Setting up the Context
After over two years of deliberation, the Joint Parliamentary Committee gave its report to the Parliament of India on the Personal Data Protection Bill 2019 on 16 December 2021. The Committee also presented a revised Data Protection Bill 2021 (DP Bill). Although presently, there persists dearth vis-à-vis dedicated legislation on a sector-neutral basis, Information Technology Act 2000 and the Information Technology (Reasonable security practises and procedures and sensitive personal data or information) Rules 2011 regulate data privacy and protection in India today.
Since the Hon’ble Supreme Court of India’s decision in Justice K. S. Puttaswamy vs Union of India & Ors. established privacy as a fundamental right, civil society and corporate organizations have been anticipating comprehensive data protection laws. As seen in Budget 2022, India needs a comprehensive data protection law to harness the expansion of the digital economy. India’s digital environment has changed drastically in recent years, and sectoral regulators have issued several recommendations, laws, and regulations to protect data and consumer interests. However, this multitude of regulations and rules without synergy would produce confusion, repetition, over-regulation, and compliance burden. Alongside, vague interpretations of these rules risk suboptimal norm-setting, regulatory arbitrage, and discretionary law enforcement. Thus, data harmonization and mutual coordination between various ministries and sectoral regulations must be addressed to circumvent the prevalent impasse.
Extant Jurisprudence vis-à-vis Data Protection Bill
India is neither a signatory to any convention pertaining to personal data protection, which is equivalent to the GDPR or Data Protection Directive, nor has it enacted any specific legislation in this regard. However, there are various provisions under Information Technology (Amendment) Act [IT Act], 2008, such as Sections 43A (compensation for failure to secure data) and 72A (Punishment for disclosure of information knowingly and intentionally). of the Information Technology (Amendment) Act, 2008 which mandate data protection and privacy. Subsequently, Indian Central Government issued IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under Section 43A of the IT Act. The said rules have imposed additional requirements on commercial and corporate enterprises relating to collecting and disclosing sensitive data or information, which resonates with the GDPR and the Data Protection Directive. The DP Bill 2021 will repeal Section 43A of the IT Act, but other data protection and privacy measures will remain, which may lead to regulatory arbitrage. Currently, entities that fall under the definition of ‘intermediary’ come within the IT Act’s purview; however, with The DP Bill, the same will be classified as data fiduciaries (in most situations) as well, mandating them to follow different criteria. While all data fiduciaries are not intermediaries, wherever there is overlap, the same must be smoothened. Further, In February 2021, the Central Government notified IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which contradicts paramount DP Bill’s Clauses such as Clause 20 (Right to be Forgotten), Clause 22 (Privacy by Design), etc.
The convergences and divergences between current and soon-to-be-effectuated jurisprudence are described in the succeeding sections.
National Supervisory Authority
India lacks a comprehensive sectoral regulator vis-à-vis data protection regime. Currently, the Ministry of Electronics and Information Technology administers and issues IT Act guidelines, whereas the DP Bill proposes the Data Protection Authority of India. It would be India’s first comprehensive data protection regulator.
Scope of Application
The IT Act applies to persons outside India only when the crime is committed using the network system found in India. The DP Bill, however, would apply to anyone outside India if they are undertaking (i) business, (ii) provision of goods or services, or (iii) profiling in India. Further, Section 3(28) of the DP Bill covers electronic and manual records, unlike the IT Rules, which cover only the former. Compared to IT Rules, 2011, DP Bill derogations are intensive, as public order, state security, and sovereignty are not covered in the former. The sole derogations under IT Rules are the availability of information in public or access to it through the Right to Information, in which case no prior authorization is required because the information is not classified as Sensitive Personal Data or Information under Clause 3 of the IT Rules, 2011.
Sensitive Personal Data
Sensitive data includes passwords, financial information like credit cards, sexual orientation, medical records, biometric information, and passwords; however, the proviso excludes data available in public or through RTI. RBI occasionally discusses customer record confidentiality and privacy as well. In the Master Direction about the Issuance and Conduct Directions of Credit and Debit Cards, Clause 13 (f) and (g) discussed the need to protect customer financial information and adopt appropriate safety measures. The Bill has a similar definition but includes caste, ethnic, religious, and political data.
Unless done under contract where services are provided indirectly, the collection of sensitive personal data or information requires (i) explicit prior consent with an option to withdraw; (ii) lawful and necessary collection for the activity in question; (iii) retention only with adequate safety/security measures; and (iv) clear information about the purpose, nature, and details of the data collected. Furthermore, such data (i) cannot be published; (ii) cannot be provided to third parties without prior consent, with the condition that they cannot share further and must be in a nation with suitable security measures. However, data could be shared if mandated by law or agreed upon by contract. The Bill proposes similar stringent conditions for processing Sensitive Personal Data.
Cross-Border Transfer and Storage of Data (Data Localization)
IT Rules allow a corporation to transmit data overseas if (1) suitable security measures are in place, (2) necessary to perform a valid contract, or (3) the data subject consents for such transfer. However, overseas transfers do not require intimation to authorities. RBI’s Master Circular on ‘Storage of Payment System Data’ requires all financial data to be stored in India, except for data related to foreign legs of transactions, which could be stored outside. Likewise, according to Clause (5) of the following 2019 FAQs, payment processing can be done outside India in case data is stored in India within 24 hours. The Bill, however, adds conditions to consent and storage in India. The transfer is allowed only when (i) the contract provides for it with proper arrangements for security and liability in contravention, alongside consultation with the Central Government, and (ii) government approves it with adequate safety precautions. The transfer must also comply with public and state policy, and if data is transferred/stored outside India, the authority must be duly informed.
Consequences of Contravention
Section 72A of the IT Act allows for monetary fines up to Rs 500, 000, and punitive fines include imprisonment for up to three years for disclosing personal information if same is in breach of contract and consent. The Bill’s Section 57(1), however, proposes a monetary fine of up to Rs Five Crores or two per cent of a company’s worldwide revenue, whichever is higher, and up to three years in prison for re-identifying data without prior consent.
Further, compensatory measures are also included. Section 43A of the IT Act compensates for persistent carelessness in implementing and maintaining acceptable security methods and procedures to protect sensitive personal data. Similarly, Sections 64 and 65 of the Bill pave avenues for compensation from data fiduciaries and principals if they violate DP Bill provisions.
Analysis and Way Ahead
Eliminating overlapping and conflicting scopes and aligning them with a single data protection framework enforced in a coordinated manner is the first step to harmonization. The government should appoint a committee with the legislature and judicial representation to monitor this process and create broad action points for each regulator and policymaker based on their region. The Committee shall divide action points based on amendment needs into short-term and long-term. According to the nature of the amendment requirements. For instance, amending legislation would take more time than guidelines, rules etc.
Effective enforcement of the unified data protection framework is the second step in smoothening. The same would require high-level coordination among regulators and policymakers as while Clause 50(2) & Clause 56 talk about coordination between functioning regulators and governments, and Chapter 5(3) of the Draft Non-Personal Data Governance Framework talks about harmonization between the NPD regulations and PDP Bill (now DP Bill) through amending provisions; nonetheless, some of the legislation and data sharing & transfer framework policy including the DP Bill, 2021 stand disjunct and unclear. Thus, like the European Data Protection Board, the Indian government, legislature, and court should establish a Data Protection Board to implement the Data Protection Framework. An independent organization would have to ensure universal data protection, and the Board should include regulators, policymakers, and judges to be as representative as possible.
Lastly, the impugned Board’s lack of technical expertise can also be addressed by forming an external technical expert council, which would advise the Board, whenever necessary, on topics that require technical knowledge. The said council would also be obligated to confer with other stakeholders in a deliberative process. A similar expert council system is currently implemented in Brazil, which has a similar position to India vis-à-vis the multiplicity of digital laws.