Privacy and Data Protection – India Wrap 2020
2020 was the year in which the world went more digital than ever before, owing to the pandemic that altered life as we knew it. One of the silver linings of the year was the spotlight on the importance of data and data flow. Taking this cue, the Indian Government took significant steps in tech policy and data regulation in 2020, viz. non-personal data, health data, financial data, and data related to e-commerce and other consumer facing services. The judiciary has also made observations on individual rights regarding data privacy, and the ever-deliberated Personal Data Protection Bill, 2019 (“PDP Bill”) was a moving piece under Government deliberation during the year.
The highlights are as follows:
1. THE LOOMING PROPOSED PRIVACY LAW
Inspired by the GDPR, the PDP Bill was proposed in 2019 to bring about a comprehensive overhaul of India’s data protection regime, which is currently governed by the Information Technology Act, 2000 and the rules thereunder. The current draft of the PDP Bill prescribes compliance requirements for all forms of personal data, broadens the rights given to individuals, introduces a central data protection regulator, and institutes data localization requirements for certain forms of sensitive data. The PDP Bill applies extraterritorially to non-Indian organizations where certain nexus requirements are met, and also imposes hefty financial penalties in case of non-compliance.
The PDP Bill was referred to a Joint Parliamentary Committee (“JPC”) on December 12, 2019 for recommendations. The JPC’s report, after timeline extensions granted, is now due to be submitted to the Parliament, in the Budget Session to be tentatively held in January 2021.
The JPC has been conducting a number of meetings with Government ministries, industry bodies and various stakeholders, as well as holding meetings for clause-by-clause consideration of the PDP Bill. Importantly, as per recent reports,1 the JPC is now planning to expand the scope of the PDP Bill from just personal data to ‘encompass overall data protection’, including non-personal data. As per further reports,2 members of the JPC are still undecided and split over the key issues of data localization and Government access to data, especially data held by social media platforms, and some reports3 have confirmed that the PDP Bill will not be passed in its current version and that it will be “redrawn” by the JPC.
We expect considerable time until the PDP Bill is enacted, given the substantial delays in progress and recent reports on the scope of the PDP Bill being reopened and broadened. Whether there will be a change in scope of the PDP Bill, and specifically in the compliance requirements including data localisation and cross border data transfer restrictions and compliances under this proposed law is yet to be seen.
2. PROPOSED NON-PERSONAL DATA FRAMEWORK
The Ministry of Electronics and Information Technology, Government of India constituted a committee (“NPD Committee”) to explore the governance of non-personal data (“NPD”). The terms of reference of the NPD Committee were to: (a) study various issues relating to non-personal data; and (b) make specific suggestions for the consideration of the Central Government on the regulation of non-personal data. Currently, processing NPD is not regulated under law. Further, “anonymized data” is specifically excluded from the applicability of the current draft of the PDP Bill.
On July 12, 2020, the NPD Committee released their report4 on the Non-Personal Data Governance Framework for public comments. The report called for a separate NPD governance framework to be put into place. However, the report was not a well-articulated document in terms of definitions, proposed provisions and the purpose sought to be achieved by the framework.
Subsequently, in January 2021, the NPD Committee released a revised version of their report clarifying certain aspects. The revised report expands on how the PDP Bill and the recommended NPD framework would function in tandem, clarifying that it is only anonymised data that will fall under the NPD framework. The revised report, amongst other things, details the types of NPD that may be collected, delves into public and private rights that may subsist in such data, as well as provides for a detailed data sharing mechanism that exempts transfers between private entities. The report provides separate guidelines for ‘Data Businesses’5, or data collecting entities that meet certain thresholds, calls for the separate treatment of certain ‘High Value Datasets’6, and also calls for the creation of a separate regulator that would function independently.
However, as mentioned above, certain reports7 indicate that the JPC may be looking to broaden the scope of the PDP Bill to include NPD as well. These reports run contrary to the NPD Committee’s recommendation for all NPD-related provisions in the PDP Bill to be removed. We expect more clarity once the JPC issues its report on the PDP Bill.
3. DATA EMPOWERMENT AND PROTECTION ARCHITECTURE FOR FINTECH
In August 2020, NITI Aayog (a policy think tank run by the Government of India) released a draft framework on the Data Empowerment and Protection Architecture (“DEPA”) in consultation with a few industry regulators, banks and fintech players. Through DEPA, NITI Aayog aims to institute a mechanism for secure consent-based data sharing in the fintech sector, which they believe will be “a historic step towards empowering individuals with control over their personal data”.8 DEPA aims to build on existing regulation by the RBI on ‘Account Aggregator’9 models, through which individuals will be able to share their financial data across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds in a secure manner. While this document released by NITI Aayog is focused on the implementation of DEPA in the financial sector alone, DEPA is also proposed to be introduced as a similar framework beyond just financial data, and across all sectors, beginning with the health and telecom sectors.
While NITI Aayog goes into much detail on the motivation behind the introduction of the DEPA platform, the exact process of how the architecture would be implemented is yet to be detailed. In order to fully implement DEPA, the relevant Government regulators and ministries would be required to release a detailed document that lays down the processes for the information flow in DEPA. DEPA was open for public comments until November 30, 2020, and there has been no further update to date.
4. A POLICY FOR THE MANAGEMENT AND SHARING OF HEALTH DATA
A National Digital Health Mission (“NDHM”) was announced by the Central Government, and the Ministry of Health and Family Welfare (“MOHFW”) published a blueprint10 in late 2019 recommending the creation of a National Digital Health Ecosystem (“Ecosystem”) that allows for interoperability of digital health systems at the patient, hospital, and ancillary healthcare provider level. On December 14, 2020 the MOHFW approved11 a Health Data Management Policy (“HDM Policy”)12, largely based on the PDP Bill, to govern data in the Ecosystem. Like the PDP Bill, the HDM Policy recognises data fiduciaries (similar to data controllers under the GDPR) and data processors as the entities in the data processing space, and establishes a consent framework for processing personal data.
The HDM Policy provides for rights to individuals, and provides for the creation of Health IDs for individuals, Health Practitioner IDs for medical practitioners, and Health Facility IDs for operators/owners of health facilities. It mandates data fiduciaries to abide by the basic data protection principles and establishes certain compliance requirements including security practices and impact assessments. The HDM Policy also allows for consent-based sharing of data and establishes a grievance redressal procedure through the National Health Authority. Guidelines for an ‘NDHM Sandbox’13 were also published in August 2020 to encourage the incubation of new technologies in a contained environment.
The HDM Policy will have a significant impact on the medical and pharmaceutical industry once implemented, as healthcare institutions will have increased compliance obligations and the telemedicine sector is set to become busier than before. However, the HDM Policy has significant overlaps with the PDP Bill, which may cause a conflict between the HDM Policy and the PDP Bill. It is therefore unclear why the HDM Policy was separately proposed, and in case of a conflict – which may prevail.
5. DATA IMPLICATIONS IN THE IMPENDING E-COMMERCE POLICY
A draft of the new e-commerce policy has reportedly been in the works14 and proposes to set up an e-commerce regulator with wide-ranging powers over e-commerce entities and platforms. The draft contained wide-ranging proposals on sharing source codes, algorithms and other data with the Government, use of non-personal data of consumers, anti-piracy, cross border data flows, etc. As per more recent media reports, the Central Government is in the ‘final stages’ of drafting India’s e-commerce policy15 and may set up an ‘investigation body’ to look into violations by e-commerce entities.16
It would be interesting to see whether many of the data related provisions such as on ownership, Government access and data sharing have been diluted in the e-commerce policy in light of industry feedback, and the provisions of the PDP Bill and the NPD governance framework currently under Government consideration.
6. GOVERNANCE OF DATA OBTAINED BY MOTOR VEHICLE AGGREGATORS
The Ministry of Road Transport and Highways published the Motor Vehicle Aggregator Guidelines 2020 (“MV Aggregator Guidelines”)17 on November 27, 2020 to regulate the business of transport aggregators. The MV Aggregator Guidelines set out recommendations for a licensing regime for aggregators; regulation of fares; compliance requirements regarding vehicles, apps and websites; ride-sharing; safety measures; and ride cancellations. The MV Aggregator Guidelines state that the data generated on an aggregator’s app or website must be stored in India for a minimum of 3 months and a maximum of 24 months from the date of generation. This data must also be made available to the State Governments as per law. The Guidelines also prescribe that the aggregator must not disclose customer data without the customer’s written consent.
The Guidelines do not detail parameters on the scope of data covered, the conditions of storage, or any exemptions to the data localization requirement. Since both the Central Government and State Governments have legislative powers over motor vehicles18, and the Motor Vehicles Act, 1988 provides that a State Government may follow guidelines notified by the Central Government on issuance of licenses to transport aggregators, it remains to be seen how individual State Governments implement these guidelines in their respective jurisdictions.
7. INDIAN JUDICIARY ON REGULATION OF PERSONAL DATA
The Kerala High Court in the case of Balu Gopalakrishnan v. State of Kerala19 passed an interim order on April 24, 2020 on the export of COVID-19 related data by the State Government of Kerala to a US-based entity, Sprinklr, for data analytics. The High Court held that certain measures were to be implemented by the State Government before granting Sprinklr access to the data. These measures include anonymizing the data, obtaining specific consent from citizens, and ensuring the return of data once contractual obligations end. The High Court also barred advertisements and the commercial exploitation of the data by Sprinklr. This judgment sets an important benchmark for all public-private partnerships in the post COVID-19 era in the field of data protection and emphasizes the accountability of the State in handling data of its citizens. Our detailed update on this matter is available here.
The Odisha High Court in the case of Subhranshu Rout @ Gugul v. State of Odisha20 observed in its order on November 23, 2020 the importance of an individual’s right to be forgotten and how it remains unaddressed in legislation. The case involved objectionable content regarding a woman that was posted online. While the victim had not made any arguments with regard to the permanent removal of her data, the court encouraged the victim to seek appropriate orders for the protection of her fundamental right to privacy even in the absence of an explicit right to be forgotten. The court went on to note that recognizing such a right by law would help in safeguarding women’s rights online, thus highlighting the importance of strong individual privacy rights. The court was cognizant of the fact that the current draft of the PDP Bill, if passed as law, would introduce a right to be forgotten in India. Our detailed update on this matter is available here.
8. THE EUROPEAN UNION COURT’S DECISION IN ‘SCHREMS II’
In what has been a significant development in global data protection law, the Court of Justice of the European Union (“CJEU”) in a case popularly known as Schrems II21 invalidated the EU-US Privacy Shield (“Privacy Shield”) and read down the inviolability of the Standard Contractual Clauses (“SCCs”). The Privacy Shield was an adequacy decision issued by the European Commission (“EC”) regulating data transfers between the United States of America (“US”) and any member state of the European Union (“EU”) or the European Economic Area (“EEA”). SCCs are contractual clauses approved by the EC under the EU’s data protection law, the General Data Protection Regulation (“GDPR”), which may be incorporated into data transfer agreements to export data outside the EU or EEA. Adequacy decisions and SCCs are two amongst a host of permissible ways to transfer data outside the EU or EEA member states under the GDPR.
The CJEU invalidated the EC decision approving the Privacy Shield, observing that, due to the operation of surveillance laws in the US, the Privacy Shield does not provide protection of an individual’s data protection rights that is adequate, i.e. similar to that under the GDPR. It also ruled that the SCCs by themselves do not provide adequate protection of an individual’s data protection rights, and that additional due diligence on the laws of the transferee’s country has to be carried out for a cross-border transfer of data to be legitimate under the GDPR. This would have a direct impact on businesses transferring personal data from the EU or EEA to India, since data transfers under the SCCs may be suspended at any time by an EU or EEA regulator if it opines that Indian law operating along with the SCCs does not adequately protect individual rights. Hence businesses may need to undertake a separate assessment of Indian laws in addition to the use of SCCs, and implement appropriate safeguards to ensure that individual rights receive protection similar to that under the GDPR.
WHAT TO EXPECT IN 2021
2020 has laid the groundwork for a pipeline of developments on the privacy and data protection front. While we may see the scope and purpose of the PDP Bill broadened before it is tabled before the Parliament in 2021, we could also expect significant regulation on the economic and commercial usage of non-personal data, as well as ownership aspects. The PDP Bill may also be made available for discussion and stakeholder comments once the revised version is released. The position on data localization and cross border sharing of data is yet to be finalized, which is a policy decision that will impact most businesses operating in India. However, in the backdrop of the PDP Bill, we expect to continue to see industry-specific data policies and regulation by sectoral regulators, such as drone-related policies, which may give rise to new issues including cybersecurity and mandatory disclosure to the Government. It is also clear that the judiciary is more cognizant of privacy rights than ever before, which is a sign of strong data protection regulation ahead.
1 Available at LiveMint (Last accessed on December 29, 2020).
2 Available at IndiaTimes.com (Last accessed on December 29, 2020).
3 Available at ThePrint (Last accessed on December 29, 2020).
4 Available at India Government Online (Last accessed on December 29, 2020).
5 The NPD Committee report defines a ‘Data Business’ as any organization (Government or private organization) that collects, processes, stores, or otherwise manages data.
6 The NPD Committee report defines a ‘High-value Dataset’ as a dataset that is a public good and benefits the community at large.
7 Available at LiveMint.com (Last accessed on December 29, 2020).
8 Available at Niti.gov (Last accessed on December 29, 2020).
9 An Account Aggregator is defined by the RBI as a non-banking financial company that undertakes the business of an account aggregator, i.e. providing under a contract the service of retrieving or collecting such financial information pertaining to its customer as may be specified by banks from time to time, and consolidating, organizing and presenting such information to the customer or any other financial information user as may be specified by such banks. The RBI has notified directions for Account Aggregators, available online (Last accessed on December 29, 2020).
10 Available at NHA.gov (Last accessed on December 29, 2020).
11 Available at NHDM.gov (Last accessed on December 29, 2020).
12 Available at NHDM.gov (Last accessed on December 29, 2020).
13 Available at NHA.gov (Last accessed on December 29, 2020).
14 Available at Medianama.com (Last accessed on December 29, 2020).
15 Available at FinancialExpress.com (Last accessed on December 29, 2020).
16 Available at FinancialExpress.com (Last accessed on December 29, 2020).
17 Available here (Last accessed on December 29, 2020).
18 Motor Vehicles are covered under Item 35 – ‘Mechanically propelled vehicles including the principles on which taxes on such vehicles are to be levied’ of List III (Concurrent List) in the Seventh Schedule of the Constitution of India.
19 WP (C) 9498/2020.
20 BLAPL No. 4592 of 2020.
21 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C‑311/18) available at (Last accessed on December 29, 2020).