The Personal Data Protection Bill, 2019 was introduced in the Parliament on December 11, 2019 and has been referred to a joint select committee for further review. The committee is tasked with producing its report on the proposed clauses, which shall be presented to the Parliament prior to its upcoming 2020 budget session. The 2019 Bill brings about significant changes over its predecessor, the 2018 draft.
Compared to the 2018 draft, which proposed 15 chapters and 112 sections, the 2019 Bill contemplates 14 chapters and 98 sections. There are far-reaching modifications in approximately 49 clauses, some clauses of the 2018 draft have been deleted, and certain new provisions pertaining to social media intermediaries, sandbox innovations, policymaking for the digital economy and processing of biometric data have also been introduced. Further, the draft available in the public domain comes with an elaborate statement of objects and short notes on clauses. There is scepticism that, while the 2019 Bill is drafted better than the 2018 draft, grey areas continue to remain, and this scepticism may not be completely without merit. This and the subsequent post aim at providing an overview of some of the key changes in the 2019 Bill.1
• Personal data: The 2019 Bill revises the scope of personal data, sensitive personal data, and anonymised data. The meaning of these concepts under the 2018 draft was analysed in our first post.
- Personal data is now defined as data about a natural person (the data principal), or data which directly or indirectly results in her identification, having regard to any trait, characteristic, attribute or identity feature. The data can be either online or offline and, for profiling purposes, shall also include any inference drawn from such data. The 2018 draft did not clarify whether personal data would include manually processed data and inferences derived from profiling activities. The revised definition clarifies these aspects, thereby qualifying identifiable data processed manually (such as in files and documents), along with any results derived from profiling, as personal data.
- The definition of sensitive personal data stands revised to mean personal data that reveals, relates to or constitutes financial, health, biometric or genetic data, official identifiers, sex life, sexual orientation, transgender or intersex status, caste or tribe, or religious or political affiliation. The 2018 draft specifically included passwords, which now stand omitted. Further, the 2019 Bill empowers the central government to determine other categories of sensitive data in consultation with the Data Protection Authority (DPA) and sectoral regulators. Earlier, under the 2018 draft, this power was vested with the DPA.
- Anonymised data refers to any data that has undergone anonymisation, i.e., an irreversible process (meeting irreversibility standards to be specified by the DPA) of transforming or converting personal data to an unidentifiable form. The definition has been retained as is from the 2018 draft. But, unlike the 2018 draft, which clearly carved out processing of anonymised data from its ambit, the 2019 Bill may create potential confusion around what kind of anonymised data is exempted. It states that processing of anonymised data is outside the purview of the 2019 Bill, provided the processing is not pursuant to clause 91 of the 2019 Bill. Clause 91 states that the central government, in consultation with the DPA, can direct data fiduciaries or processors to provide anonymised or non-personal data2 for better provision of services, or for formulation of evidence-based policies. The details of the implementation mechanism for such data sharing with the central government shall be prescribed under rules. The rationale for including this clause is unclear, and it may be prudent that a separate law for such processing is put in place as opposed to evaluating it under the 2019 Bill. This is because anonymised or non-personal data, due to its nature, cannot fit into the same bucket as personal data. At this stage, it appears that in the course of providing anonymised data to the central government, data fiduciaries and processors may be required to comply with processing requirements under the 2019 Bill. If so, then the carve-out for anonymised data is materially diluted.
• Purpose limitation: The 2019 Bill tightens the purpose limitation requirements. Personal data can be processed in a fair and reasonable manner ensuring the principal’s privacy, for a specific, clear and lawful purpose which is consented to by the data principal. Processing can also be carried out for purposes that are incidental or connected to the consented purpose, provided that the principal can reasonably expect such incidental or connected processing, having regard to the main purpose, context and circumstances of collection.
The 2018 draft permitted processing for specified and other incidental purposes without linking it to the consent requirement, thereby creating some ambiguity about the exact scope of purpose limitation. By using expressions like “consented” and “incidental or connected” purpose, the 2019 Bill clarifies the scope, and is likely to provide better guidance to fiduciaries and processors for designing consent mechanisms.
• Retention period: The principles around data storage limitation have been streamlined. The 2019 Bill prohibits a fiduciary from retaining personal data beyond such period as is necessary for the processing purpose. It positively obligates the fiduciary to delete personal data once the processing is completed, in accordance with regulations prescribed by the DPA. However, personal data can be retained where the principal has explicitly consented to an extended duration, or if necessary to comply with any legal obligation. Further, the fiduciary is mandated to undertake periodic review to determine the necessity of retaining personal data.
The 2018 draft permitted retention for such duration as was reasonably necessary for the processing purpose, and retention for longer periods was only permitted if mandated under, or necessary to comply with, legal obligations. What duration qualifies as reasonably necessary permits subjective considerations, and the determination depends on facts and circumstances. Compared to this, the 2019 Bill brings in a necessity threshold, which will require objective evaluation of whether the retention period is commensurate with the processing purposes. In essence, the fiduciary may be required to substantiate that processing would have been impossible without retention. Additionally, it seeks to strengthen the principal’s privacy rights vis-à-vis her personal data, and at the same time allows certain flexibility, as fiduciaries can obtain explicit consent for longer retention periods.
• Notice: The 2019 Bill requires the fiduciary to provide detailed notice to the principal at the time of collecting personal data, or where data is not directly collected from the principal, as soon as reasonably practicable. The underlying idea of notice is to provide complete disclosure to the principal on what processing takes place and how. The contents of the notice have a fundamental bearing on the principal’s right to informational privacy and ensure accountability and transparency throughout the data processing cycle. The notice must inter alia provide the purposes, nature and categories of personal data, identity and contact details of the fiduciary and the data protection officer, the right to withdraw consent along with the procedure, details of entities with whom data may be shared, the grievance redressal procedure, the retention period, and the right to file complaints with the DPA. The requirements of notice are similar to what was provided under the 2018 draft, except that fiduciaries now must clearly state whether the personal data is sensitive or critical, and if so, its specific nature, such as financial, genetic, biometric, etc.
The notice must be provided for all kinds of processing, unless specifically exempted. To this effect, the 2019 Bill exempts the notice requirement in the following instances:
- if notice substantially prejudices processing by the state for performance of its functions under law to provide any state service or benefit, or issuance of any certification, licence or permit to the principal; for instance, notice may not be required where processing is required for the government to provide utilities, subsidies or tax exemptions, or to issue a PAN, etc.
- if notice will substantially prejudice processing by any person (including the state) (i) for compliance with any legislation or any judicial pronouncement, such as processing of financial information for the purposes of tax filings, (ii) in response to a medical emergency involving a threat to life or a severe health threat to the principal or any other individual, such as disclosure of a medical report to a spouse where the principal has human immunodeficiency virus, (iii) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health, or (iv) for carrying out safety measures, or providing assistance or services to any individual during disasters or a breakdown of public order
- processing of personal data (but not sensitive personal data) by an employer for recruitment, termination, attendance, performance assessments, or provision of any service or benefit to a principal acting as an employee
- processing of sensitive personal data by the employer where obtaining consent is not appropriate having regard to the employment relationship, or where obtaining consent will involve disproportionate efforts for the employer
- if processing is in the interest of prevention, detection, investigation and prosecution of any offence or legal contravention
- where processing by disclosure is necessary for enforcing any legal right or claim, seeking relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate
- processing by any court or tribunal for exercise of judicial function
- processing of personal data by a natural person for any personal or domestic purpose, provided it does not involve disclosure to the public and is not undertaken in connection with any professional or commercial activity
- processing necessary for a journalistic purpose in compliance with the code of ethics issued by the Press Council of India or by any media self-regulatory organisation
Additionally, the central government may exempt the application of some or all provisions of the 2019 Bill, including the notice requirements, if processing is
- necessary or expedient in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, public order, or prevention of incitement to the commission of any cognizable offence related to the above grounds; for this, the government is obligated to provide an order with reasons; and
- for certain classes of research, archiving or statistical purposes, subject to such conditions as are prescribed
The 2019 Bill expands the exemptions under which the notice requirement can be done away with. The 2018 draft exempted the notice requirement on 7 grounds, while the 2019 Bill provides 9 grounds, the new additions being processing by the state and by employers. Further, the 2018 draft allowed exemption from the notice requirement when processing was for sovereignty, security, public order or prevention of crime only if there was an express mandate under law, with sufficient procedural safeguards and subject to necessity and proportionality thresholds. These safeguards have been diluted, and the requirement is now limited to an order with reasons from the central government. The rationale for the expanded list of exemptions is unclear and may result in a situation where vast volumes of personal data are processed without the necessary information being provided to the principal.