Introduced to Parliament on 11 December 2019, the Personal Data Protection (PDP) Bill is intended as a cornerstone for the future of India’s digital economy and the protection of privacy for its citizens.
However, its categorisation of data as personal data (PD), sensitive personal data (SPD), and critical personal data (CPD) are inconsistent with this expectation. The concerns stem from the lack of clarity as to which data qualifies under each category, creating uncertainties and challenges for companies lacking the required visibility to take necessary precautions.
In turn, an unclear categorisation of data exposes users to privacy risks by impeding the determination of security controls appropriate for data protection. The implications of this categorisation, especially on startups, need to be carefully considered as a joint committee of parliamentarians reviews the bill.
A Broad Definition For Sensitive Personal Data
A subset of personal data SPD consists of financial data, health data, biometric data, genetic data, data indicating religious/political beliefs/sexual orientation or caste/tribe status. The regulatory uncertainty created by this list can create challenges, for example, treating all financial data/data revealing caste or religion as SPD can attract additional restrictions on cross border transfers and processing of data.
‘Financial data’ continues to be defined broadly under the PDP Bill. For instance, names collected by companies offering financial services may be categorized as SPD. Further, including payment identifiers necessary for peer-to-peer transactions within the scope of ‘financial data’ would require users to comply with the bill’s SPD obligations. It is also bound to pose problems for operations such as risk management and fraud detection. Moreover, the inclusion of health data and biometric data is also problematic.
On the face of it, the definition of biometric data may impact voice-activated assistive services while health data is bound to alter the practices of startups offering diagnosis services and also those offering nutritional advice, among many others.
The SPD classification can also have impractical effect for the everyday use of publicly-available information such as surnames or any information revealing political/religious information. For instance, companies require a user’s explicit consent to process SPD — meaning that they will have to inform them of the consequences of processing their data in addition to the regular notice and consent requirements.
As such, in a country like India, companies collecting an individual’s name that reveals caste/religion would be forced to comply with all of the SPD requirements under the bill. On the other hand, shortening the list of SPD along the lines of the EU’s GDPR or even categorising SPD on the basis of specific risk carried by the ‘purpose’ of processing may mitigate these concerns.
Regulatory Uncertainty Can Make Compliance Difficult
The PDP Bill neither defines CPD or provides a basis for this classification. It also empowers the central government to notify new categories of SPD. Both of these provisions create regulatory uncertainty and make compliance difficult. The absence of any clear criteria only compounds this uncertainty- especially for smaller companies who are anxious over collecting a type of data that has not even been defined in law, yet has higher compliance attached to it.
Allowing the central government to specify CPD without specific guidance accords it with excessive powers that it may not have the necessary expertise to perform. Most concerning is that it will not be required to consult with the data protection authority (DPA) or the industry in the classification process, severely deterring business predictability and giving rise to concerns regarding misuse.
However, mandating the central government to conduct transparent DPA and industry consultation before notifying CPD (and new categories of SPD) can address these concerns. As my colleagues have written previously, greater transparency in law-making allows businesses to plan and be future-ready, while opaque law-making processes tend to act as market entry barriers resulting in expensive litigations.
Restrictions On Cross-Border Transfers
The broad definition of SPD practically results in a requirement to store almost all kinds of data in India. Further, as most data is collected and stored as a mixed dataset, consisting of both PD and SPD, it will be impractical to separate SPD or PD from such datasets. These restrictions will impede the operations of startups who need to share data with overseas entities or those who plan to expand globally, which can cut into profit margins, reduce productivity and undermine competitiveness.
However, since the transfer of SPD is already regulated, local storage restrictions may be diluted. Also, given that the PDP Bill permits the transfer of data to ‘permissible’ countries, bilateral and multilateral data transfer frameworks should be encouraged.
In conclusion, the ambiguity in the definitions for SPD and CPD, and the restrictions based on those definitions, presents a serious constraint for companies planning their business operations and compliance measures, which in turn causes a watering-down of user privacy. Instead, to mitigate the open-ended nature of the existing categorisation, the bill should enable the development of clear criteria for classification based on robust industry consultation.
Further, additional categories of SPD and CPD should only be notified after taking stakeholder inputs. Consultative approaches are likely to increase industry trust and buy-in, institute a well-informed regulator and increase all-round accountability.