Why India Needs to Care About Privacy and the PDP Bill
A revised version of the Personal Data Protection Bill, 2019 (the “PDP Bill”) was tabled in the Lok Sabha on December 11, 2019. Its first draft was submitted by the Justice B.N. Srikrishna Committee pursuant to the Hon’ble Supreme Court of India’s judgment in Justice K.S. Puttaswamy v Union of India[1] (the “Right to Privacy Judgment”), which directed the Government of India to formulate a law on data protection.
Why India Needs the PDP Bill Quickly
The digital economy in India has grown rapidly with the proliferation of e-commerce, over-the-top content providers and other digital services.
The European Union and several countries have enacted comprehensive legislation such as the General Data Protection Regulation (“GDPR”) to specify the obligations of data fiduciaries and the rights of individuals whose data is collected and handled (the “Data Principals”). In India, the PDP Bill seeks to change the way the various players in the digital ecosystem (the “Data Fiduciaries”) handle user data and to bring in a comprehensive mechanism to replace the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”).
Differences Between the SPDI Rules and the PDP Bill
| S.No. | Point of distinction | SPDI Rules | PDP Bill |
|---|---|---|---|
| 1. | Nomenclature of parties | Body corporate or any person who collects, receives, possesses, stores, deals in or handles information of a provider of information. | Data Fiduciary: person determining the purpose and means of processing personal data. Data Principal: natural person to whom the personal data relates. |
| 2. | Classification of Data Fiduciaries | No classification. | 3 types of Data Fiduciaries: a) Data Fiduciary; b) Significant Data Fiduciary; and c) Guardian Data Fiduciary. |
| 3. | Obligations of Data Fiduciary | A person collecting, receiving, possessing, storing, handling or dealing in personal data must provide on its website: a) privacy policy; b) clear statement of practices and policies; c) types of personal and sensitive personal data collected; d) purpose of collection; e) grievance redressal; and f) reasonable security practices followed. | The PDP Bill provides for much higher obligations, including: a) privacy by design; b) data protection impact assessment; c) data audit and trust score; d) data protection officer; e) purpose limitation, notice and quality of personal data; f) security safeguards such as de-identification and encryption; and g) reporting of personal data breaches. |
| 4. | Special safeguards for children | No special safeguards for children. | Chapter IV provides special safeguards for children: a) age verification and parental control mechanisms; b) Data Fiduciaries operating websites that process a large volume of children’s personal data are classified as Guardian Data Fiduciaries; and c) bar on profiling, tracking, behavioural monitoring and targeted advertising. |
| 5. | Categories of Personal Data | 2 categories: a) personal data; and b) sensitive personal data. | 3 categories: a) personal data; b) sensitive personal data; and c) critical personal data. |
| 6. | Sensitive Personal Data | Narrow definition. | Wider definition. It also includes: b) official identifier; c) sex life; d) transgender status; e) intersex status; and f) religious or political belief or affiliation. |
| 7. | Rights of Data Principals | Providers of information may: a) review information and correct inaccurate or deficient data; and b) opt not to provide data and withdraw consent. | Data Principals have the right to: a) confirmation and access; b) correction and erasure; c) data portability; and d) be forgotten. |
| 8. | Restrictions on cross-border transfers | Transfer permitted if the transferee ensures the same level of data protection as mandated by the SPDI Rules. | a) Bar on transfer of critical personal data except to health and emergency service providers; b) sensitive personal data may be transferred only under a contract or intra-group scheme approved by the Authority; and c) critical and sensitive personal data may be transferred to countries or international organizations permitted by the Central Government. |
| 9. | Exemption for Government agencies | Sensitive personal data may be shared with Government agencies upon their written request. | The Central Government may exempt any agency of the Government from all or any provisions if it is in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, public order or the prevention of cognizable offences. |
| 10. | Other exemptions | Disclosure of sensitive personal information requires prior consent unless: a) it is provided under, or the disclosure is agreed in, a lawful contract; and b) it is required for compliance with a legal obligation. | a) Legal proceedings; b) personal/domestic purposes; c) journalistic purposes; d) research, archiving or statistical purposes; e) manual processing by small entities; and f) sandbox for encouraging innovation in artificial intelligence, machine learning and other emerging technology. |
| 11. | Enforcing body | Central Government. | Data Protection Authority of India (the “Authority”). |
| 12. | Penalties | Fine of up to Rs. 5 Lakhs or 3 years’ imprisonment. | Much stiffer penalties depending on the gravity of the offence: a) the higher of Rs. 5 Crores or 2% of global turnover; or b) the higher of Rs. 15 Crores or 4% of global turnover. |
Consent under the PDP Bill
The PDP Bill stipulates that a Data Principal’s consent must be obtained before collecting and processing their data, and that such consent must be free, informed, specific, clear and capable of being withdrawn as easily as it was given. Data Fiduciaries must draw the Data Principal’s attention to purposes that may have significant consequences; consent must be sought meaningfully, without relying on conduct in context, and must be sought separately for each purpose, each operation and each type of sensitive personal data. The PDP Bill permits processing personal data without consent in any of the following situations:
- performance of State functions;
- under any law in force made by Parliament or a State Legislature;
- compliance with any order or judgment of any court or tribunal;
- responding to a medical emergency involving the Data Principal or any other individual;
- providing treatment during an epidemic, disease outbreak or other threat to public health;
- ensuring safety or providing assistance during any disaster or breakdown of public order;
- employment purposes; or
- other reasonable purposes, including prevention of fraud, whistle-blowing, mergers and acquisitions, and debt recovery.
New Measures under the PDP Bill
The PDP Bill introduces several new measures such as:
- Privacy by Design, which involves reviewing and suitably amending organizational practices to ensure privacy is maintained from the collection of data through to its deletion;
- Data Protection Impact Assessment, a mandatory requirement when a Data Fiduciary seeks to undertake processing involving new technologies, large-scale profiling, the use of sensitive personal data or any other processing likely to cause significant harm to the Data Principal. It contains a description of the processing operations, the purpose and the data being processed, an assessment of the potential harm to Data Principals and the measures proposed to mitigate such risks;
- Sandbox for fostering innovation in artificial intelligence, machine learning and other emerging technologies, in which Data Fiduciaries may be included and exempted from the application of the PDP Bill for a maximum of 3 (three) terms of 12 (twelve) months each. The Authority may specify clear and specific purposes for processing personal data, limitations on collection and restrictions on the retention of personal data.
The Way Ahead for Privacy
The PDP Bill is the first serious effort to protect user privacy in India. However, the blanket power to exempt agencies of the Government from the application of all or any provisions of the PDP Bill has attracted widespread criticism, as it requires only a written order by the executive specifying safeguards and involves no judicial oversight. Owing to concerns raised from various quarters, the PDP Bill has been referred to a joint select committee of Parliament.
The views and opinions expressed in this article belong solely to the author and do not reflect the position of Tatva Legal Hyderabad.
[1] AIR 2017 SC 4161