1.1. In December 2019, the Indian Parliament referred the Personal Data Protection Bill, 2019 (“2019 Bill“) to a joint committee of the Parliament (“JPC”) for further consideration and to provide recommendations. This re-examination was triggered by various stakeholder comments received during the consultation process on the 2019 Bill, and the proposal of regulation of non-personal data under a separate law, by a committee of experts set up by the Ministry of Electronics and Information Technology. The JPC presented its report (“Report”) to the Parliament on December 16, 2021.
1.2. Under the Report, the JPC has provided: –
(a) specific recommendations on the 2019 Bill and the proposed data protection law, however, some concepts are not sufficiently described in the proposed legislation and may be introduced under the rules or under separate laws altogether; and
(b) a detailed mark-up on several provisions of the 2019 Bill.
1.3. One of the important recommendations is to regulate non-personal data within the purview of the 2019 Bill (which was restricted to personal data), which is why it has proposed for the bill to be re-named as the Data Protection Act, 2021 (“2021 Act”), having a broader scope of application.
1.4. Once enacted, the 2021 Act will replace the existing data protection framework under Section 43A of the Information Technology Act, 2000 (“IT Act”) and the rules framed thereunder, namely the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (“SPDI Rules”).
2. KEY RECOMMENDATIONS OF THE JPC REPORT
2.1. Regulation of social media platforms and intermediaries.
The Report talks about how the intermediary rules framed under the IT Act have been inadequate in regulating social media intermediaries, many of whom control the content accessible on their platforms. It further claims that social media intermediaries deploy AI to determine relevance of content for a particular user, or exercise control in enabling users to register on their platforms, all of which are activities that do not necessarily reflect an intermediary positioning. Given the nature of control exercised on their platforms, the JPC suggests that such intermediaries should instead be treated as publishers, and a mechanism should be developed to hold them responsible for the content hosted by unverified accounts on their platforms. Such intermediaries will be required to implement mandatory verification of user accounts, failing which the responsibility for the content will be affixed on them. Further, only social intermediaries with offices in India will be allowed to offer their platforms to Indian users. The JPC has added provisions under the 2021 Act that cover the above concepts. The JPC also recommends for a statutory media regulatory authority like the Press Council of India to be set up to regulate content hosted on the internet, in print or otherwise.
2.2. Special focus on intermediaries handling children’s data.
It had been suggested for all such intermediaries to mandatorily register themselves with the Data Protection Authority (“DPA”) and comply with incremental requirements. The JPC has suggested changes to the 2021 Act which require such intermediaries to develop a mechanism that enables a minor to confirm or deny consent to processing of his/her data upon attaining majority.
2.3. Develop an Indian counterpart to SWIFT systems.
The JPC has expressed concerns of foreign businesses, such as SWIFT, disclosing data of its users to foreign governments upon request, which if done for Indian users who are active users of such cross-border payment facilities, may compromise safety and protection of Indian users’ data. It has therefore been advised to work towards developing an Indian counterpart to the SWIFT system for handling of cross-border payment transactions.
2.4. Classify hardware manufacturers as data fiduciaries.
The JPC has suggested for hardware manufacturers who collect data along with the embedded software, to also be regulated as data fiduciaries, and the requirements in this regard will be proposed in the rules to be framed under the 2021 Act. They have advised for a formal certification process for all digital and IOT devices to be introduced, which will check whether the devices are able to maintain data security. Similar certifications will be developed for use of technologies that have the potential to train AI systems that collect and process large amounts of data and ensure that their technology is compliant with data protection standards prescribed under the 2021 Act. This appears to be a novel concept, untested in India or other jurisdictions.
3. KEY AMENDMENTS TO THE 2019 BILL PROPOSED UNDER THE JPC REPORT
The new data privacy regime contemplated under the 2021 Act seeks to regulate 2 datasets, i.e., personal data (“PD”), and non-personal data (“NPD”).
(a) The 2021 Act applies to: –
(i) processing of PD collected, stored, disclosed, shared or processed within India;
(ii) processing of PD by any person under Indian law, which includes processing of PD by individuals, companies, non-profit organisations, Government and its agencies etc.;
(iii) processing of PD by data fiduciaries located outside India in connection with any business carried out in India, any systematic activity of offering goods or services to data principals in India, or any activity that involves profiling of data principals in India; and
(iv) processing of NPD (which includes anonymized PD).
(b) Exemptions: Central Government may issue orders stating that the 2021 Act or some of its provisions will not apply to any agency of the Government, in interest of protecting sovereignty of India, security of state, public order, and similar grounds. The exemption may be subject to procedures, safeguards, and oversight mechanisms, as may be mandated upon such Government agency.
3.3. Categorisation of PD.
(a) The 2021 Act identifies the following categories of PD: –
(i) PD – PD includes data relating to a natural person, who is directly or indirectly identifiable, and also includes inferences drawn from such data for the purpose of profiling.
(ii) Sensitive personal data (“SPD”) – The scope of SPD has been expanded (in comparison with the SPDI Rules) and includes financial data, health data, official identifier (which includes Aadhaar number), sex life, genetic data, transgender status, intersex status, caste, or tribe, religious or political belief or affiliation etc.
(iii) Critical personal data (“CPD”) – The Central Government will notify what constitutes CPD.
(b) To clarify, SPD and CPD are sub-sets of PD.
♦What constitutes CPD is likely to be clarified under the rules or notification. All CPD will be subject to hard localisation requirements (details in this regard are provided at paragraph 3.5 below).
♦The JPC has separately recommended that India moves towards a complete hard localization for all PD, which they have clarified will be possible after: (a) setting up of the DPA; and (b) India has established the appropriate cloud infrastructure necessary to achieve this goal. Please refer to paragraph 3.5 below for summary of their other recommendation in this regard.
3.4. Notice and Differential Consent Requirements.
(a) Similar to the SPDI Rules, every data fiduciary is required to notify a data principal of all aspects relating to collection of PD, like purpose and basis of collection, nature of PD being collected, transfer (if any), etc.
(b) The 2021 Act proposes a differential approach to consent prior to processing of PD versus SPD.
(i) For processing of PD – Consent is required prior to commencement of processing. Such consent must be free, informed, specific, clear, and capable of being withdrawn.
(ii) For processing of SPD – “Explicit” consent is required. It appears that “explicit” consent requires that: –
A. consent can be obtained only after informing the data principal about the purpose of, or operation in processing, which is likely to cause significant harm to the data principal;
B. consent should not be ‘inferred’ from conduct or context; and
C. individual / separate consent for different categories of SPD should be obtained prior to processing.
(c) When is explicit consent required – Explicit consent is required for processing of SPD, cross-border transfer of SPD, and retaining of PD for longer than necessary. It has been clarified that provision of any service or good, or enjoyment of any legal right cannot be made conditional on consent for processing PD not necessary for that purpose or denied based on exercise of such choice.
(d) Employers are permitted to process PD for specified use cases, without seeking consent.
♦ Consent (either express or explicit) will be the norm for all data fiduciaries, save for limited exceptions that may be granted for emergency medical or disaster prevention situations, for performance of State functions authorized by law, for compliance with any judgment or order of any court or tribunal, or if processing is deemed necessary for a notified ‘reasonable purpose’.
♦ The DPA can prescribe good practice codes which will govern how notice can be provided and how consent can be obtained.
3.5. Cross-Border Data Transfer
(a) PD (not being SPD or CPD) – The 2021 Act does not impose any restrictions on transfer of PD (not being SPD or CPD) outside India.
(b) SPD – SPD is also permitted to be transferred outside India, subject to the following conditions: –
(i) Copy in India – A copy of the SPD should be stored in India;
(ii) Explicit consent – Explicit consent of the data principal is required for cross border transfer of SPD for processing; and
(iii) Additional conditions – One of the following 3 conditions needs to be satisfied: –
A. Transfer basis an approved contract or intra-group scheme – Transfer of SPD should be made under a contract / intra-group scheme approved by the DPA, in consultation with Central Government. The Government will assess if the contract holds the data fiduciary responsible for breach of transfer conditions, or if it grants appropriate protection to the data principal’s rights in case of any re-transfer;
B. Transfer basis adequacy principle – Central Government may identify countries / entities to whom SPD may be transferred. Such lists will be based on principle of data protection adequacy (like under EU-GDPR), or an assurance that the SPD will not be shared with any foreign government unless approved by the Central Government; or
C. Transfer for an approved purpose – DPA, in consultation with Central Government, may allow SPD to be transferred for specific purposes.
(c) CPD – CPD cannot be transferred outside India and can only be processed in India. Very limited exceptions have been identified in the 2021 Act, i.e., in cases of health emergency, or if made to a country/entity where Central Government has deemed the transfer as permissible.
♦ It is unclear if the DPA will accept intra-group scheme drafts governing data transfers from the data fiduciaries, or it will prescribe formats of its own which will automatically apply across sector or business activities. It is possible that this may be clarified under the codes of practice to be issued by the DPA.
♦ Certain international legislations, like the US Cloud Act mandate US-based companies to share information with US regulators in specified events. These data disclosure requests if received by foreign-based data fiduciaries in respect of Indian user data, will now require prior engagement with the Central Government/DPA as well.
♦ Which all jurisdictions will be granted ‘adequacy’ status for transfer of SPD? From public news reports, India has been under discussions with the EU for grant of data adequacy status for purposes of EU-GDPR, which, if successful, could be an indicator of countries that will have data equivalence with India in the future.
3.6. Data Principal Rights. The 2021 Act expressly recognises certain rights of data principals, such as: –
(a) Right to confirmation, which includes the right to receive from the data fiduciary a brief summary of the PD being processed;
(b) Right to correction, completion and updation of PD;
(c) Right to receive its own PD, which: (i) the data fiduciary has received directly from such data principal, (ii) the data fiduciary has generated while providing goods or services, or (iii) the data fiduciary has obtained from any third party;
(d) Right of portability of PD from one data fiduciary to another; however, this right will not be available in limited circumstances including where such transfer is not technically feasible;
(e) Right to be forgotten, which can be exercised by filing an application with the DPA; and
(f) Right to receive compensation, in case of breach of provisions of the 2021 Act by the data fiduciary.
3.7. The DPA.
(a) The 2021 Act contemplates establishment of a DPA that will be responsible for its enforcement and effective implementation.
(b) In addition to having a head office, the DPA will have offices across India. It has the power to issue directions, and initiate inquiries into alleged violations of the 2021 Act through its inquiry officers, wherein it shall have the power to ask for submission of books, records, documents, and data pertaining to the affairs of the data fiduciary.
(c) A data fiduciary’s contact with the DPA is likely to be in following areas: –
(i) obtain certification of its privacy by design policy;
(ii) comply with good practice codes of data protection issued by the DPA for areas such as privacy notice, obtaining consent, security standards to be implemented, etc.;
(iii) any complaint that may be received from data principals against the data fiduciary;
(iv) cross border transfer of SPD, since a data fiduciary can transfer SPD overseas, subject to prior approval of intra-group scheme or contract governing such transfer by the DPA in consultation with the Central Government, or if the transfer is to a jurisdiction approved by the Central Government in consultation with the DPA;
(v) DPA may specify criteria for assigning data trust score to significant data fiduciaries and authorize data auditors for such purpose (details on significant data fiduciaries are provided at paragraph 3.8 below);
(vi) notify the DPA of any data breach, and comply with rectification measures as may be prescribed;
(vii) obtain registration from the DPA, if it is classified as a significant data fiduciary;
(viii) if a data fiduciary is undertaking processing activities which, in the DPA’s assessment, may cause harm to a data principal, such data fiduciary may be mandated to appoint an auditor and conduct an audit into its activities;
(ix) submission of data impact assessments that are required to be undertaken by significant data fiduciaries;
(x) DPA may create a sandbox and engage with data fiduciaries for testing of new products and services for a limited time; and
(xi) DPA may monitor, test, or certify the integrity of hardware and software on computing devices to prevent malicious insertions that may cause data breach.
♦ There are extensive touch points for a data fiduciary with the DPA. In case of violation, the DPA has been granted extensive powers to take suo moto action, initiate inquiries, order for seizure of records, and award penalty.
♦ Many aspects such as codes of practice, intra-group transfers, trust scores, maintenance of security standards, and other compliances will be notified, by way of rules, regulations, and codes to be framed by the government or the DPA.
3.8. Significant Data Fiduciaries.
(a) The 2021 Act empowers DPA to categorise data fiduciaries as “significant data fiduciaries“, based on the volume and sensitivity of PD processed, turnover of the data fiduciary, etc.
(b) Significant data fiduciaries are required to register themselves with the DPA to process PD.
(c) Some of the key obligations of significant data fiduciaries include: –
(i) Data Protection Officer (“DPO”) – Significant data fiduciaries need to appoint a DPO. The DPO needs to be key managerial personnel (which could include chief executive officer, company secretary, whole-time director, chief financial officer, or such other person as may be prescribed), who is based in India.
(ii) Data Audits – They must conduct an annual data audit by independent data auditors for processing of PD and submit these audit reports to DPA.
(iii) Data Protection Impact Assessment (“DPIA”) – Significant data fiduciaries using new technologies or undertaking any large-scale profiling or use of SPD such as genetic data or biometric data need to perform DPIA before commencement of data processing. The findings of the DPIA are required to be submitted to the DPA, who may provide directions to amend aspects of the proposed processing or closure of the data processing altogether.
(iv) Record retention – Significant data fiduciaries need to maintain records (such as important operation in data life cycle, DPIA undertaken etc.), in the manner and period to be prescribed under the regulations.
(d) Social media platforms may also be classified as significant data fiduciaries, depending on factors such as – user threshold prescribed by DPA, and if its actions are likely to have significant impact on the sovereignty and integrity of India, electoral democracy, security of state and public order. Additionally, social media platforms notified as a significant data fiduciary must enable its users to voluntarily verify their accounts. Once these users are verified, their accounts should be provided a visible mark of identification.
(e) The data fiduciaries who process children’s PD or provide services to children are likely to be classified as significant data fiduciaries.
♦ Significant data fiduciaries will have incremental compliances under the 2021 Act, many of which will be refined under the rules.
♦ In addition to such compliances, social media intermediaries will additionally be required to offer user verification option on their platforms. While the JPC Report has recommended mandatory verification failing which the social media intermediary will be responsible for the content posted on their platforms, this outcome will also require an update to the recently notified rules governing intermediaries, as framed under the IT Act.
3.9. Processing of children data
(a) Children data (anyone below 18 years of age) can be processed subject to prior age verification and consent of the parent/guardian.
(b) It is expressly prohibited to carry out any profiling, tracking, behavioural monitoring of, or targeted advertising directed at children and undertake any kind of processing of children data that can cause significant harm to a child. ‘Harm’ as a concept is broadly defined and includes psychological manipulation that impacts autonomy of a data principal, or any restriction placed directly or indirectly on speech, movement or other action for fear of being observed or monitored, denial or withdrawal of any service or benefit resulting from an evaluative decision about the data principal, to name a few.
(c) Any data fiduciary that processes children’s PD or provides them services is likely to automatically qualify as a significant data fiduciary and be subject to incremental compliances.
3.10. Data Breach.
(a) Breach of PD
(i) Data fiduciaries must report instances of breach of any PD processed by it to the DPA, in the prescribed format, within 72 hours of being aware of such breach.
(ii) DPA may require details of the data breach to be reported to the data principals and to be posted on the website of the data fiduciary.
(b) Breach of NPD
(i) Clarity is needed if breaches relating to NPD also need to be reported.
(ii) In case of breach of NPD, the DPA may take such steps as may be prescribed.
3.11. Penalties and Offences.
(a) For data fiduciaries in the private sector – Depending upon the nature of contravention by data fiduciaries (such as violation of provisions governing processing of PD, SPD, failure to maintain security standards, etc.), the 2021 Act prescribes penalties up to INR 15 crores or 4% of the total worldwide turnover of the preceding financial year, whichever is higher. More details in relation to the penalties that may be imposed may emanate from the rules to be issued under the 2021 Act.
(b) For data processors in the private sector – A penalty of up to INR 5,000 for each day and a maximum of INR 50 lakhs may be imposed on a data processor, if it has not adhered to any directions, orders, cease and desist directions that may be issued by the DPA for violation of the 2021 Act.
(c) For Government entities – Depending on the nature of contravention, penalty for breach of 2021 Act cannot exceed INR 15 crores.
(d) Compensation – Data principals are entitled to receive compensation if they suffer harm due to violation of the statutory provisions by the data fiduciary or the data processor. These proceedings will be adjudicated by the adjudicating officers appointed by the DPA, who will consider the following factors to determine quantum of compensation – nature and duration of violation, extent of harm caused, whether the violation was intentional or negligent, action taken to mitigate the damage etc.
(e) Other non-compliances –
(i) Penalties – The 2021 Act also stipulates penalties for other non-compliances such as failure to submit any report or information mandated under the 2021 Act, failure to protect rights of data principals etc.
(ii) Offences – Imprisonment or fine may be imposed on persons who knowingly or intentionally re-identify PD that has been de-identified by a data fiduciary or a data processor, without their consent.
3.12. Regulation of NPD.
(a) The 2021 Act seeks to regulate NPD as well (which includes anonymized PD) in the form of regulations to be issued by the DPA, however, no specific provisions have been suggested under the 2021 Act at this stage.
(b) The Central Government may: –
(i) prescribe policies for handling of NPD; and
(ii) in consultation with DPA, direct data fiduciaries and data processors to provide any anonymised or other NPD, to enable better targeted delivery of services or formulation of evidence-based policies.
♦ The JPC has not opined on issues pertaining to regulation of NPD, some of which were outlined in the report of the committee of experts on governance framework for NPD issued in July 2020 and updated in December 2020. It remains to be seen to what extent private sector NPD will be sought to be monetized for the benefit of State functions, or start-up sector, which was originally proposed under said report. The JPC has suggested for NPD to be regulated by way of rules to be framed by the DPA, once it is set up.
♦ The DPA will prescribe its codes of practice applicable to anonymization of NPD.
♦ Given the JPC’s recommendation that the rules governing NPD will be framed separately, more clarity regarding reporting of NPD breach, and consequences is likely to emerge later.
The JPC has recommended that approximately 24 months be provided for the 2021 Act to fully come into force, and for certain provisions such as setting up of DPA, registration of data fiduciaries to come into force earlier, i.e., within 3-9 months of date of notification of the 2021 Act and setting-up and functioning of the appellate tribunals within 12 months of date of notification of the 2021 Act). However, the 2021 Act does not specifically state when it will come into force. It simply states that different provisions may come into effect on different dates.
♦ It is likely that a transition period will be provided to data fiduciaries and related parties to be adequately prepared.
♦ The JPC has recommended for detailed stakeholder consultation to be conducted for notification of provisions relating to technical, organisational, and managerial aspects.