In Personal Data Protection Bill 2019 versus 2018 – Part 1, we delved into the changes in the concept of personal data, purpose limitation, retention period and notice requirements. In this post, we continue to analyse some additional key changes.
1. Consent: The 2019 Bill makes prior consent the primary ground for processing. Consent must be:
- free as understood for contractual consent under the Indian Contract Act1
- informed through the detailed notice as discussed at #4 in our previous post Personal Data Protection Bill 2019 versus 2018 – Part 1
- specific as to the scope of consent, having regard to the processing purposes
- clear through an affirmative action that is meaningful in the given context; and
- capable of being withdrawn as easily as it is given.
This essentially means that consent cannot be influenced by any external factors or be made conditional upon the provision of goods or services, must be worded specifically with full disclosure of purposes in simple, easy to understand language, and must be obtained through direct action as opposed to implied conduct.
Additionally, for processing sensitive personal data, consent must be explicitly obtained in clear terms without recourse to any inference from conduct, after informing the principal about the purposes or operations that may cause significant harm, and giving the principal the choice of separately consenting to each of those underlying purposes or operations. There are further requirements for processing the personal data of children. If a principal withdraws consent without any valid reason, the legal consequences and effects of such withdrawal shall be borne by the principal.
The 2018 draft provided for similar consent requirements for processing personal data. Regarding processing sensitive data, the 2018 draft created some confusion as it explained the additional requirements as essential constituents of a separate kind of “explicit consent”. It was ambiguous, since consent for processing any personal data per se already required direct and affirmative action and prohibited any implied consent. The 2019 Bill has clarified the additional conditions.
Compared to the 2018 draft, the 2019 Bill strengthens the right to withdraw consent by stating that the legal consequences of withdrawal shall be borne by the principal only if consent is withdrawn without any valid reason. This means that the principal can provide cogent reasons for withdrawal, in which case the fiduciary may be required to bear the consequences. This may also mean that, despite withdrawal of consent for valid reasons, the fiduciary remains obligated to provide goods or services. The 2018 draft had a blanket provision which stated that the principal shall bear the consequences of withdrawing consent irrespective of any reason.
2. Other bases of processing: The 2019 Bill provides new bases of processing for which consent need not be obtained. These include all the grounds on which the notice requirement stands exempted. These grounds have been discussed at length in #4 of our previous post Personal Data Protection Bill 2019 versus 2018 – Part 1. To briefly reiterate, they include processing for:
- performance of state’s functions in providing any state service/benefit, or issuance of any certification, license, or permit to the principal
- compliance with any legislation, or any judicial pronouncement
- responding to a medical emergency involving a threat to the life or a severe threat to the health of the principal, or any other individual
- undertaking any measure to provide medical treatment/health services to any individual during an epidemic, outbreak of disease, or any other threat to public health
- carrying out safety measures, or providing assistance/services to any individual during disasters or breakdown of public order
- recruitment, termination, attendance, performance assessments, or provision of any service or benefit to the principal acting as an employee
- prevention, detection, investigation and prosecution of any offence or legal contravention
- enforcing any legal right or claim, seeking relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate
- judicial functions by court or tribunal
- any personal or domestic purpose by a natural person; and
- journalistic purpose in compliance with code of ethics issued by Press Council of India or by any media self-regulatory organisations
Apart from the above, consent is not required where processing is for reasonable purposes as may be specified by the Data Protection Authority (DPA) through regulations. In formulating these regulations, the DPA must factor in the fiduciary’s interest in processing, whether the fiduciary can reasonably be expected to obtain consent, public interest, the effect of processing on the principal, and the reasonable expectation of the principal in the context of the processing. Some reasonable purposes have already been listed, such as prevention and detection of any illegal activity including fraud, whistle blowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, processing of publicly available data, and operation of search engines. In these instances and for other specified reasonable purposes, the DPA is mandated to prescribe safeguards to ensure protection of the principal’s rights, and to determine whether notice requirements shall apply or not.
Additionally, the central government may exempt some or all provisions of the 2019 Bill, including the consent requirement or any other processing basis, if processing is necessary or expedient in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, public order, or prevention of incitement to the commission of any cognizable offence related to the above grounds. For such exemption, the government is obligated to issue an order with reasons.
While many have observed that consent requirements have been streamlined from the 2018 draft, in our opinion the 2019 Bill retains most of the consent mechanism as is, albeit consent can be completely diluted where processing is done by the state. The 2018 draft curtailed the government’s ability to negate consent principles through further notifications on grounds of state security, sovereignty and public order. It required a clear prescription under a law with proper checks and balances for the state to process without consent. This has been omitted, and the 2019 Bill may have an arbitrary impact on the principal’s right to informational privacy.
3. Rights: The 2019 Bill allows the principal to:
- get confirmation from the fiduciary on whether processing has taken place
- obtain summary or full details regarding the personal data being processed
- obtain brief summary of processing activities undertaken
- access the identities of all fiduciaries with whom personal data has been shared at one place along with the categories of data shared; and
- where necessary, having regard to the purposes and subject to regulations, seek correction, completion, updation or erasure of personal data if the purposes have been accomplished.
Most of the rights to confirmation, access and correction have been retained as is from the 2018 draft. Nonetheless, the 2019 Bill brings a new right to erasure. Now a principal can seek erasure of personal data if the processing purposes have been achieved. This is akin to the right to be forgotten under the European Union General Data Protection Regulation. But there is still ambiguity on the scope of the right to be forgotten under the 2019 Bill. This is because the 2019 Bill continues to retain a separate clause on the right to be forgotten and explains it as a right to prevent continuing disclosure of personal data, exercisable with prior approval from the adjudicating officer.2
The aforementioned rights can be exercised by making a written request to the fiduciary directly or through a consent manager. While making such requests, the principal has to provide identity details and may be required to pay specified fees. The request has to be responded to within such time as may be prescribed. The 2018 draft did not expressly provide that requests can be made through consent managers, and by specific inclusion the 2019 Bill validates the existing industry practice. This is likely to facilitate implementation. Further, the 2018 draft sought to impose a 90 day timeline for fiduciaries to respond to a principal’s request. The 2019 Bill leaves this for the DPA to prescribe through regulations.
4. Cross-border data transfer: In the wake of severe criticism of the data localization requirements under the 2018 draft, the 2019 Bill has significantly relaxed the requirements for cross-border data transfer. It states that sensitive personal data may be transferred outside India for processing, subject to explicit consent from the principal for such transfer and any one of the following conditions:
- pursuant to a contract or intra-group scheme approved by the DPA; for approval, the contract or scheme must provide clauses for effective protection of the principal’s rights and for the liability of the fiduciary for harm caused due to non-compliance with the contract or scheme
- transfer to a country, or entity or class of entities in transferee country, or an international organization that provides adequate level of protection, and has been conferred with such adequacy decision by the central government; or
- pursuant to specific approval from DPA for any specific purpose.
While cross-border transfer is permissible, such sensitive personal data must continue to be stored in India. Further, any data that is categorized as critical personal data by the central government must be processed only in India. In extremely rare circumstances, critical data may be transferred outside India, if such transfer is to a:
- person/entity engaged in providing health/emergency services and is necessary for prompt action; these transfers must be notified to DPA within such period as may be specified; or
- country, entity or international organization which the central government deems permissible after evaluating adequacy of protection measures provided and whether such transfer shall cause prejudice to security and strategic interest of the state.
The 2018 draft required localization and imposed cross-border transfer conditions (i.e., contract clauses, adequacy decision, intra-group scheme, etc.) for all kinds of personal data. The 2019 Bill does not require any specific conditions for cross-border transfer of personal data that is not sensitive, and there is no mandate to keep a serving copy of such personal data in India. This means that fiduciaries and processors can process non-sensitive personal data outside India as long as they have obtained consent from the principal, or are processing on any other non-consensual basis. This has come as a huge relief to industry stakeholders, but its actual implication for the principal’s informational privacy is yet to be ascertained. Cross-border transfer requirements under the European Union General Data Protection Regulation, such as binding corporate rules for intra-group transfers, standard contractual clauses and adequacy decisions, apply to all kinds of personal data and not just special categories of data. While it was absolutely essential to do away with physical localization requirements and facilitate cross-border transfers, omitting conditions for transfer to a foreign jurisdiction may dilute the principal’s right to informational privacy.
5. Penalties: The 2019 Bill provides for steep penalties for different kinds of contravention, alongside the data principal’s right to seek compensation and the DPA’s power to prosecute for offences. The following penalties are prescribed:
- INR 50 million or 2% of worldwide turnover, whichever is higher, may be imposed upon a non-government fiduciary if it fails to comply with the following obligations as applicable to fiduciaries/significant data fiduciaries3 – respond promptly and appropriately to data security breaches, register as a significant data fiduciary, undertake data protection impact assessments, conduct data audits, or appoint a data protection officer; for similar contraventions by the state, the penalty cannot exceed INR 50 million
- INR 150 million or 4% of worldwide turnover, whichever is higher, may be imposed on a fiduciary where it processes personal data in contravention of the processing principles and permitted grounds (such as consent, special requirements for processing children’s personal data, etc.), fails to adhere to security safeguards, or transfers personal data in violation of cross-border transfer requirements; the penalty for similar contraventions by the government has also been capped at INR 150 million
- INR 5,000 per day of default up to INR 500,000 for fiduciaries and INR 1 million for significant data fiduciaries, where they fail to comply with principal’s requests for exercise of their rights
- INR 10,000 per day of default up to INR 500,000 for fiduciaries and INR 2 million for significant data fiduciaries where they fail to furnish any report, return or information to the DPA
- Up to INR 10 million for significant data fiduciaries and INR 2.5 million for all other fiduciaries or processors who breach any other provision of the 2019 Bill.
Penalties can only be imposed after inquiry by adjudicating officers appointed by the DPA. The concerned fiduciary or processor shall be provided with a reasonable opportunity of hearing, and inquiry proceedings can only be initiated on a complaint made by the DPA. While the quantum and grounds for imposition of penalties are similar to the 2018 draft, the 2019 Bill reduces the penalty that can be levied upon the government by capping the maximum limit. No such cap was prescribed under the 2018 draft. Further, since an inquiry can only be initiated on a complaint filed by the DPA, it is likely that an aggrieved data principal or any other person cannot file a complaint seeking imposition of a penalty for contraventions, and this may significantly dilute the remedies available for breach of the 2019 Bill.
The 2019 Bill has ironed out several grey areas that existed in the 2018 draft. The changes can have significant impact. The 2019 Bill definitely provides clearer requirements for data processing industries, but at the same time may also result in breach of privacy rights. Until the joint committee provides its review comments, speculation around the true import of the Bill will continue.