#StartFromScratch: An Explainer on the Personal Data Protection Bill, 2019

Donate to help sustain our work

Tl;dr

It’s here! As promised, part 2 of our series on the data bill will explain the basics of the Personal Data Protection Bill, 2019. In it, we provide an introduction to the main definitions, explain what the Data Processing Authority is, detail what rights users will have and how these rights will be ensured in practice, and lastly, explain the exemptions provided to the government.

A Recap and an update

Last time, we discussed the need for a data protection bill and indicated new threats such as data breaches, malicious hacks, and governmental and corporate surveillance that have emerged as our world becomes more and more digital. We also provided some historical context to the Personal Data Protection Bill, 2019 and hinted at some of the concerns that have been raised about the Bill.

Regarding the report of the Joint Parliamentary Committee on the Bill, we have an update that reports had emerged that the Committee would postpone the submission of the report. Indeed, this came true, as on the 25th of March a motion was moved to extend the time for the presentation of the report and was adopted the very same day. Thus, as it stands, the report of the Committee shall be presented in the first week of the Monsoon Session of 2021.

We have time. So this means that it is even more important for the public to engage with the bill, understand what it proposes, and critique its weaker aspects so that public pressure can be applied and India implements a stronger data protection bill.

A Glossary

The most important definitions vis-à-vis the data bill are:

  1. Data principal i.e. you, the user. A data principal is essentially the person to whom the data ‘belongs’
  2. Data fiduciary i.e. the entity that controls the storage of the data and defines the permitted ways it can be processed
  3. Data processor i.e. the entity that processes that data collected by a data fiduciary

Suppose you use a certain social medium (eg. Facebook or Twitter). In this case, you are the data principal, the social medium is the data fiduciary (since it collects data about you and your activity on its medium), and the entity that processes your data for, say, advertising purposes is the data processor (this may be an authorised third party entity or even the social medium itself).

Next, we need understand the categories of data:

  1. Personal Data: This refers to data that may contain information about any characteristics or traits of a person and can be used to identify said person.
  2. Sensitive Personal Data: This refers to certain categories of data such as: financial data,  health data, official identifiers; data on sexual orientation and activity, biometric data, genetic data, transgender status, intersex status, caste or tribe status, and religious or political belief or affiliation.
  3. Critical Personal Data: Any data notified by the Central Government to be critical data. The important thing here is that critical data can only be processed within the country.

But who will enforce the law? A Data Protection Authority

The Bill (Chapter IX) proposes the creation of a Data Protection Authority (DPA). Essentially, the DPA will be the main regulator with respect to the processing of data. The Bill’s Statement of Objects and Reasons states that role of the DPA would be to:

“protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the proposed legislation and promote awareness about the data protection”

The Authority shall consist of one Chairperson and a maximum of 6 other full-time members, of which at least one shall have experience in law. The chairperson shall be appointed by the Central government and shall be responsible for directing the workings of the DPA.

Now, given the central role of the Authority, several important functions have been delegated to it, including:

  • Monitoring and enforcing application of the provisions of this Act
  • Taking prompt and appropriate action in response to personal data breach in accordance with the provisions of this Act
  • Examination of any data audit reports and taking any action pursuant thereto
  • Specifying codes of practice to promote good practices of data protection and facilitate compliance
  • Promoting awareness and understanding of the risks, rules, safeguards and rights in respect of protection of personal data amongst data fiduciaries and data principals
  • Promoting measures and undertaking research for innovation in the field of protection of personal data
  • Advising Central Government, State Government and any other authority on measures required to be taken to promote protection of personal data and ensuring consistency of application and enforcement of this Act

Apart from these, the Authority also has the power to:

  • Issue directions to any data fiduciary or data processor (who are bound to comply with the orders)
  • Ask data fiduciaries or data processors to provide any relevant information
  • Conduct an enquiry about any data fiduciary or data processor if it believes that it has conducted its activities in a manner that infringes upon the digital rights of users or if it believes the entity has contravened any of the provisions of the Act

Thus, as one can see, the Data Protection Authority will play a vital role. But what will be the regulatory environment that DPA will protect and regulate? Read on.

User consent is recognised as a key component of data protection frameworks, and this is recognised in clause 11 of the Bill, which lays down that personal data cannot be processed without obtaining the consent of the user. Furthermore, such consent is valid only if it is: a) freely given, b) on the basis of an informed decision, c) specific in nature, d) clearly expressed, and e) capable of being withdrawn. Users must also be informed about any harms that might result as a consequence of providing consent, while the provision of services cannot be made contingent upon the provision of services or the fulfillment of a contract.

There are, of course, certain exemptions. For example, if the processing of certain personal data is without consent may be allowed for the prevention and detection of any unlawful activity including fraud, whistle blowing, network and information security, and the operation of search engines. Additionally, there are certain exemptions that are provided to governmental agencies. More on this below.

Along with a consent framework, the Bill, in Chapter V, lays down certain rights that each data principal has:

  1. Right to confirmation and access: Users have the right to obtain their personal data as well as a summary of activities performed upon their data in a clear and concise manner.
  2. Right to correction and erasure: Users have the right to correct, complete, and update their personal data. Users also have the right to erase their personal data after it is no longer necessary for the purpose for which it was processed
  3. Right to Data Portability: Users have the right to receive and have transferred to any other fiduciary their personal data as well as any data generated during the provision of services.
  4. Right to be Forgotten: Users have the right to restrict or prevent the disclosure of their personal data if it is no longer necessary for the purpose for which it was collected or if they withdraw their consent.

Here too however, these rights are not absolute, in the sense that certain limits, technical and otherwise, are imposed upon them. For example, in the case of the right to correction and erasure, a data fiduciary may, after providing the user with an explanation, choose to reject their application, though the user can make the fiduciary tage the data as disputed. Alternatively, in the case of the right to be forgotten, all requests need to go through an Adjudicating Officer appointed by the Data Protection Authority, who will judge whether any such request is valid.

Interregnum - What about non-personal data?

You may have noticed that most of these provisions seem to deal with personal data, and so you may ask: what about non-personal data? Well, clause 2 of the Bill says that the provisions of the Bill shall not apply to anonymised data, while clause 91 empowers the Central government to: a) ask data fiduciaries and data processors to provide anonymised personal data or non-personal data to improve service delivery and b) frame policies with respect to non-personal data (as an aside, we will mention here that government released the second version of the draft non-personal data governance framework on 16th December last year, which we have written about here).

Obligations & Transparency Measures

Another important part of a robust data protection framework is the regulation of the data collection and processing. For this purpose, chapter II of the Bill  lays down certain obligations on data fiduciaries. Firstly, personal data shall only be processed for clear and lawful purposes that a user has consented to, and the privacy of the user shall be ensured while processing. Data can be processed only to the extent that is necessary for the intended purpose, and a notice containing all the relevant information must be sent to the user before collecting their data. The fiduciary must also take the necessary steps to ensure that the personal data processed is complete, accurate, and up to date. Additionally, data fiduciaries must respect the digital rights of users and retain their personal data beyond the time necessary for fulfilling the original purpose of processing, after which such data must be deleted.

To complement these obligations, the Bill (Chapter VI) mandates certain procedural measures that data fiduciaries must implement. Each data fiduciary must implement a comprehensive privacy-by-design policy that explains how the privacy of users and the security of their data is going to be ensured throughout processing, they can get to be certified by the Data Protection Authority if it is found to be sufficiently robust. Fiduciaries must also certain information available in a transparent manner, such as:

  • the categories of personal data generally collected and the manner of such collection
  • the purposes for which personal data is generally processed
  • any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm
  • the existence of and the procedure for exercise of rights of data principal under Chapter V and any related contact details for the same

Some data fiduciaries will also end up being classified as significant data fiduciaries based on factors such as the volume of data processed and the turnover of the fiduciary. Such classification will bring with it additional obligations, such as the need to conduct data protection audits and impact assessments as well as the need to have a designated data protection officer.

Both data fiduciaries and processors shall implement necessary security safeguards, such as:

  • The use of methods such as de-identification and encryption
  • Take steps necessary to protect the integrity of personal data
  • Take steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data
  • Undertake periodic reviews of their security safeguards

They must also have in place an effective grievance redressal mechanism, in which complaints must be disposed of within 30 days of their receipt.

The data protection Bill also specifies behaviour in case a breach occurs: data fiduciaries must inform the DPA about any breaches of personal data, detailing the type and nature of the data involved and the number of persons affected. The DPA shall then decide whether the breach should be reported to the users. The DPA may also direct the fiduciary in question to take certain actions.

Exemptions, governmental and otherwise

The Bill provides for a variety of exemptions and these are some of its most criticised sections. For example, chapter III of the Bill states that personal data may be processed without consent in certain situations, including:

  1. The performance of any State function, such as the provision of a service or statutory benefit
  2. In compliance with any order or judgement of a Court or a Tribunal
  3. In case of a medical emergency for the data principal
  4. For the provision of public health services to combat a pandemic or any other threat to the public health
  5. By an employer with respect to a data principal who is an employee

Chapter VII of the Bill provides even broader exemptions to the government: the Central Government can, in the interest of national security and the prevention of incitement to any cognizable offence, exempt any government agency from any of the provisions of the Bill. The Centre can also exempt data processors that process the data of users outside India from the provisions of the Bill.

This is the second blogpost in our series on the Data Protection Bill; read part 1 here. Join us next week in part 3, where we explain the litany of concerns that have been raised about the Data Protection Bill.

Important Documents

  1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
  2. Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
  3. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
  4. The SaveOurPrivacy Campaign (link)