The Justice Sri Krishna Committee has released the much-awaited first draft of the Personal Data Protection Bill, 2018. Following a structure that combines Europe's General Data Protection Regulation and India's Information Technology Act, 2000, the Bill runs to 112 sections.
These include positive features such as broader definitions, horizontal application, extra-territorial jurisdiction and steep penalties for violations, as well as negative features such as data localization requirements and many exceptions for state-related processing. Amendments are proposed to the Right to Information Act and the Information Technology Act, though no amendments to the Aadhaar Act are proposed at present.
Top-level highlights from the bill include:
Obligations – Strong obligations that apply to both private companies and the government, including purpose limitation, collection limitation, data security, documentation, and a general duty to process data in a way that’s “fair and reasonable” and “respects the privacy” of the person. This law applies to Indian residents’ data wherever it may be processed.
The Data Protection Authority – Creation of an independent Data Protection Authority with expansive investigatory, adjudicatory, and punitive powers, as well as a separate Adjudicating Officer to take complaints, impose penalties, and award compensation to individuals. However, the independence of the adjudicatory authority and the appellate tribunal responsible for legal proceedings related to data protection violations is severely lacking. The qualifications and nominations of those serving in these bodies are entirely prescribed by the government, as are the procedures of the bodies themselves. As it currently stands, the system delegates far too much authority to the Central Government. The power to set qualifications and procedures, and to nominate individuals to serve in the adjudicatory authority and appellate tribunal, should be reserved for the DPA, which operates independently of the government.
High standard for consent – For consent to be valid it must be free, informed, specific, clear, and capable of being withdrawn. This sets a high bar for companies seeking to validate their actions on the basis of consent. “Explicit consent” is required for processing of sensitive data.
Grounds for Processing – The bill allows for data processing for “reasonable purposes”. While similar in intent to the GDPR’s “legitimate interest” ground, the bill limits the potential for abuse by providing conditions on the basis of which data may be processed, as well as an illustrative list of categories that fulfil these conditions. We think this is an improvement on the GDPR standard, which as we noted in our submission, can “easily be abused by companies” who may argue that “innovation” itself is always a reasonable pursuit, even where it may put the privacy of users at risk.
Biometric Data – Biometric data and the Aadhaar identification number are included in the definition of sensitive personal data, which comes with stricter obligations. The bill includes a generally inclusive and progressive list of sensitive personal data, including data related to religious or political belief, sexuality, and transgender and intersex status. Section 106 bars the processing of certain forms of biometric data, as determined by the Central Government, unless the processing is explicitly permitted by law. This provision could be used to tighten the currently lax limits on the handling of Aadhaar data.
Individual Rights – Individuals are provided comprehensive rights of correction, updating, and data portability. However, the rights to deletion and to object to processing, which are guaranteed by other data protection laws around the world including the EU's GDPR, are notably missing. Users may have to pay to exercise certain rights, which could entrench existing inequalities and create haves and have-nots for privacy.
Data Processing for Security – Data processing for security, intelligence, and law enforcement purposes must be "necessary and proportionate", and must be authorised by a law passed by Parliament. While a quick reading of this bill might suggest that there are exceptions for "security of the state" data processing, and with them the potential for mass surveillance, Section 42(1) actually provides substantive protections. For the many intelligence and security agencies that currently operate in a legal vacuum, this bill would require enabling legislation, and legislation that meets the "necessary and proportionate" standard. That standard is a critical part of international human rights law on surveillance, as well as of the Puttaswamy judgement, and it prevents this bill from ushering in mass surveillance. Section 42(1), if enacted, will necessitate a public debate about the appropriate limits of Indian government surveillance: data processing for security, intelligence, and law enforcement purposes cannot happen in the absence of such a debate and a subsequent law.
Cross-border Data Transfer – The bill permits cross-border data transfer through a variety of mechanisms, but rejects consent alone as sufficient for transfer and conditions transfers on a high level of data protection being in place.