Key Provisions in India’s Draft Personal Data Bill
This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or services in India.
High Level Insights
The General Data Protection Regulation (GDPR) as a Model: For the most part, the Committee’s recommendations use GDPR as a model. The draft bill grants individual rights, institutes heightened consent requirements, mandates organizational practices such as DPIAs, and imposes stiff penalties for non-compliance. However, the draft bill coins new terminology, referring to GDPR’s “data subjects” as “data principals” and GDPR’s “data controllers” as “data fiduciaries.”
Data Localization: The Committee includes a data localization provision that requires copies of Indian personal data be stored in India. Likewise, it erects barriers that make it more difficult to transfer personal data out of India.
The Central Role of the Data Protection Authority (DPA): As in GDPR, the draft bill would introduce a DPA with the power to interpret regulations, investigate businesses, and issue fines, injunctions, and even criminal penalties. But unlike GDPR, the Committee’s proposal empowers the DPA to engage in rulemaking. For example, the DPA could identify new categories of sensitive data, specify new lawful bases for processing, and decide whether a particular business needs to hire a DPO, perform a DPIA, or undergo a data audit. As such, the DPA’s leadership and structure may have a substantial impact on the scope of India’s data protection regime.
“Data Fiduciaries” and Processors
The Committee’s proposed regulation largely adheres to the GDPR’s definitions of “controller” and “processor,” but introduces new “data fiduciary” and “significant data fiduciary” categories. Although the term “fiduciary” is new, the substance of its definition is equivalent to a “controller” under the GDPR. The change of term to “fiduciary,” however, was deliberate: the Indian proposal intends to imply a fiduciary relationship between data principals and fiduciaries. Fiduciaries would have a duty of care to treat data principals’ data “fairly and responsibly,” which may add obligations above and beyond those of a “controller.”
The DPA would have discretion to determine if an entity should be classified as a “significant data fiduciary,” which carries added responsibility and higher penalties. Significant data fiduciaries are required to complete DPIAs, adhere to record-keeping requirements, conduct data audits, and appoint data protection officers.
In general, the proposed jurisdiction provisions allow substantial extraterritorial reach, along the lines permitted by the GDPR. However, the draft bill does not contain the parallel recitals that are included in the GDPR, which limit the GDPR’s extraterritorial reach. Accordingly, the Indian draft bill has even greater reach than the GDPR. The Committee included an exception for processors in India that process only foreign nationals’ personal data.
Definition of Personal Data
The Committee defines personal data as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic . . . of the identity of such person.” The Report acknowledges that this definition is a standard, not a rule, and instructs the DPA to provide additional guidance defining personal data.
None of the draft bill’s requirements would apply to anonymized data. However, the draft bill insists that anonymization must be “irrevocable.” Under this standard, it may be difficult to determine that a given data set qualifies as “anonymized.”
Lawful Bases for Processing Personal Data
The draft bill includes six different grounds for processing personal data: (1) consent, (2) state functions, (3) court orders, (4) prompt action, (5) employment, and (6) reasonable purpose. Notably, the drafting committee rejected processing to satisfy a contractual obligation as a basis for lawful processing, which will make many business relationships quite difficult. In addition, only the DPA would be able to identify particular types of processing that satisfy the “reasonable purpose” provision.
Conditions for Consent
The Report observes that, “on the internet today, consent does not work.” For both personal and sensitive data, the data fiduciary bears the burden of establishing that consent was given. Further, the draft bill prevents data fiduciaries from conditioning provision of a good or service on consent to “processing . . . not necessary for that purpose.” To serve as a basis for processing sensitive personal data, consent must be explicit.
Right to Be Forgotten
The Right to be Forgotten permits data principals to “restrict or prevent continuing disclosure” of their data. This includes de-linking and deleting publicly available data. However, data principals may exercise this right only when disclosure is no longer necessary, or when processing was based on the data principal’s consent.
Breach Notification
The draft bill requires that a breach be reported to the DPA when it could significantly harm data principals or is likely to harm the rights of data principals. The Report and the bill avoid creating a specific standard and defer to future guidance from the DPA. The notification should be made “as soon as possible and not later than the time period specified by the Authority.” The clock does not start until after the time required to take urgent action to mitigate harms and address the breach. The Authority will assess breach notifications to determine when notification of data principals is required.
Data Localization
The Committee’s proposal includes a data localization requirement that requires data fiduciaries to store a copy of covered personal data in India. Under the draft bill, data fiduciaries “shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.” In addition, if the government designates a category of personal data as “critical,” it “shall only be processed in a server or data centre located in India.” The Committee’s proposal would authorize the government to exempt “certain categories of personal data” from the data localization requirement “on the grounds of necessity or strategic interests of the State.” However, the government cannot exempt sensitive data from this requirement.
Restrictions on Data Transfer
The draft bill would, for the first time, impose an onward-transfer restriction for India that would prevent the transfer of personal data to other countries without authorization. The proposed regulation outlines several methods by which data could be transferred across borders: pursuant to model contracts approved by the DPA; under intra-group schemes (across borders but within a corporate group); in circumstances where the central government determines that the data will receive an “adequate level of protection”; and with consent. Health information necessary for “prompt action” is exempted from the cross-border transfer requirements. The government can also approve other categories of data under this justification.
Remedies and Penalties
The Draft Bill includes both civil and criminal penalties. It establishes two categories of civil penalties:
The first category permits penalties up to five crore rupees (approximately $730,000 USD) or two percent of the fiduciary’s gross revenue from the last financial year, whichever is higher.
The second category permits penalties up to fifteen crore rupees (approximately $2.2M USD) or four percent of the fiduciary’s total gross revenue from the last financial year, whichever is higher.
In addition, a series of violations would prompt a per-day penalty, subject to a cap.