India and other large economies like Japan and the European Union are taking significant steps in enacting comprehensive and progressive privacy laws. Did the General Data Protection Regulation (GDPR) move India’s citizens to demand a right to privacy? Not necessarily. While the GDPR certainly did inspire countries worldwide to rethink data protection, privacy in India was brought to the forefront in a lawsuit against the central government in August 2017 in a ‘right to privacy’ legal case which allowed for privacy as a fundamental right of an individual. Following this, a committee was set up to develop a data protection framework which released a draft of the first Personal Data Protection Bill (PDPB). Since then, the bill has been hugely debated in Parliament for the last two years.
Due to the ruling majority the current government has in both houses (the council of states and the house of people), the bill is likely to pass in late 2020 or early 2021. Once regulated, it will have far-reaching implications globally, particularly given the number of multinational technology companies present in India.
The bill may undergo additional changes before it is passed, so this blog reflects information current at the time of writing.
Why it All Matters
Once enacted, despite its regional nature, the changes mandated in the bill impact the global digital market as India has attracted a vast pool of global players over the last two decades. In a 2019 study conducted by McKinsey and Company on India’s role in the global digital market, India is well under way to harness a trillion-dollar valuation in the digital economy by 2022.
These companies not only want to harness the digital talent and leverage the thriving business process management industry, they are eager to meet India’s domestic digital needs. It is clear, given both the sheer magnitude of online users, India’s role in research and innovation and its rapid but uneven progress in digitizing its own businesses, the global market is on the receiving end of harnessing these opportunities. This means global operations within the borders and outside across industry sectors like Google, Microsoft, Facebook, Novartis, HSBC, to name a few will have to comply with the bill. This vast, ubiquitous, digital landscape has further underscored that a progressive privacy framework is the need of the hour.
A Brief History of the Bill
In 2009, the Indian government developed what has been referred to as the ‘Aadhaar scheme’, to bring forth fair access to government benefits, subsidies, and services to communities at large. However, the scheme lacked reliable authentication means to manage Aadhaar’s identification cards issued to citizens. The system was fraught with duplication and forgery leading to misuse and leakage of benefits. In March 2016, the Aadhaar Act, a legal framework supporting the provisions of Aadhaar scheme was passed. The system involves providing unique identification cards to individuals which includes an individual’s biometric (fingerprints and eye scans) and demographic information recognized as the world’s largest and most sophisticated biometric system.
However, this led to the civil liberty case brought forth by K.S. Puttaswamy in 2017 questioning the validity of the Aadhaar scheme in the Supreme Court. The judge challenged the Aadhaar scheme on various grounds including privacy, surveillance, and exclusion from certain welfare benefits. This landmark verdict affirmed privacy as intrinsic to the freedom and liberty of an individual.
Shortly after this case was decided in 2018, a committee stood up by the central government issued the draft PDPB. It was updated in December 2019 and is currently under review by a Joint Parliamentary Committee (JPC) in advance of the winter parliamentary session to be held in December 2020.
A Few Key Definitions
While there are a number of definitions within the text of the bill, here are a few key definitions we want to anchor for the purpose of introducing the core model of the bill:
- Data fiduciary: The entity that determines the legal purpose and means of processing personal data and establishes the relationship with consumer or employee.
- Data principal(s): The natural person to whom the personal data relates.
- Data processor: On behalf of data fiduciary, the data processor takes on the processing of personal data through contractual agreement.
- Personal data and related categories: Within the context of the bill, personal data means data about or relating to a natural person who is directly or indirectly identifiable. The bill further categorizes certain types of personal data into sensitive personal data and critical personal data.
According to the text of the bill, few examples of sensitive personal data include financial data, health data, biometric information, religious or political beliefs. On the other hand, critical data is left to the discretion of the government of India to define and is not currently mentioned in the bill.
The bill seeks to protect the privacy of Indian residents relating to the personal data, transfers of data and usage of personal data.
The provision of this act applies to:
- Entities that collect, disclose, or share personal data processed by the government of India or companies incorporated in India.
- Entities located outside of India that collect, disclose, or share personal data of Indian residents.
- Irrespective of the location of the concerned Indian residents the law will apply within its context to the data fiduciary and/or data processor.
What Companies Must Do
Whether a company acts as a data fiduciary or data processor, they face substantive cross-functional obligations. Similar to the GDPR requirements, companies collecting, disclosing, or sharing personal data across various departments are subjected to numerous obligations. Data fiduciaries are expected to undertake measures to implement:
- Required safeguards to show transparency and accountability.
- Adherence to data retention and international transfer rules for sensitive and critical personal data subject to narrow exclusions.da
- Processing of sensitive personal data may leave the country only after an explicit consent has been obtained for such a transfer and requires data to be stored in India. On the other hand, critical personal data shall only be processed in India.
Several other notable provisions include various types of lawfulness of processing, comprehensive individual rights, affirmative consent requirements, protection of children’s data and data processor agreements. The bill provides fiduciaries an option to further demonstrate their commitment to privacy by implementing and certifying a ‘privacy by design’ policy through the Data Protection Authority (DPA).
Under the bill, certain classes of data fiduciaries are designated as a “significant data fiduciary.” These are identified by the DPAs after meeting certain threshold criteria. The criteria are based on the number of personal data processes, sensitive nature of personal data processed, turnover of data fiduciary, risks of new technologies for processing and other factors causing harm from such processing. Significant data fiduciaries must appoint a Data Protection Officer (“DPO”) who is based in India and must register with the DPA. Significant data fiduciaries will be subject to more detailed compliance obligations such as carrying out data protection impact assessments, ongoing audits, etc. where the government is empowered to assign ‘trust scores’ based on audit results.
What it Means to Data Principals
With India’s supreme court declaring the right to privacy as a fundamental right protecting individual privacy, the bill outlines significant rights to data principals:
- The data can be processed by a data fiduciary only after a clear consent is received
- Ability to seek correction of inaccurate, incomplete, or out-of-date personal data
- Expectation of clear categorization of personal data – by personal data, sensitive personal data, and critical personal data
- Restrict disclosure of their personal data if it is no longer necessary or consent is withdrawn
- Prevention of misuse of data with strict penalties
Offenses under the bill include:
- Processing or transferring personal data in violation of the bill, punishable with a fine of Rupees 15 crore (~$ 20 Million USD) or 4% of the annual turnover of the fiduciary, whichever is higher, and
- Failure to conduct a data audit, punishable with a fine of Rupees 5 crore ($ 0.7 Million USD) or 2% of the annual turnover of the fiduciary, whichever is higher,
- Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
Critics and its Readiness
The most widely debated topic of this bill has been whether the initiative can support implementation of safeguards to ensure data protection without stifling the country’s opportunity for digital growth. The Joint Parliamentary Committee charged to review and approve the bill has been asked to ensure interoperability in its design nimble enough to support international data transfer rules. Critics further argue that the bill provides overreaching powers to central government in exercising the bill for national interests.
No official date has been released for the enforcement of this cross-sectoral legislation. However, given our substantive reasons under the Why it All Matters section above, and because enactment of this Bill will put PDPB on par with the GDPR from its complexity of obligations and global scale, we will track its approval progress and be prepared to support affected companies.
The proposed regulation is not final and may further undergo some changes however, they do provide a perspective on what business can expect. Protiviti has partnered with clients, cross-industry, to stand up strategic data privacy programs, governance structures, technology implementation efforts, and specific privacy processes to assist with regulatory expectations. In that spirit, we will continue to monitor global privacy developments, and support enterprises on their compliance journey to meet regulatory expectations.