To
The Chairperson,
Joint Parliamentary Committee,
Personal Data Protection Bill, 2019,
Lok Sabha Secretariat,
Ground Floor, Parliament House Annexe,
New Delhi – 110001
Madam Chairperson,
In response to a call for public suggestions issued vide the Press Communique of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, dated February 04, 2020, we have provided our comments and suggestions below on the PDP Bill.
Who We Are
GameChanger Law Advisors is a boutique corporate commercial law firm based in Bengaluru and New Delhi. The Firm has been in existence since October 2011, and is currently a team of corporate, commercial and technology lawyers who have extensive experience in representing clients across a wide range of industries on a range of legal and compliance matters. We have developed a specialised practice for the Technology, Media and Telecom industries. We advise clients across industries on data protection issues on a regular basis.
Summary of Comments and Suggestions
Given the broad application of the Personal Data Protection Bill, 2019 (“PDP Bill”), its scope is of relevance to a significant number of our clientele. We welcome India’s shift to a robust data protection regime and believe that principles of privacy and data protection must be balanced with an adequate emphasis on transparent processes, procedural fairness and commercial viability in any data protection legislation. While many of our clients and technological companies which work with customer data will be impacted by the PDP Bill, the intention is always to comply with the law of the land and provide whatever support we can as lawyers, towards achieving the larger goal of better data protection and privacy for the citizens of India.
Our key suggestions, highlighted in detail in the note (“Note”) below, are as follows:
(a) The Bill must prescribe a transition period for businesses to suitably implement its provisions;
(b) The discretionary powers of the Central Government under the PDP Bill are broad and overarching, and must be limited;
(c) The exemptions available to the Central Government and government agencies under the PDP Bill must be limited by application of principles of necessity and proportionality;
(d) The concept of ‘Social Media Intermediaries’ is superfluous and must be omitted from the PDP Bill; and
(e) The governance of anonymised data is beyond the scope of the PDP Bill and must be left to the purview of a distinct legislation on non-personal data.
We thank you for providing us with this opportunity to outline our comments and suggestions on the PDP Bill.
In the event that you require any clarifications on any aspect of the Note, please feel free to contact Amrut Joshi (amrut@gamechangerlaw.com).
For GameChanger Law Advisors,
Amrut Joshi
Founding Partner
NOTE CONTAINING GAMECHANGER LAW ADVISORS’ COMMENTS AND SUGGESTIONS ON THE PERSONAL DATA PROTECTION BILL, 2019
1. No explicit transition period provided for under the PDP Bill
1.1. Observations –
1.1.1. Section 1(2) of the PDP Bill stipulates that different portions of the PDP Bill will come into force on the date on which they are notified in the Official Gazette.
1.1.2. The Justice Srikrishna Committee, in its draft of Personal Data Protection Bill (“JSC Bill”) provided for a timeline where different chapters/sections of the JSC Bill would come into force.
1.1.3. As proposed by the JSC Bill, the following sections would come into effect on the date of notification –
(a) Chapter X of the JSC Bill – Dealt with the constitution and functioning of the Data Protection Authority of India (“DPA”).
(b) Sections 107 and 108 of the JSC Bill – Granted the DPA the power to make rules and regulations.
(c) Section 40 of the JSC Bill – Restrictions on cross border transfer of personal data.
1.1.4. Under the provisions of the JSC Bill, the Central Government was to constitute the DPA within 3 (Three) months of the date on which the JSC Bill was notified.
1.1.5. Within 12 months from the date on which the JSC Bill was to be notified, the DPA was to:
(a) Formulate regulations relating to reasonable purposes for which personal data could be processed (covered under Section 14 of the PDP Bill).
(b) Formulate codes of conduct and notices pertaining to – data quality, storage limits, processing of personal information and sensitive personal information, security safeguards, research purposes, exercise of data principal rights, methods of de-identification and anonymization, and transparency and accountability measures.
1.1.6. Finally, Section 97 (8) of the JSC Bill stipulated that the remaining provisions of the JSC Bill would become effective within 18 (Eighteen) months of the date on which the JSC Bill was notified.
1.1.7. Currently, the primary regulation in India on data security is the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPI Rules”). However, the PDP Bill places a much greater obligation on processors when compared to the SPI Rules (for example, there are territorial restrictions on processing certain categories of personal information in the PDP Bill, whereas such restrictions are not present in the SPI Rules).
1.1.8. In such a scenario, processors in India will need to make operational changes, invest in new technology and amend their products and processes in order to ensure that they are compliant with the PDP Bill. These activities will take time and hence, a transition period must be provided to these businesses to achieve effective compliance with law. In the event a transition period is not provided, business entities may be forced to temporarily suspend operations till such time they are compliant with the obligations stipulated under the PDP Bill, and this can have an immensely chilling effect on business in India.
1.1.9. It has been global best practice to provide a transition period in comprehensive data protection bills. For instance, the European Union provided a 2 (Two) year transition period for the provisions of the General Data Protection Regulation (“GDPR”) to take effect. The transition period for the GDPR commenced on April 14, 2016. The GDPR came into effect on May 25, 2018.
1.2. GLA Recommendation –
1.2.1. In its current form, if the PDP Bill is notified in its entirety, it will result in an un-implementable law until such time that the DPA can be constituted and made operational. A milestone-based staggered timeline, with sufficient time being given to implement each step, is necessary so that the institutional enforcement framework under the DPA is put in place. Thereafter, specific regulations or codes of practice can be formulated in consultation with various stakeholders. This will also allow stakeholders to put in place their compliance mechanisms to ensure that as and when the law comes into force and regulations and codes of practice are prescribed by the DPA, they are in a position to be compliant with the law.
1.2.2. The breadth of functions assigned to the DPA (See Section 49 of the PDP Bill) and to data fiduciaries and data processors (See Chapters II to VII of the PDP Bill) to whom the law will be applicable is substantial. Hence, we would recommend incorporating a method similar to the method adopted in Section 97 of the JSC Bill, that of enabling a milestone based staggered timeline, with longer time periods prescribed for compliance with operational aspects of the PDP Bill. We recommend that only after the codes of practice and regulations are put in place by the DPA, should any time period apply for applicability of the PDP Bill, rather than the date of notification of the PDP Bill itself.
2. Social Media Intermediaries under the PDP Bill
2.1. Observations –
2.1.1. The explanation to Section 26(4) of the PDP Bill defines a Social Media Intermediary (“SMI”) as “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”, and specifically excludes intermediaries which enable business or commercial transactions, provide access to the internet, and search engines, email service providers, online encyclopedias and storage services.
2.1.2. This categorization of who an SMI is, is superfluous for the following reason. Even in the absence of this distinct category, entities that fall within the definition of an SMI as provided under the PDP Bill shall all be “data fiduciaries”, who must obtain consent, provide notice and set out their purpose of data processing under Section 7 of the PDP Bill. They will similarly be obligated to obtain explicit consent from data principals, under Section 11 of the PDP Bill, for the processing of any sensitive personal data.
2.1.3. If such entities are found to process a significant volume of sensitive personal data, with a high risk of harm to data principals, the DPA may designate such entities as significant data fiduciaries, even in the absence of a categorization as an SMI. In such an event, these entities would also mandatorily be required to meet further obligations such as conducting a data protection impact assessment (Section 27 of the PDP Bill), maintenance of records (Section 28 of the PDP Bill), and a data audit (Section 29 of the PDP Bill). Therefore, the entities intended to be brought within the definition of SMI and regulated separately are data fiduciaries already governed by the PDP Bill, and there is no reasonable purpose achieved by defining them and regulating them distinctly from other data fiduciaries or significant data fiduciaries, as the case may be.
2.1.4. It is pertinent to note that in the case of any other significant data fiduciary other than an SMI, Section 26 (1) of the PDP Bill gives the power and the authority to the DPA to notify any data fiduciary, or any class of data fiduciary, as a significant data fiduciary, based on its assessment of the volume of data processed, sensitive personal data processed, risk of harm, and other factors. However, in the case of SMIs under Section 26(3) of the PDP Bill, it is the Central Government, in consultation with the DPA, who has the power to designate such SMIs as significant data fiduciaries.
2.1.5. Further, under Section 26(4) of the PDP Bill, SMIs which are above a certain user threshold, and which are likely to have an impact on “electoral democracy, security of the State, public order or the sovereignty and integrity of India”, may be designated by the Central Government as significant data fiduciaries. On a plain reading of Section 26 of the PDP Bill, it is clear that the Central Government wishes to have complete control over who is classified as a social media intermediary, and the power to decide the same lies with the Central Government itself. Further, the criteria for such determination, being electoral democracy, security, public order, sovereignty and integrity of India, are disconnected from the entire purpose of the PDP Bill, which is the protection of personal data. Issues pertaining to the above mentioned criteria must be addressed through appropriate national security legislation and cannot be brought in under the garb of personal data protection. This has the potential to have a chilling effect on free speech through unwarranted government control over social media companies, which would be an undesirable consequence of the PDP Bill.
2.1.6. Section 28 of the PDP Bill provides that any SMI designated as a significant data fiduciary must enable its users to voluntarily verify their accounts with such SMI, and a ‘visible mark’ of such verification must be visible to other users of its service, in a manner as may be prescribed.
2.1.7. The facility of offering account verification on any social media platform is a product decision taken in consideration of the platform’s business objectives. The intent of such a verification mechanism is to ensure users are not misled by accounts purporting to represent public figures and brands. This is undoubtedly a best practice, and is aligned with the interests of any social media platform in improving its safety standards and credibility. However, the above requirement is beyond the purview of a data protection law.
2.2. GLA Recommendation –
2.2.1. We recommend that all references to ‘social media intermediaries’ as a distinct form of intermediary be removed from the provisions of the PDP Bill as such intermediaries will be governed either as ‘data fiduciaries’ or ‘significant data fiduciaries’ under the provisions of the PDP Bill.
2.2.2. In the absence of a removal of all references to ‘social media intermediaries’, the decision to classify a particular entity as an SMI should lie solely with the DPA and should be taken in accordance with the criteria provided for other ‘significant data fiduciaries’. No separate criteria with respect to “electoral democracy, security of the State, public order or the sovereignty and integrity of India” should be provided for.
2.2.3. There should be no requirement on an SMI to provide a mechanism of verification of a particular user, as the above requirement is beyond the purview of a personal data protection law. A verified tick or any such other indicator has no reasonable nexus to the objective of the PDP Bill, which is the protection of personal data of data subjects and not the verification of the online identity of a data subject.
3. Exemptions to applicability of the provisions of the PDP Bill –
3.1. Observations –
3.1.1. Under Section 35 of the PDP Bill, the Central Government is authorized to exempt any agency of the Government from any or all of the provisions of the PDP Bill. Such exemptions are with respect to the processing of data –
(a) In the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, or
(b) For preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order.
3.1.2. For the purpose of Section 35 of the PDP Bill, “processing of personal data” includes the sharing of data with any Government agency by a data fiduciary, data processor or data principal. Section 35 of the PDP Bill enables the Central Government and its ‘agencies’ to process personal data of all categories, without any of the safeguards otherwise applicable under the PDP Bill. It is respectfully submitted that the provision of such an exemption to the Central Government and its agencies may amount to legislative overreach and may be deemed unconstitutional in the light of the judgment of the Hon’ble Supreme Court of India in Justice K.S. Puttaswamy & Anr. vs. Union of India and Ors., where the Court clearly held that the provision of such an exemption exposes the citizenry of India to violation of their constitutionally guaranteed right to privacy.
3.1.3. The Supreme Court’s decision in Justice K.S. Puttaswamy & Anr. vs. Union of India and Ors., laid down a three-pronged test to assess any act restricting the privacy of an individual, which are:
(a) Legality, i.e. the act must be backed by a law,
(b) Legitimate aim,
(c) Proportionality, i.e. whether the act is necessary and proportionate to the aim to be achieved.
3.1.4. These tests were also encapsulated in Sections 42 and 43 of the JSC Bill, which laid out that any processing of data in the interests of security of the State or for an investigation could only be done pursuant to a law, in accordance with procedure established by law, and where necessary and proportionate to the aims to be achieved.
3.1.5. The broad executive powers under Section 35 of the PDP Bill would allow an authorized government agency to require that a data fiduciary share personal data of its users with such agency, if it believes it may prevent a threat to public order. In the process, the government agency as well as the data fiduciary sharing such data, would not be required to comply with any safeguards prescribed within the PDP Bill itself, such as consent obligations, notice obligations, and those pertaining to purpose limitation, collection limitation or accountability. This is antithetical to the principles of privacy and data protection otherwise upheld in the PDP Bill, and renders it liable to constitutional challenge.
3.2. GLA Recommendations –
3.2.1. The necessity and proportionality requirements provided for in Sections 42 and 43 of the JSC Bill, ought to be retained in Section 35 of the PDP Bill, and
3.2.2. ‘Agencies’ of the Central Government ought to be clearly defined in the PDP Bill to mean only those entities that satisfy the following 6 key tests that were laid down by the Hon’ble Supreme Court in its landmark judgment in Ajay Hasia and Ors. vs. Khalid Mujib Sehravardi and Ors., i.e.
(a) If the entire share capital of the corporation is held by Government it would go a long way towards indicating that the corporation is an instrumentality or agency of Government.
(b) Where the financial assistance of the State is so much as to meet almost entire expenditure of the corporation, it would afford some indication of the corporation being impregnated with governmental character.
(c) It may also be a relevant factor to determine whether the corporation enjoys monopoly status which is State conferred or State protected.
(d) Existence of deep and pervasive State control may afford an indication that the Corporation is a State agency or instrumentality.
(e) If the functions of the corporation are of public importance and closely related to governmental functions, it would be a relevant factor in classifying the corporation as an instrumentality or agency of Government.
(f) Specifically, if a department of Government is transferred to a corporation, it would be a strong factor supportive of this inference of the corporation being an instrumentality or agency of Government.
4. Regulatory overreach by the Central Government –
4.1. Observations –
4.1.1. Section 49 of the PDP Bill stipulates the powers and functions of the DPA. One of the primary functions of the DPA, as provided for under Section 49 (2) (a) of the PDP Bill is to monitor and enforce the PDP Bill. However, the PDP Bill has empowered the Central Government to regulate certain critical portions of the PDP Bill.
4.1.2. The PDP Bill stipulates that critical personal data can be processed only in India. However, the PDP Bill does not elaborate what categories of personal data will be treated as critical personal data nor does it provide an indicative list of categories of personal data that will be considered as critical personal data (this principle was followed for sensitive personal data in Section 3(36) of the PDP Bill). The explanation to Section 33(2) of the PDP Bill stipulates that the Central Government shall determine what categories of personal data will constitute critical personal data.
4.1.3. The concept of creating a new category of personal data, apart from sensitive personal data and carving out a further sub-set of sensitive personal data as “critical personal data” has not been observed in either the GDPR and the California Consumer Protection Act, 2018, 2 of the more recently enacted data protection legislations globally.
4.1.4. Section 34 of the PDP Bill stipulates the conditions under which data fiduciaries can process sensitive personal data and critical personal data outside India. One such condition outlined is that the Central Government, in consultation with the DPA, certifies that a third country has adequate levels of security and that such transfers shall not prejudicially affect the enforcement of the PDP Bill.
4.1.5. Further, as the Central Government needs only to consult with the DPA, it is not bound by any of the advice given by the DPA. In this case, there are chances that this might become a political tool, where the Central Government may disregard any advice provided by the DPA and base its decision to certify whether a country has adequate levels of protection on political grounds rather than an objective review of the data protection standards of a third country.
4.1.6. Section 15(1) of the PDP Bill stipulates that the Central Government, in consultation with the DPA, shall specify the categories of personal data that will constitute sensitive personal data (this will be in addition to the list provided in Section 3(36) of the PDP Bill).
4.2. GLA Recommendations –
4.2.1. Assuming that the Parliament in its wisdom determines that the concept of “critical personal data” is required to be retained in the PDP Bill, the responsibility for categorization of any data as “critical personal data” must be vested solely with the DPA. Similarly, the responsibility for categorization of any data as “sensitive personal data” must also be vested solely with the DPA.
4.2.2. The PDP Bill must contain an indicative list (as has been provided for sensitive personal data) or a list of criteria that will need to be examined by the DPA (as has been provided for determining a significant data fiduciary under Section 26 of the PDP Bill) prior to a determination being made that certain personal data is or is not to be deemed to be “critical personal data”.
4.2.3. We would recommend that the DPA (which is the sectoral regulator) be conferred with the sole authority to determine the adequacy of a third party country’s data protection standards.
5. Regulatory overreach by the Central Government –
5.1. Observations –
5.1.1. Section 91 of the PDP Bill stipulates that the Central Government can, in consultation with the DPA, compel any data fiduciary or data processor to share any anonymised data or non-personal data. The objects clause of the PDP Bill stipulates that the main function of the PDP Bill is to protect the privacy of individuals with regard to their personal data. Therefore, by seeking to regulate non-personal data and anonymised data, the PDP Bill goes beyond its stated objects.
5.1.2. Further, Section 91(1) of the PDP Bill stipulates that the Central Government can use such anonymised data or non-personal data for providing better targeting of delivery of services or for the formulation of evidence based policies. As a result of this, the Central Government will be using the intellectual property of the data fiduciary or data processor irrespective of whether or not the Central Government has the consent of the data fiduciary or data processor. We respectfully submit that such a provision could be tantamount to an appropriation of the property of a business entity, without the requirement of payment of any consideration to such business entity. We respectfully submit that such a provision would impinge on the ability of every data related business in India to continue its business in India. This provision could potentially be challenged as being violative of Article 19 (1) (g) of the Constitution of India.
5.2. GLA Recommendations –
5.2.1. Considering that non-personal data or anonymised data is outside the scope of the PDP Bill, we would recommend deleting all provisions relating to the processing of anonymised data or non-personal data.
5.2.2. Further, the Ministry of Electronics and Information Technology, on September 13, 2019, constituted a committee headed by Mr. Kris Gopalakrishnan (Co-Founder of Infosys) to recommend governance norms for non-personal data. Therefore, this committee should be allowed to complete its mandate and determine the manner in which non-personal information is processed.
6. Conflicts between the roles of DPA and Central Government –
6.1. Observations –
6.1.1. By providing the Central Government the right to regulate certain provisions of the PDP Bill, there are certain circumstances where the decisions of the DPA and the Central Government might be contradictory. The PDP Bill does not provide a mechanism to resolve such disputes.
6.1.2. One such instance of this is under Section 34 (2) of the PDP Bill, which outlines the conditions under which sensitive personal data can be transferred outside India. One of the conditions outlined under Section 34 (2)(b) of the PDP Bill is that sensitive personal data can be transferred to a country which has been certified by the Central Government to have an adequate level of protection. On the other hand, Section 34 (2)(c) of the PDP Bill outlines that sensitive personal data can be transferred outside India when the DPA has authorized the same. In this case, if the DPA permits the transfer of sensitive personal data to a country that has not been certified by the Central Government, there is no resolution process if the Central Government objects to the permission granted by the DPA.
6.2. GLA Recommendation –
6.2.1. In order to ensure that no such disputes arise, the DPA should be solely vested with all power to regulate the PDP Bill in its entirety. However, even in the event that certain powers are given to the Central Government, the PDP Bill must contain a resolution mechanism to resolve any contradictions in the directives/regulations issued by the Central Government and the DPA.
7. Consultation of stakeholders under the PDP Bill –
7.1. Observations –
7.1.1. Section 50 of the PDP Bill provides that the DPA, through regulation, may prescribe codes of practice to promote good practices under the PDP Bill. Section 50 of the PDP Bill also specifies that no such code of practice will be issued unless stakeholders have been duly consulted.
7.1.2. However, even though there are many aspects of the PDP Bill that are intended to be prescribed by Regulations formed by the DPA, there is no requirement of stakeholder consultation for any other Regulation with the exception of the codes of practice under Section 50 of the PDP Bill.
7.2. GLA Recommendation –
7.2.1. The DPA has been delegated the authority to prescribe Regulations on a number of processes and concepts that the PDP Bill is silent on and which are critical for the effective implementation of the PDP Bill. We suggest that these Regulations also be placed before stakeholders for an inclusive consultation process prior to being issued.
7.2.2. Further, since Section 50(6) of the PDP Bill provides an indicative list of matters that may be covered by such codes of practice and is not exhaustive, we suggest that a code of practice also be prescribed for:
(a) A standard form contract that data fiduciaries may adopt for the purpose of transferring sensitive personal data outside India, under Section 34(a) of the PDP Bill. This has been incorporated by the GDPR where the EU has provided standard contractual clauses under Article 46 of the GDPR that data controllers will need to execute prior to transferring data to countries which do not have an adequate level of protection. The current draft of the PDP Bill provides that sensitive personal data may only be transferred outside India with the explicit consent of the data principal and if such transfer is made pursuant to a contract or intra-group scheme approved by the DPA.
(b) A model privacy by design policy which, if followed, does not need to be submitted before the DPA for certification, and for which approval will be streamlined. Section 22 of the PDP Bill presently stipulates that the privacy by design policy of each data fiduciary is to be submitted for certification before the DPA.