Today India is one of the fastest growing markets for smartphones and internet. The number of internet users is growing at a rate of 18% per annum and is estimated to cross 627 million by the end of 2019. Similarly, smartphone users will reach 859 million by 2022. Even with these numbers, large segments of the population remain untapped and the possibilities of growth seem endless.
In the post Cambridge Analytica world, people have become more conscious of their personal data and its protection. With the increasing scope of online and mobile applications, the advances of analytics and the Internet of Things, the need for data security is more important than ever, considering the risk of new exposed system vulnerabilities and cyber-attacks, as well as the vast opportunities for data combination and end-users tracking.
India is key market for manufacturers like Apple, Samsung, Xiaomi, etc. and is also delivering explosive growth to apps like Facebook, Google, WhatsApp, TikTok, YouTube, etc. Back in 2017, number of Facebook users in India stood at 241 million, making it the largest audience country for Facebook. In 2019, WhatsApp reported to have doubled its user base in India to 400 million in a short span of 2 years. Google India reported that 80% of smartphone users across all age groups access YouTube. TikTok claims to have 200 million users in India, of which 120 million are active every month.
Despite virtually every smartphone having apps which collect and monetize user data and data breaches becoming an everyday affair, the concept of data privacy and data protection will draw a blank even from the most tech savvy people. This lack of understanding puts people at incredible risk of being targeted by nefarious elements on the internet and mass surveillance programs.
The Information Technology Act, 2000 which came into force on October 17, 2000 lacked provisions for protection and the procedure to be followed to ensure the safety and security of sensitive personal information of an individual thus resulting in the notification of the SPDI Rules.
Nearly a year after Supreme Court’s landmark judgment upholding privacy as a fundamental right, the government introduced the draft Personal Data Protection Bill, 2018 (Bill) to protect individuals’ personal data and regulate collection, usage, transfer and disclosure of the said data. The draft Bill was submitted by the Committee of Experts on Data Protection Framework for India chaired by Justice BN Srikrishna to the MeitY on July 27, 2018.
The Bill defines “Personal Data” as any data about or relating to an individual who is directly or indirectly identifiable with such data or a combination of such data with any other information and “Data Principals” are the individuals to whom the personal data relates to. The Bill draws a distinction between entities which determine the purpose and means of processing of personal data i.e., “Data Fiduciaries” and entities that process personal data on behalf of the Data Fiduciary i.e., “Data Processors”. The Bill also distinguishes Sensitive Personal Data from Personal Data. The passwords, financial data, health data, sexual orientation, biometric and genetic data, official identifiers, religious and political belief etc. come within the definition of Sensitive Personal Data.
The Bill is applicable to all activities relating to processing of Personal Data and Personal Sensitive Data within the territory of India by the State, any Indian company, any Indian citizen and Data Fiduciaries that process personal data in connection with any business carried on in India or offer goods and services to Data Principals within the territory of India.
GROUNDS FOR PROCESSING PERSONAL DATA
The Data Fiduciary will need valid consent of the Data Principal before processing any Personal Data and/or Sensitive Personal Data. The Bill explains in detail as to what can be considered as a valid consent. The categories of Personal Data being collected, purpose of processing such data, entities with which the data might be shared, and any cross-border transfer of data have to be disclosed to the Data Principal. The onus is placed on Data Fiduciaries to process Personal Data only for clear, specific and lawful purposes, in a fair and reasonable manner that respects the privacy of Data Principals and delete such data once the purpose for which the data was collected is satisfied.
DATA PROCESSING BY STATE
Personal Data can be processed by the State without the consent of the Data Principal where it is necessary for any function of Parliament or State legislature, to provide any service or benefit to the Data Principal and the issuance of any certification, license or permit for any action or activity of the Data Principal. Sensitive Personal Data may be processed to respond to medical emergencies, provide medical treatment or health services, ensure safety and provide assistance during any disaster of breakdown of public order.
The Bill recognizes the importance of protecting sensitive and personal data of children. Data can only be processed to protect and advance the rights and best interests of the child. Parental consent and age verification are required to process sensitive and personal data of children. Data Fiduciaries who operate commercial websites or online services directed at children or who process large amounts of data have been barred from profiling, tracking, or behavioral monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child.
DATA PRINCIPAL RIGHTS
Chapter VI of the Bill enshrines certain rights upon Data Principles along the lines of the rights granted to data subjects in EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018. Data Principles have the right to obtain a brief summary of their Personal Data being processed, know the status of their data (right to confirmation and access). If the information stored with the Data Fiduciary is inaccurate, misleading, incomplete or out of date, the Data Principles have the right to correction the and withdraw their consent to Data Fiduciaries. Data Principles also have the right to receive their Personal Data collected by a Data Fiduciary in a machine-readable format, thus making it easier for the individual to transmit Personal Data between service providers (right to portability). Additionally, Data Principles have the right to rescind the consent given to Data Fiduciary to process data and prevent disclosure of Personal Data to the data i.e. ‘Right To Be Forgotten’.
TRANSPARENCY AND ACCOUNTABILITY MEASURES
To establish transparency and accountability of parties processing Personal Data, the Bill directs Data Fiduciaries to ensure ‘privacy by design’, i.e. implement policies and undertake actions like designing systems to anticipate, identify and avoid harm to the Data Principal, ensure business interests are not achieved by compromising privacy interests, use commercially acceptable and certified technology and process personal data in a transparent manner. Data Fiduciaries have to take due care of the Personal Data and implement security safeguards like encryption, de-identification, etc. In case of a data breach, the Data Fiduciary has to notify the Data Protection Authority where such breach is likely to cause harm to any Data Principal and provide details like number of individuals affected, possible consequences of breach and measures taken by Data Fiduciary to remedy the breach. Data Fiduciaries have to appoint a Data Protection Officer, conduct data audits periodically and put in place a grievance redressal mechanism.
CROSS-BORDER TRANSFER RULES
Several restrictions have been placed on cross-border transfer of data including storage of copy of data within territory of India and a blanket ban on cross-border transfer of Sensitive Personal Data. While the Bill is not explicit on the cross-border transfer of such Sensitive Personal Data yet, the interpretation appears to be restrictive. Further, the Central Government enjoys wide powers to restrict transfer of data based on country, sector within a country and international organization. The Data Protection Authority may approve standard contractual clauses or intra-group schemes subject to which Data Fiduciaries may transfer Personal Data outside the Indian territory. Data Fiduciaries will bear liability for the harm caused due to any non-compliance with the standard contractual clauses or intra-group schemes by the transferee.
PENALTIES AND COMPENSATION
The fines proposed for contravention of various provisions of Bill range from 2%-4% of global turnover or INR 5-15 crores whichever is higher. These penalties are somewhat similar to the fines as may be imposed under the GDPR regime. However, certain offences under the draft bill are categorized as cognizable and non bailable, which is not a feature of GDPR. Data Principles can also claim compensation from Data Fiduciaries for the harm suffered as a result of violation of the provisions of Bill.
Chapter XII of the Bill calls for Central Government to establish an Appellate Tribunal to hear appeals against the orders of the Adjudicating Officers. Like other quasi-judicial bodies, the Appellate Tribunal will not be bound by the procedure laid down by the Code of Civil Procedure, 1908. Appeals against orders of Appellate Tribunal will lie before the Supreme Court of India.
SOME DEBUGGING REQUIRED
There is no clarity as to how the Personal Data Protection Bill, 2018 will co-exist with the existing IT Act and the IT Rules. The Bill also needs to be less onerous as the current obligations may lead to regulatory burden for companies and budding entrepreneurs.
While the Bill places obligation on Data Fiduciaries to process data ‘in a fair and reasonable manner that respects the privacy of Data Principals’, it does not specify any principles or guidelines or lay best practices for the same.
The information mandated to be provided to data principals by Data Fiduciaries under Section 8 of the Bill would be futile unless measures are taken to educate people about basic tenets of data protection. People cannot be expected to give proper consent when they do not understand the information being provided in the notice. The ultimate aim of the Bill is not only to protect personal data but also to protect people.
The Bill allows for State to process data for a number of purposes without the knowledge or consent of the Data Principal. Even though the Bill largely succeeds in regulating the relation of private entities and individuals, it fails to effectively regulate the relation of citizen and the State and limit the power State should enjoy over individuals.
Data Fiduciaries are required to notify Data Protection Authority about any personal data breach “as soon as possible” and not later than the time period specified by the Authority. No time period is prescribed under the Bill.
The cross-border transfer rules and mandatory storage of data in local servers will raise costs for Data Fiduciaries and may hamper India’s growth in the digital age. The only possible reason for localisation may be to assist the authorities to gain access and scrutinize such data more easily. Data localization does not contribute towards data protection unless it is complimented with increased security and privacy measures for servers and data centers. If local servers are more vulnerable to attacks than servers located in a foreign country, then such a provision becomes futile.
The multiple mandatory requirements regarding privacy by design measures, security safeguards, data protection impact assessment, record keeping, data audits, etc. will be a regulatory and cost burden on the entrepreneurs.
The Bill provides a great foundation for a data protection regime in India. It specifies the rights of Data Principals and provides a mechanism to ensure accountability of Data Fiduciaries. When enacted, it will usher in a data privacy regime that will drastically improve and standardize the privacy practices in the country. Since some of its provisions have been adopted from GDPR, it will ensure uniformity and comity of laws. However, there are certain issues that should be addressed before the Bill is enacted.
The author is a Corporate and M&A lawyer at Sarin Partners Advocates & Legal Consultants. The views in the article should not be construed as legal advice. Please contact the author for any clarification.
 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
 Justice K.S. Puttaswamy (Retd.) v. Union of India and Ors. (2017)
 Available at https://meity.gov.in/content/personal-data-protection-bill-2018
 Ministry of Electronics and Information Technology
 Section 3 of the Bill
 Section 2 of the Bill
 Section 12(2) of the Bill
 Section 8 of the Bill
 Section 5 of the Bill
 Section 4 of the Bill
 Section 13 of the Bill
 Section 21 of the Bill
 Section 23 of the Bill
 Section 27 of the Bill
 Chapter VII of the Bill
 Section 40 of the Bill
 Section 41 of the Bill
 Section 69 – 73 of the Bill
 Chapter XIII of the Bill
 Section 75 of the Bill