ASG Analysis: Personal Data Protection Bill Released in India
- The Personal Data Protection Bill was released in India’s Lok Sabha on December 11, 2019, after extensive consultations conducted by the Ministry of Electronics and Information Technology on the draft bill, which was published in 2018 by the Srikrishna Committee. The Bill has been referred to a Parliamentary Committee for further discussions.
- An early assessment reveals an overall dilution of the 2018 draft with the addition of several new ambiguous clauses. The newly-created Data Protection Authority (DPA) is charged with working out the details of those clauses. The ultimate impact of the Bill will be determined by the structure, authority, and transparency of the DPA.
- The process of deliberation by the Parliamentary Committee, subsequent introduction and passage of the Bill, and the formulation and operationalization of the DPA is expected to take anywhere between 18 and 24 months. The Government of India acknowledges that this version is not the last word, as there is expected to be extensive debate in the parliament and industry consultation.
- ASG will continue to monitor and provide updates as the implications of the ambiguous clauses become clear. The bill will have wide-ranging implications for companies across multiple sectors in India.
What We Know
Revised scope of the Bill: The definition of personal data was expanded to include data that can be used for the purpose of profiling. The Bill now allows the government to direct data fiduciaries to provide anonymized personal data or “non-personal data” to better target the delivery of services or create evidence-based policies. The Bill has defined non-personal data as any data other than personal data.
Requirements for notice and consent to process data: Data fiduciaries cannot process personal data without consent from the data principal. Consent must be explicit and conditions on how to properly gain consent must be met. Data fiduciaries are no longer required to demonstrate compliance.
Broadened grounds for processing personal data without consent: Personal data may be processed without consent to assist in the operation of search engines. The Bill charges the DPA with specifying additional safeguards and restrictions for the collection and profiling of sensitive personal data.
Relaxed requirements for storage and cross-border data flow: The Bill removes overarching restrictions around storage and cross-border flow of personal data included in the 2018 draft. The Bill proposes the following:
- Sensitive personal data must be stored in India. Sensitive personal data can be transferred abroad if the data principal provides consent and other conditions laid out in the Bill are met.
- Sensitive personal data includes: financial and health data, official identifiers, sexual orientation, transgender data, intersex status, biometric data, genetic data, caste and tribe, and religious or political affiliations. The government retains the right to identify additional data categories as sensitive personal data.
- Critical data must be processed in India. However, critical data may be transferred abroad when:
  - The data transfer is related to health services or emergency services that require prompt action and where processing does not require consent;
  - The data is being transferred to countries or entities within a country that have been identified by the Central Government as having adequate levels of protection as per Indian laws and international agreements.
Social media intermediaries considered significant data fiduciaries: Significant social media intermediaries are defined as platforms with users above a certain threshold and whose actions will likely have significant impact on the Indian State, public order, electoral outcomes, and integrity of the country. These significant social media intermediaries must enable users to voluntarily verify their identities on their accounts.
- Social media intermediaries are defined as platforms that primarily enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify, or access information.
- The following entities are excluded from qualifying as social media intermediaries: those that undertake commercial or business-oriented transactions, provide access to the internet, search engines, online encyclopedias, e-mail services, or online storage services.
Penalties remain largely the same: The Bill retains the penalty clause included in the 2018 draft. Minor violations of the Bill’s provisions will result in penalties of INR 5 crore or two percent of total global turnover. Major violations will be penalized with INR 15 crore or four percent of total global turnover. The Bill retains the provision for imprisonment in case of de-anonymization of personal data by a data fiduciary or data processor without the consent of the individual. The Bill no longer contains penal provisions for obtaining, transferring, or selling personal data and sensitive personal data.
Expanded grounds for exemptions: The Central Government has the power to exempt any government agency from the application of the Bill. “Small entities” continue to receive exemption from the Bill. The DPA has been entrusted to classify “small entities.” The Bill also exempts Sandboxes created for AI, machine-learning, and other emerging technology in the public interest. Data fiduciaries will need to apply to the DPA to be included in the Sandbox.
Introduction of “consent manager”: The Bill recommends a “consent manager” – a data fiduciary that enables a data principal to gain, withdraw, review, and manage consent through an accessible, transparent, and interoperable platform. The consent manager must be registered with the DPA.
Inclusion of the right to erasure: The Bill includes the rights to erasure and correction of personal data.
Albright Stonebridge Group (ASG) is the premier global strategy and commercial diplomacy firm. We help clients understand and successfully navigate the intersection of public, private, and social sectors in international markets. ASG’s worldwide team has served clients in more than 120 countries.