The Lok Sabha passed the much-awaited bill on the personal data protection which was thoroughly examined by a joint committee before being passed in Parliament. The bill aims to protect the personal data of an individual, and establishes a Data Protection Authority for the same. Whereas the fundamental rights of the citizen i.e right to privacy are essentially being protected creating a collective culture that fosters free and fair digital economy.
Preventing the misuse of personal data and to protect the interests of data principals and ensure compliance with the act
Exemption for processing data without individual consent for a reasonable purpose
Promotes concepts of consent, storage limitation and data minimization.
Obligations on agencies collecting personal data(data fiduciary) and to collect only that data which is required for a purpose and with the consent of the individual(data principal).
The “rights of grievance” to the individual to complaint against data fiduciary.
This includes security of the state, detection of any unlawful activity or fraud, whistle-blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
The Bill calls for the creation of an independent regulator DPA, which will oversee assessments and audits and definition making.
Each company will have a Data Protection Officer (DPO) who will cooperate with the DPA for auditing, grievance redressal, recording maintenance and more.
The bill governs the processing of personal data by:
II. Companies incorporated in India
III. Foreign companies dealing with the personal data of individuals in India.
The bill categorizes the data for processing in the following ways:
A. “Personal data”: any data about or relating to a natural person who is directly or indirectly identifiable having regard to any attributes or characteristics of such person (online or offline) and includes any inference drawn from such data for the purposes of profiling.
B. “Sensitive personal data”: a subset of personal data which may reveal, related to or constitute financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation. Additionally, the Central Government in consultation with the DPA and the sectoral regulators, notify other categories of personal data as sensitive personal data.
C. “Critical personal data”: a subset of personal data and will include such categories of personal data as may be notified by the Central Government.
PERSONAL DATA AND SENSITIVE PERSONAL DATA OF CHILDREN
Processing of personal data and sensitive personal data of children.
(1) Data fiduciary should process personal data of a child in such a manner that protects the rights of and is in the best interests of the child.
(2) Before processing any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations.
(5) The guardian data fiduciary shall be barred from profiling, tracking or behavioural monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child.
Restriction on the retention of personal data. The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing. The personal data may be retained for a longer period if explicitly consented to by the data principal, or necessary to comply with any obligation under any law for the time being in force. The data fiduciary shall undertake a periodic review to determine whether it is necessary to retain the personal data in its possession.
• Evidence of Compliance: The Draft Bill proposed requiring that Data Fiduciaries demonstrate that all processing of Personal Data by them was in compliance with its provisions. This broad requirement has been done away with but has been retained for demonstrating consent.
• Recommended Exception for Search Engines: A potential “reasonable purpose” which will permit processing of data has been included for the operation of search engines. This was a change sought by multiple stakeholders.
• Sectoral Regulator: The role of the sectoral regulator has been strengthened requiring their inputs for codes of practice, and requiring consultation with them before notifying categories of Sensitive Personal Data. This will likely mean that existing categories of sensitive personal data such as payment data and policyholder data will be defined as Sensitive Personal Data.
• Right to correction and erasure: A direct right to seek the erasure of irrelevant Personal Data has been included. Data Principals now have the ability to require such erasure directly, rather than after adjudication. This may require more robust erasure mechanisms to be put in place. The previous mechanism restricting or preventing the continuing disclosure of the personal data by a data fiduciary after adjudication has still been retained with modifications.
• Social Media Intermediaries: Social Media Intermediaries as a new and separate category of Data Fiduciaries. These are entities which primarily or solely connect users enabling them to create, modify, upload, share, disseminate or access information. Search engines, e-commerce entities, internet service providers, email and storage services, and online encyclopedias are expressly excluded from this definition Social Media Intermediaries which have more than a specified number of users, and whose actions are likely to impact electoral democracy, security of the state, public order, sovereignty or integrity of India will be notified by the Central Government as Significant Data Fiduciaries. All such notified Social Media Intermediaries are required to enable users who register for, or use, their services from India to voluntarily verify their accounts, and thereafter mark verified accounts with a specified mark which will be visible to all users.
• Localization and Cross Border Data Transfers: The data localization requirement, which formed the basis for much of the discussion and the debate around the Draft Bill has been narrowed substantially:
• No requirement of localization (or indeed transfer restrictions) will apply for Personal Data;
• A requirement remains to store Sensitive Personal Data in India but such data may be transferred outside India for processing. The ambiguous concept of “serving copy” has been done away with;
• Critical Personal Information may be processed only in India. Some exceptions to transferring critical personal data outside India have been specified.
Further clarity has been provided on the contents of contracts or intra-group schemes for the transfer and processing of sensitive personal data outside India. A higher threshold (explicit consent) has been specified for transferring sensitive personal data outside India.
• Regulatory Sandbox: A provisions for a regulatory sandbox between twelve and thirty-six months in duration has been created to encourage the development of new technologies in the nature of artificial intelligence and machine learning, pursuant to which entities will be exempted from purpose, storage and consent requirements under the Bill.
• Selection Committee: Several changes have been made in relation to the composition of the selection committee which is tasked with recommending the members of the Authority.
• Authority: The Authority will, to the extent possible, be allowed to express its views before the Central Government prior to the Central Government prescribing any directions or questions of policy in relation to the Authority’s exercise of its powers or the performance of its functions. Further, the Authority has been obligated to publish its annual report which will provide a summary of the activities of the Authority in the relevant year.
• Data Sharing with the Government: Data Processors or Data Fiduciaries to provide it with anonymity Personal Data, or other non-personal information (which was expressly excluded from the scope of the Draft Bill) to enable the targeting or delivery of services, or the formulation of evidence-based policies. The provision does not provide for any form of compensation or remuneration for such data. It also reaffirms the right of the Central Government to formulate policies for the digital economy to the extent that such policies do not govern personal data. This is particularly relevant in view of the proposed E-Commerce Policy.
On the one hand, certain changes made to the Draft Bill may prove to business-friendly by providing for increased certainty, on the other hand, other changes detailed above (e.g. the deletion of the implementation timeline, requirement to share anonymized and non-personal data with the Government, obligations relating to social media verification, etc.) may prove to be a source of concern.
The popular teahouse chain Chaayos has been in the news recently for using facial recognition technology (‘FRT’) at a number of its stores in Delhi and Bangalore. Chaayos uses this technology to create profiles of its customers. These profiles are then used to “remember” them on subsequent visits, enabling repeat orders and efficient payment.
It has been reported that Chaayos does not display any information about the use of the personal data (that is, the image) collected by the system, that there was no opt-out option presented to customers, and that there was no obvious way of deleting one’s data from the system. With the tabling of the Personal Data Protection Bill, 2019 (‘Bill’), in Parliament, the use of FRT may soon be regulated.