
Personal Data Protection Bill 2018: Will the Legislation Introduce a GDPR-esque Compliance Regime in India? Ushering in an era of extraterritorial data privacy compliance for global firms operating in India

By Akash Karmakar

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.


While earlier legislation dealing with personal data lacked deterrent penalties, with the introduction of the Personal Data Protection Bill 2018 (PDP Bill) companies doing business in or with India can scarcely afford to ignore the imminent paradigm shift in the Indian data privacy compliance framework.

Some of the significant concepts introduced by the PDP Bill include the right to be forgotten, data portability, restrictions on cross-border data transfers, carve-outs for anonymised data and journalistic purposes, and reporting requirements for personal data breaches. With the exception of data localisation, which is difficult to rationalise, the introduction of these concepts brings Indian data privacy law to par with contemporary requirements and establishes a genuine compliance regime for data privacy in India.

GDPR Modelled Concepts: It is apparent from a reading of the PDP Bill that swathes of concepts and cues have been borrowed from the European Union General Data Protection Regulation (GDPR). The GDPR concepts of "data controller" and "data subject" have been substituted with the adapted concepts of a data "fiduciary", which determines the purpose and means of processing of personal data, and a data "principal", being the individual to whom the personal data relates. While the use of the term fiduciary hints at a trust-based relationship, the PDP Bill is silent on whether the relationship between the data fiduciary and the data principal actually imposes fiduciary duties. The PDP Bill has also adopted the principle of extraterritorial applicability and, much like the GDPR, introduces turnover-based penalties for certain contraventions that can extend up to 4% of the total worldwide turnover of the entity in breach (or ₹15 crore, whichever is higher). While this is intended to serve as a deterrent, how turnover would be computed for functionaries of the state and non-profit organisations, which have no turnover in the commercial sense, remains unaddressed.

Attempts at Overhauling Existing Laws: Thus far, the collection, handling and disclosure of an individual's sensitive personal data or information has largely been governed by the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which consist of a mere eight provisions. These rules prescribed that consent must be provided in writing by letter, fax or email, which was woefully onerous given that it has become de rigueur for consent to be obtained through a clickwrap contract (i.e. by clicking an "I Agree" button to accept terms and conditions).

In an age where the manner of obtaining informed consent has assumed significance, the PDP Bill, which stipulates that explicit consent must be obtained, is silent on the manner in which it is to be obtained. This omission is conspicuous.

The PDP Bill has also broadened the definition of "sensitive personal data" to include genetic data, gender status, caste or tribe, religious or political belief or affiliation, and any other category of data specified by the Data Protection Authority of India (Central Authority). The delegation of the power to add further categories to this definition could be viewed as allowing flexibility, but equally as granting overarching discretion to an authority.

Reporting Data Breaches: The reporting requirement for data breaches appears to have been diluted, since reporting to the Central Authority appears to be mandatory only where the breach is likely to cause harm to a data principal. This leaves the data fiduciary some degree of discretion in interpreting what may constitute harm.

The provisions of the PDP Bill which grant discretion and delegate powers to authorities would certainly need to be examined more carefully, and the discretionary ambit would perhaps need to be narrowed to prevent abuse by delegated authorities. The breach-reporting provision is a case in point: the determination of whether a breach is likely to cause harm rests with the data fiduciary itself, which dilutes the stringency of the reporting requirement and grants an exploitable discretion that could fairly be called a lacuna.

Interestingly, in what appears to be an attempt to prevent opinions about individuals being passed off as facts, data fiduciaries are also required to keep personal data in a form that distinguishes personal data based on facts from personal data based on opinions or personal assessments.

Since this imposes the onerous task of segregating facts from opinions on all data fiduciaries, presumably to curb the dissemination of thinly veiled personal opinions as facts, it should ideally be limited to significant data fiduciaries.

Contentious Classification of Data Fiduciaries: The government had earlier hinted that it would want to regulate Facebook and WhatsApp, and to this end the PDP Bill appears to have introduced the concept of a "significant data fiduciary", which would be subject to more stringent compliance measures. The entities falling within this definition would be notified by the Central Authority if it is of the opinion that any processing activity undertaken by such a data fiduciary, or class of data fiduciaries, carries a risk of significant harm to data principals.

As with all legislation, objective criteria rather than discretionary authority would have gone a long way towards minimising litigation contesting classification as a "significant data fiduciary". For example, it would be hard to justify designating a messaging app using end-to-end encryption as a "significant data fiduciary" on the strength of message content alone, since the platform merely acts as a conduit and cannot intercept or read messages (though it should be noted that such a platform still processes metadata such as phone numbers, contact lists and timestamps, which is itself personal data). If such a classification were made, it would most likely be challenged.

Conflicting Exceptions for Security of State: While in one instance the PDP Bill provides that processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law and is in accordance with the procedure established by such law, it elsewhere confers upon the Central Government the power to issue to the Central Authority such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order.

Rather than set out objective parameters for what would justify an encroachment on privacy, the PDP Bill has squarely conferred upon the Central Government the sweeping discretion to direct the Central Authority, paving the path for arbitrary state action. The extensive discretion conferred by the legislature on the executive also appears contrary to the judgment of the Supreme Court in August 2017 in Justice K.S. Puttaswamy v. Union of India and Others, which assumed that the forthcoming data privacy law would conform to the principles set out in that judgment. It is also darkly reminiscent of Section 66A of the Information Technology Act, 2000, which was widely abused by the executive and finally struck down as unconstitutional by the Supreme Court in 2015.

Earlier this year, the Standing Committee on Information Technology invited suggestions from the public in general and from experts, professionals, organisations, associations and stakeholders interested in "citizens' data security and privacy". What remains to be seen is whether these suggestions, along with views from the public on redressing lacunae in the PDP Bill, will be considered and incorporated in the final legislation enacted by Parliament. Given the blizzard of criticism that the PDP Bill has drawn, justified or not, it is safe to say that the absence of a further consultative process could result in each ambiguous provision being fought out in the courtrooms, with the risk that case law once again eclipses legislated data privacy law.

Akash Karmakar

Partner, Law Offices of Panag & Babu

Akash Karmakar is a partner with the Law Offices of Panag & Babu and leads the firm's fintech and regulatory advisory practice. Akash has advised several technology, telecom and fintech companies on navigating regulatory challenges stemming from the intersection of law and technology. Through the course of his career, he has also assisted several multinational companies in structuring their entry into India, evaluating and addressing regulatory risks, and ensuring compliance with Indian privacy laws.
