India, the biggest democracy in the world, has a population of over 1.3 billion people. This year, it was estimated that almost 48% of those 1.3 billion people are internet users. Nevertheless, India (currently) does not have a comprehensive privacy regime. However, on 27 July 2018, the Personal Data Protection Bill (“PDPB” or the “Bill”) was published, and it aims to completely overhaul data protection legislation in India. Before explaining the key proposals contained in the PDPB, it is important to understand the background to how this Bill came into being.
In 2016, the Government of India introduced the Aadhaar number, a 12-digit unique identity number based on the demographic and biometric data of Indian residents. The Aadhaar scheme is the biggest biometric data system in the world, and the Government of India proposed making it mandatory for access to government services and benefits. This aspect of the Aadhaar scheme was challenged in the Puttaswamy case in 2017, with retired High Court Judge Puttaswamy arguing that the scheme violated the individual’s right to privacy as it was too intrusive (he was trying to file his income tax return). The case was brought to the Supreme Court to determine whether the right to privacy was guaranteed as an independent fundamental right, following previous conflicting decisions from other Supreme Court benches. The nine-judge bench of the Supreme Court unanimously agreed that the Indian Constitution guarantees the right to privacy as an intrinsic part of the right to life and personal liberty under Article 21.
Recognising the need for a data protection law following the decision in the Puttaswamy case, the Government of India established the Srikrishna Committee, and the PDPB is the product of a year’s work. Like many other recent international data privacy laws, the PDPB closely resembles the GDPR. I have summarised the key proposals made by the PDPB below:
What is personal data?
The PDPB introduces new definitions of personal data and sensitive personal data. Personal data refers to any data on a natural person which allows direct or indirect identifiability. Like the GDPR’s, this is a wide definition; however, it does not expressly address the treatment of metadata and online identifiers such as IP addresses. Sensitive personal data includes (but is not limited to) data on an individual’s religious and political beliefs, caste, biometric data, official government identifiers and financial data (specifically financial status and credit history). A notable difference from the GDPR is that financial data is not sensitive data under the GDPR. Additionally, unlike under the GDPR, the PDPB enables the supervising authority to identify new categories of personal data as sensitive personal data.
Who will it apply to?
The PDPB applies to the processing of personal data by the State and state entities, and to Indian corporate entities and Indian citizens if they are located within India. Like the GDPR, it also applies to the processing of any personal data by entities located outside India if the personal data processed relates to any business or activity that involves offering goods or services to individuals located in India.
Rights of data subjects
The Bill provides some basic rights to data principals (the Bill’s term for data subjects). These include the right to access their data, the right to correction, the right to data portability and the right to be forgotten. It must be noted that the right to be forgotten is not equivalent to the right to erasure or deletion granted under the GDPR. Instead, it is a right to prevent or restrict disclosure of personal data by the data fiduciary (i.e. the data controller). The Bill does not provide the right to erasure or the right against automated decision-making and profiling, both of which are provided in the GDPR.
The Bill mandates a data fiduciary to notify the Data Protection Authority (“DPA”) (as soon as possible and no later than the period that will be specified by the DPA) of any personal data breach that is likely to cause harm to any data principal. Whether a breach is likely to cause harm is a subjective decision that the data fiduciary would need to make. The notification must include particulars of the nature of the data breached, the number of data principals affected, the consequences of the breach and the measures being taken to remedy it. The DPA will determine whether such a breach needs to be reported by the data fiduciary to the data principal. The DPA may also direct the data fiduciary to publish details of the breach on its website. This is a new development in India: under current legislation, there is no requirement to notify any authority of breaches of personal data.
Perhaps the biggest difference between the PDPB and the GDPR is the data localisation requirement under the former. Indian authorities are now generally more sensitive to, and conscious of, the need to maintain data residency and have taken steps to ensure data localisation within the PDPB. Data localisation requirements under the Bill differ depending on whether the data is personal data or critical personal data. The Bill requires at least one copy of personal data or sensitive personal data that is not defined as critical personal data to be stored in India. The Bill empowers the Central Government to define certain categories of data as critical personal data. Critical personal data may only be processed (and stored) on a server or data centre located in India. The data localisation restriction will have a significant impact on how businesses are structured, especially on organisations dependent on cloud-based services, as the accessibility and storage of data would be hindered.
As under the GDPR, personal data may only be transferred outside India if the data fiduciary meets one of the following criteria: (i) the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the DPA; (ii) the transfer is to a country, a sector in a country or an international organisation that the Central Government, in consultation with the DPA, deems permitted; (iii) the transfer is in a situation approved by the DPA (usually in a medical emergency context); and (iv) in addition to conditions (i) and (ii) above, the consent of the data principal has been obtained for the transfer of personal data, or the explicit consent of the data principal has been obtained for the transfer of sensitive personal data. As this requirement is similar to the GDPR, most multinational companies are already likely to be complying with it.
The PDPB sets out a detailed framework on the sanctions that would apply if the relevant legislation is not complied with. Sanctions range from monetary penalties to criminal sanctions. Interestingly, and similar to the GDPR, companies may be fined 4% of “total worldwide turnover” or up to INR 150,000,000 (whichever is greater) for violations such as breaching the PDPB’s provisions on cross-border transfers. This approach differs from other jurisdictions that have enacted data protection legislation following the GDPR. For example, the Brazilian General Data Protection Law (“LGPD”) imposes a fine of 2% of the company's, group's or conglomerate's turnover in Brazil in its last fiscal year, limited in total to R$ 50,000,000 per infraction.
Additionally, an individual may face imprisonment of up to 3 years or a fine of up to INR 300,000 (approximately $4,190) for obtaining, transferring and/or selling personal data or sensitive personal data in a way that causes significant harm to individuals. A similar penalty may be imposed on an individual who re-identifies de-identified data without the consent of the data fiduciary or data principal.
As may be noted from the above, the PDPB will establish comprehensive data privacy rules within India. Stakeholders will be particularly interested in (as well as surprised by) the maximum fine for breaching the PDPB being 4% of a company’s global turnover. Nevertheless, the Bill is currently only a draft, and there may be further consultation before the Bill passes through both houses of Parliament and receives the assent of the President of India. What can be said at this stage is that India has become serious about data protection. Very serious.