Further, neither the draft Bill nor the report delineates the technology side of the framework: how the Right to be Forgotten, the Right to Access, and the other rights extended to data principals will actually be exercised.
Unlike Estonia, which has deployed blockchain-based integrity technology for such purposes, no technology has been specified by the Committee, and honouring users’ rights under the Bill is going to be a tedious, manual, and costly affair for many data fiduciaries.
Similarly, since data is a matter of “trust” for India, the draft does not use the phrase ‘Right to Erase’ for the Right to be Forgotten but speaks instead of a right “to restrict or prevent” continuing disclosure.
Wide Applicability Of Bill But Ambiguity Over Data Storage
In line with the GDPR, the scope of applicability of India’s Personal Data Protection Bill 2018 is wide. Apart from India-based data processing companies, it applies equally to data fiduciaries that are not present in Indian territory but process personal data in connection with business carried on in India, systematically offer goods or services to data principals in India, or profile them.
However, there is currently some confusion over the provisions for data storage in the Bill. The Srikrishna Committee appeared to be accommodating extreme views on data storage, and the result is a somewhat raw approach that is a nightmare for many big data, artificial intelligence (AI), machine learning (ML), and IT companies.
Besides being bound to honour users’ rights such as the right to access, the right to be forgotten and the right to correction, fiduciaries face this requirement in the draft Bill: “Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.”
The GDPR takes a different route: it does not demand a local copy but treats storage of personal data outside the EU as a transfer to a third country. For instance, if an EU controller hosts EU residents’ data on a server in India, that is a transfer under Chapter V of the GDPR and must be covered by a transfer mechanism such as an adequacy decision, standard contractual clauses, or binding corporate rules; remote access to EU-held data from outside the EU is treated the same way.
As far as data localisation is concerned, China’s Cybersecurity Law, too, has conditions similar to the Indian draft Bill. Article 37 of Chapter III of the Law states, “The operators of key information infrastructures shall store within the territory of the People’s Republic of China citizens’ personal information and critical business data collected and generated during their operations within the territory of the People’s Republic of China. Where such information and data shall be exported for business purpose, security assessment shall be gone through pursuant to the measures formulated by the state network and IT authorities together with competent departments of the State Council, unless otherwise provided in laws and administrative regulations.”
Now comes the question: How does the draft address the information being served by a website established outside India but accessible to Indians?
Technology policy experts Amba Kak, Jochai Ben-Avie, and Naomi Shiffman at Mozilla, opined, “Data localisation is bad for business, users, and security. Notwithstanding the protections on processing in the interest of the security of the state, it’s hard to see that this provision is anything but a proxy for enabling surveillance.”
Justice Srikrishna, on his part, explained why the decision of data mirroring was taken, “There were extreme views regarding data localisation. Some suggested all the personal data must be stored locally, some suggested it must be freely movable. We have taken a three-fold attitude. There are circumstances when data must be stored here and here only. Then, data could be stored outside too, with a copy stored in Indian territory.”
This is not the only confusion data fiduciaries face over data localisation. While stating that “critical personal data shall only be processed in a server located in India”, the Bill widens the ambiguity by leaving it to the central government to decide and classify what counts as “critical personal data”.
This matters because the draft hands that power to the Centre, which is itself a data fiduciary and one of the beneficiaries and stakeholders in the data processing game.
Further, the draft remains agnostic about sector-specific data and fails to provide clarity on it. For instance, once enacted the Bill will override the Telecom Regulatory Authority of India’s (TRAI’s) recommendations as well as the RBI circular. However, the draft does not address the RBI’s concerns about critical banking data or TRAI’s concerns about telecom data management.
How Does The Draft Personal Data Protection Bill Deal With Data Breaches?
The draft Personal Data Protection Bill outlines different penalties and fines for data breaches, non-compliance, and other data-related offences. For instance, if a data fiduciary contravenes certain provisions, such as the obligation to take prompt and appropriate action in response to a data security breach under section 32 of the Act, it will be liable to a penalty of up to INR 5 Cr or 2% of its total worldwide turnover in the preceding financial year, whichever is higher.
For more serious contraventions, the draft Bill prescribes a maximum penalty of INR 15 Cr (about $2.19 Mn) or 4% of total worldwide turnover, whichever is higher, to be imposed on a data fiduciary misusing personal data, mirroring the 4% ceiling in the GDPR.
The draft also defines separate fines and penalties for individuals, groups of individuals and large data fiduciaries found guilty of misuse of personal data. This leaves room for a large data fiduciary to characterise a breach as the mistake of an individual employee rather than a failure at the company level.
When it comes to notification of data breaches, the Bill again leaves scope for ambiguity by saying that breach notifications are to be made by the data fiduciary to the Data Protection Authority of India (DPAI) “as soon as possible” where they are likely to cause “harm” to data principals, without saying how soon.
“The data fiduciary shall notify the Authority of any data breach related to personal data as soon as possible and not later than the time period specified by the Authority, following the breach after accounting for any time that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm,” says the Bill.
By contrast, the GDPR clearly states, “As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
Confusion, Chaos, And Criticism Apart, The Draft Bill Is A Good Place To Start
The Srikrishna Committee has already faced its fair share of criticism on many issues, from the delay in tabling the draft to the way it addresses personal data concerns, including classification, localisation, and definitions. However, processing thousands of inputs from diverse stakeholders, many of them extreme and contradictory, could not have been an easy job, particularly when one had to start from scratch.
At the same time, considering that many draft bills, despite brilliantly addressing the issues at hand, have never seen the light of day thanks to parliamentary procedure, committees need to take the shortcomings of our parliamentarians into account while drafting a Bill.
And the Srikrishna Committee has kept this in mind with Justice Srikrishna being open to modification of the draft as he said: “This is the first step, as things progress as technology keeps changing in this world, it might become necessary to fine tune the law to overcome the technological challenges.”
Someone once gave this sane piece of advice: “Choose your battles wisely.” The Justice Srikrishna Committee seems to have taken it seriously while shouldering the huge and contentious task of drafting the Indian Personal Data Protection Bill 2018.
It may be far from perfect, it may be ambiguous, it may seemingly ignore the concerns of some stakeholders while trying to strike the “fine balance between users’ right to privacy without hindering the trade and industry in India”, and companies may feel left out in the cold for a while. But it strives very hard to achieve that balance and to empower both data principals (individuals) and the state when it comes to data privacy and rights.
And the best part is that it is open to fine-tuning while striving for that balance. A big first step, after all.