New data protection regime in preparation in India



Highlights and findings of the 2021 data protection bill.

By Pragni Kapadia

A comprehensive data protection law for India has been in preparation since the Supreme Court’s recommendation in 2017. Two drafts of the bill (2018 and 2019) were previously released for public comment, after which the draft Personal Data Protection Act, 2019 (PDP Bill) has been referred to a Joint Parliamentary Committee (JPC). The JPC presented its report on the PDP Bill to parliament on December 16, 2021 (Report). While the report was adopted by the members of the JPC, eight members submitted dissenting notes on certain aspects of the law.

The report recommends several amendments to the PDP bill, the most extraordinary being to regulate the collection and processing of personal and non-personal (NPD) data resulting in a title change to the Data Protection Bill, 2021 (DPB) . Data protection laws around the world normally only regulate personal data.

The PBO, among others (a) aims to cover personal data (PD), sensitive personal data (SPD), critical personal data (CPD), anonymized personal data and NPD; (b) is cross-border in scope and applies to entities located outside of India if they have a commercial connection with India or conduct profiling of individuals in India; and (c) requires that a data protection authority to deal with both PDs and NPDs be put in place. Higher compliance benchmarks are prescribed for the SPD and the CPD (which are subsets of the PD). The standards for data localization (i.e. storage of data in India) are strict with regards to CPD in the interest of national security and law enforcement. Since the data is stored in mixed data sets, separating the data for localization could prove to be a challenge resulting in the localization of both the SPD and the CPD. Cross-border data transfer also requires permissions and will be tedious.

Few elements of CPM are welcome, such as (a) placing importance on notification to data principals by data processors / trustees coupled with informed consent from data principals; (b) restriction of the use of employee data by employers; (c) data retention rules specifying that data may only be retained until it meets the purpose for which it is processed and should be deleted at the end of this period; and (d) report security breaches for PD and NPD within 72 hours to the DPA. It is not clear exactly how the DPA will coordinate with specialist agencies such as the Computer Emergency Response Team and the Department of Electronics and Information Technology, standardization testing and certification. quality. Two years have been set aside for the implementation of the provisions of the PBO, which is a relief for all stakeholders. Strict standards for children’s data have been introduced regarding the date of minors (ie, under 18), including parental / guardian consent; verification of all children’s data and prohibition of profiling / tracking of children’s data etc. However, some aspects of these layouts can have a counterintuitive impact, especially for education and tech related game / AI companies where it is critical to use children’s data to track the progress of children. ‘a child. The appointment of a C-Suite data protection officer introduced higher accountability as opposed to lower level employees with less responsibilities and a grievance process was also introduced. However, a CEO, CEO or CFO may not have the bandwidth to handle these issues on their own, so it’s unclear how this will be implemented.

With the aim of giving users more control over their data, the PBO introduces a provision on data portability, according to which key data controllers can request from the data trustee their personal data in a commonly used and readable format. by machine. Exemptions have been made for cases where (a) the data processing is not automated; (b) where processing is necessary for law enforcement, court order or state function; and significantly, (c) when meeting the request is technically impossible. The PDP Bill’s exemption for the portability of data revealing trade secrets has been omitted from this version of the law. Certain elements concerning data portability should be clarified in the final version of the PBO, such as (a) the intellectual property of the transferred data; (b) whether the generated data would include derived data (which can be a challenge for digital companies having to share analytical data) and other practical issues such as data format etc.

Interestingly, the right to be forgotten, also recognized by several high courts in India, appears to have been diluted as the data trustee was given (a) the ability to deny the request to erase information from the main data; and (b) certain exemptions to retain, use and process such data.

Some facets of the PBO seem to go against the main intent of the law – the protection of the PD / SPD and the CPD. Consent is at the heart of any data protection law. There is an expansion of state powers and exemptions and the scope of Article 12 of the PBO, which previously allowed the processing of personal data without consent for the exercise of state functions on two grounds only: (i) the provision of services or benefits and (ii) the issuance of certifications, licenses or permits – has been innocently extended by the insertion of the word “including”, to now suggest that these two categories are just one illustration of the many other reasons the government might collect data without consent. Section 35 of the PBO adds that the government has the power to exempt any government agency from all or part of the provisions of the PBO in the name of sovereignty, state security, etc., which has sparked dissent. committee members on the grounds that the government has wide discretion to access PD / NPD without the consent of key data controllers. The government has been given the power to order that anonymity / NDP be shared by any entity with the government, under certain circumstances. The government also had the opportunity to develop a policy on the regulation of the NDP, including anonymized data. The report appears to focus on protecting both national sovereignty and the country’s commercial interests, which is not a common thread with global data protection regimes.

In the same vein as the 2021 rules on information technology (intermediate directives and code of ethics for digital media), the scope of the PBO seems to extend beyond the framework of data protection. requiring a healthy debate in the chambers of parliament on its introduction. For example, (a) the global extension of making social media intermediaries into publishers of data in certain cases where they lose their immunity as mere hosts of content; (b) the requirement for social media platforms operating in India to have local offices; and (c) the establishment of a statutory media regulatory authority. Additionally, the recommendation that a framework be established for the monitoring, testing and certification of hardware devices – a provision that is typically not included in data protection laws around the world.

The PBO provides civil indemnity to data trustees / processors for any violation of any law that could lead to a flow of data protection disputes. In addition, the PBO provides for financial penalties such as fines (up to 4% of worldwide turnover) and criminal penalties in the limited case of unauthorized de-identification of data.

The PBO is just a bill and has not yet been introduced as a bill for parliamentary consideration. The JPC’s recommendations are not binding on the government, and the PBO can be tabled in parliament in its current form or undergo subsequent changes – for now, just wait and watch!

(The author is Senior Advisor, Lumiere Law Partners. Opinions are personal and not necessarily those of

Financial Express is now on Telegram. Click here to join our channel and stay up to date with the latest news and updates from Biz.



Comments are closed.