Answering all your questions on the recent personal data protection bill released by MeitY, India.
- What is included in the latest draft of the data protection bill?
As the name of the bill suggests, only personal data that is identifiable with an individual is included. The bill however suggests that such personal data shall be included only when it is ‘digital’.
The term ‘digital’ used here connotes that the personal data is collected from Data Principals online; and/or such personal data which has been collected in an offline mode but is digitised.
AKP Comments: From the present interpretation of the bill, the meaning of personal data shall include personally sensitive and financially sensitive information presently defined in the regulations under the Information Technology Act, 2000. However, the meaning of personal data, in this case, is wider in the ambit as it also includes profiling for targeted advertisements and content.
- What is Profiling?
The bill defines ‘Profiling’ as any form of processing of personal data that analyses or predicts personal behaviour or attributes of an individual (Data Principal). Profiling will be covered only when personal data attributable directly to a person is used to create trends that can be used to target advertisements, services, or content to a specified person based on data extracted from that specific person.
AKP Comments: Some real-life use cases are content suggestions by social media sites and purchase suggestions by e-commerce websites. It is important to note that, only profiling where aggregation of anonymised data to create trends is intended, is excluded.
- What is the treatment of Anonymised Data?
AKP Comments: Interestingly, the bill does not acknowledge the existence of anonymised data and thus anonymised data is not regulated by this bill. Any data that is anonymised and aggregated to create trends or to predict behaviour patterns to a certain set of people having similar parameters shall not be covered under the provisions of this law as per its present draft.
- What has been excluded in the latest draft of the data protection bill?
Non-automated processing of personal data, offline personal data, personal data processed by an individual for any personal or domestic purpose or personal data about an individual that is contained in a record existing for at least 100 years.
The Central Government may also exempt government and its instrumentalities on the grounds of protecting the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign states, maintaining public order or preventing incitement or if such personal data is not to be used to take any decision relating to the Data Principal.
- Who are the key stakeholders in the latest personal data protection bill?
Data Principal | Any person or individual who is giving their personal data and in case such person is a child then her parents or lawful guardian.
AKP Comments: From the definition only, data collected from natural persons are protected. So, for example, lending data of a sole proprietorship, partnership or company is not covered within the definition of the data principal. |
Board | Data Protection Authority mentioned in the previous bill has now been replaced by the Data Protection Board of India. It shall be established by the Central Government of India and shall be an independent, statutory body.
AKP Comments: The powers of the Board are at a lower pedestal as compared to the erstwhile proposed authority. The Board only has enforcement and adjudication authority and power to issue rules, regulations and notifications. However, it is anticipated that the Data Fiduciaries and Data Processors shall be expected to be registered with the Board and also report various other relevant details to the Board such as the volume and nature of data being processed and the exact mode of action undertaken to process such personal data. |
Consent Manager | The bill provides that a Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. Here, the term Consent Manager means a Data Fiduciary that provides an accessible, transparent and interoperable platform to a Data Principal to manage or withdraw her consent. Such Consent Manager is accountable to the Data Principal and shall act on behalf of the Data Principal. Such Consent Manager shall be registered with the Board.
AKP Comments: It is expected that there will be a notified type of person like an insolvency professional who will be registered with the Board and will be allowed to provide the services of a Consent Manager. |
Data Fiduciary | This is any person who is involved in the decision-making related to for what purpose the data will be collected and by what means the data will be processed.
AKP Comments: Only a Data Fiduciary is allowed to appoint a Data Processor. The onus of compliance, stakeholder mapping and data tracking primarily rest with the data fiduciary. The data fiduciary is the ‘owner of the collected personal data’ from the perspective of compliance and deciding what it shall be used for and who shall have access to it. |
Data Processor | Any person who only processes data shall be deemed a Data Processor.
The bill defines ‘processing’ as an automated operation on personal digital data which may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or making available, restriction, erasure or destruction. AKP Comments: Although the bill uses the word ‘processing’, the term is all-encompassing. Any treatment of data shall be covered by this term. Processing has a wide impact and ambit. However, a Data Processor is always expected to work on the instruction of a Data Fiduciary and cannot undertake any activity on personal data except as instructed by a Data Fiduciary and agreed by them in writing. |
- Transfer of data outside the jurisdiction of India; what does the bill says?
AKP Comments: One of the key reasons behind the anticipation of the latest bill was the provision for the transmission of data outside India. In present times, as per RBI notifications, all payment systems including debit cards, credit cards, e-wallets, prepaid instruments and any person undertaking digital lending in India is required to store any digital personal data collected by them on servers located in India. Even data mirroring outside India is considered a grey area. That’s why this bill was anticipated. In the bill, the government has decided to notify certain countries where transfer shall be allowed. It is important to note that transfer shall be allowed only by a Data Fiduciary and not a Data Processor as of now. However, the room has been left to issue further rules and regulations in this regard. It is pertinent to note here that the law has extra-territorial jurisdiction over any processing of personal data outside the territory of India if the processing is in relation to profiling.
There is a gap in the present bill on what is the extent to which the provisions shall apply to personal data transferred outside India for purposes other than profiling.
- What are the grounds for processing digital personal data?
The bill provides the following grounds for the processing of digital personal data-
- in accordance with this Act and Rules made thereunder;
- for a lawful purpose;
- for which the Data Principal has given or deemed to have given her consent.
- What are Notice and its role in obtaining the consent of the Data Principal?
The bill has obligated the Data Fiduciary to provide an itemised notice to a Data Principal on or before requesting such Data Principal for her consent. Such notice should be given in a clear and plain language which should contain the description of the personal data that the Data Fiduciary is seeking and the purpose behind processing such personal data.
Data Fiduciary shall give an itemised notice:
- in clear and plain language;
- containing the description of personal data that has been previously collected
- the purpose behind the processing of such personal data
Here the term “notice” means:
- a separate document; or
- an electronic form
- or it can be a part of the same document through which personal data is sought from the Data Principal
- or in any other form that may be prescribed.
The term “itemised” means-
- a list of individual items.
It is pertinent to note that all such notices shall be served either in English language or the languages mentioned in the 8th schedule.
- What is the meaning and importance of consent in the bill?
Consent means an indication by a Data Principal which has been given freely, is specific and informed and is unambiguous in nature with a clear affirmative action to allow or agree to the processing of her personal data for a specified purpose. Specified purpose under this clause means the purpose that has been mentioned in the notice (discussed in previous clauses) given by the Data Fiduciary. If any part of such consent infringes or is against the spirit and nature of the provisions of this Act, such consent shall be invalid to that extent.
REQUEST FOR CONSENT:
The Data Fiduciary shall present a request for consent to a Data Principal in a clear and plain language, which should contain details of a Data Protection Officer or any other person authorised by the Data Fiduciary in order to respond to any communication from the Data Principal for the t. purpose of the exercise of her rights under this Act. Request for consent to be provided to Data Principals either in English or the languages under the 8th schedule.
RIGHT TO WITHDRAW CONSENT:
The Act intends to provide the right to withdraw consent that has been given by a Data Principal and such consent is the basis for the processing of her personal data. Data Principal can make this withdrawal at any time.
DEEMED CONSENT:
The bill determines 8 situations under which a Data Principal shall be deemed to have given her consent for the processing of her personal data. These situations include:
- Voluntary giving of personal data or reasonable expectation of providing such personal data.
- Performing any function under any law which is in the benefit of the Data Principal or for issuance of any certificate, license or permit.
- Compliance with judgment or order issued under any law.
- A medical emergency such as a threat to life or immediate threat to the health of DP or any other individual.
- To take measures for providing medical treatment/health services to any individual during any epidemic, outbreak of disease or any other threat to public health.
- To ensure safety, provide assistance or services to any individual during a disaster or breakdown of public order.
- Employment purpose, preventing corporate espionage, trade secrets confidentiality, intellectual property, classified information, recruitment, termination of employment, benefit or service provision sought by a Data Principal who is an employee, verification of attendance and assessment of performance.
- In the public interest, including fraud prevention & detection, M&As or similar combinations or corporate restructuring under applicable laws, network & information security, credit scoring, search engine operation for the processing of publicly available personal data, processing of publicly available personal data, debt recovery, or any fair or reasonable purpose as may be prescribed.
- What are the additional obligations concerning the processing of the personal data of children?
The bill lays down certain additional obligations on the Data Fiduciary in cases involving a child. Such obligations are:
- Obtain verifiable parental consent (Manner of obtaining such consent to be prescribed later) (Parental consent includes the consent of a lawful guardian)
- Shall not undertake any such processing of personal data that may cause harm to a child.
- Shall not undertake tracking or behavioural monitoring of children or targeted advertisement directed at children.
- Provisions stated under (1) and (3) shall not be applicable to the processing of the personal data of a child for purposes that may be prescribed later.
- What is a Significant Data Fiduciary?
The Central Government to hold the power to assess Data Fiduciary and then notify any Data Fiduciary or class of Data Fiduciary to become a Significant Data Fiduciary. (“SDF”).
The assessment will be based on the following relevant factors:
- Volume and sensitivity of personal data processed
- Risk of harm to the Data Principal
- Potential impact on the sovereignty and integrity of India
- Risk to electoral democracy
- Security of the State
- Public order
- Such other factors as it may consider necessary.
The SDF shall have the following key obligations:
- Appoint a Data Protection Officer who shall represent the SDF under this Act and should be based in India. The Data Protection Officer shall:
- Be an individual responsible to the Board of Directors or similar governing body of the SDF.
- Shall be the point of contact for the grievance redressal mechanism.
- Appoint an Independent Data Auditor who shall evaluate the compliance of the SDF with the provisions of this Act and
- Undertake measures such as Data Protection Impact Assessment and periodic audits in relation to the objectives of this Act (such measures to be prescribed later)
Find the complete analysis of the bill in Part II.
Authored by:
Ms Kritika Krishnamurthy, Partner