Data Protection Bill, 2018
The Supreme Court (SC) in August 2017 ruled that privacy is a fundamental right because it is intrinsic to the right to life.
"Right to Privacy is an integral part of Right to Life and Personal Liberty guaranteed in Article 21 of the Constitution," the SC's nine-judge bench ruled unanimously.
It added that the right to privacy is intrinsic to the entire fundamental rights chapter of the Constitution. It was only after the SC's ruling that concerns relating to the protection of personal data grew. The Government of India then appointed B.N. Srikrishna (retired judge of the SC) to head a committee to make recommendations on how personal data can be protected. The committee submitted its report in July 2018.
After the Justice B.N. Srikrishna Committee submitted the draft data protection bill in July last year, the Ministry of Electronics and IT (MeitY) opened another round of public consultation, which attracted almost 600 sets of feedback, including from the US government.
The Ministry of Electronics and IT has sent the draft of the bill to the law ministry for vetting after making a few changes. The law ministry has sought more time to study the bill and give its feedback. Thus, it can now only be introduced in Parliament after the General Elections, in the monsoon session.
The Draft Bill mandates several obligations, such as:
Collection and purpose limitation: The collection and processing of personal data should only be for purposes that are clear, specific, and lawful.
Notice: Clear notice must be provided at the time of collection of personal data. The notice should specify details such as the purpose of processing, categories of personal data being collected, etc. The notice must also mention the individuals or entities with whom personal data will be shared. Significantly, the Draft Bill also mandates that such information should be provided in a manner that is easily comprehensible and in multiple languages, where necessary and practicable. Obligations such as these will certainly increase compliance cost and effort requirements.
Data quality: Reasonable steps are required to be taken to ensure that the personal data processed is complete, accurate, not misleading, and updated. Therefore, strong data management practices, along with a continuous review of personal data stored by entities, will have to be undertaken.
Storage limitation: Personal data should be retained only as long as may be reasonably necessary to satisfy the purpose of processing. Again, entities need to develop robust data management and review practices to meet such obligations.
The localisation of personal data: At least one serving copy of personal data is required to be stored on a server or data centre located in India. Further, the Central Government may notify certain critical personal data which is mandatorily required to be processed in a server or data centre located in India. The requirements of data localisation are expected to increase costs for retaining personal data on Indian servers.
Security safeguards: Security safeguards are required to be implemented and periodically reviewed considering the nature, scope, and purpose of processing of personal data. Some of the measures prescribed include de-identification and encryption and steps for preventing misuse and unauthorized access to personal data. Entities would, therefore, need to invest in their IT systems and teams to ensure these obligations are met.
Personal data breach notification: Notification to the Authority is required to be made where a breach of personal data is likely to cause harm to persons whose personal data is breached. The Authority may direct that a notification is made to the affected persons, and also to publish details of the breach on the concerned organisation’s website.
Additional obligations: Data fiduciaries (akin to data controllers) may be designated as ‘significant data fiduciaries’ by the Authority based on certain parameters such as the volume of personal data processed, the sensitivity of personal data processed, etc. These entities will have additional obligations such as the appointment of a data protection officer, conducting data audits, etc.
The Draft Bill is all set to increase the compliance burden of businesses. Entities would have to invest adequately to upgrade their data protection practices and procedures. Moreover, time and effort will have to be expended to build organisational capabilities on this front. However, if the measures of compliance are initiated today in a systematic manner, it will eventually turn out to be a worthwhile investment and a real business differentiator in the long run.
Principles relating to Data Protection Bill
- Technology agnosticism: The law must be technology agnostic. It must be flexible enough to take into account changing technologies and standards of compliance.
- Holistic application: The law must apply to both private sector entities and the government.
- Informed consent: Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful.
- Data minimisation: Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.
- Controller accountability: The data controller shall be held accountable for any processing of data, whether by itself or by entities with whom it may have shared the data for processing.
- Structured enforcement: Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity.
- Deterrent penalties: Penalties on wrongful processing of data must be adequate to ensure deterrence.
Concepts forming the basis of the Data Protection Bill
1) Consent:
Consent has been globally recognised as an effective means of processing personal data, as data subjects use it to allow or deny organisations the right to process their personal data. While the framework recognises consent as one of the grounds for the collection and use of personal data, it also puts forth the following views, which are currently under discussion:
- Consent should be freely given, informed and specific to the purpose of processing.
- All transactions do not warrant the same standards of consent.
- The validity of consent needs to be carefully determined.
2) Other grounds for processing:
Although the paper recognises consent as a very important part of data processing activities, it acknowledges the need for other legally recognised grounds to permit the processing of personal data. The paper recognises contractual necessity, compliance with legal obligations, and situations of medical emergency as grounds to permit personal data processing. It also considers other grounds adopted by the GDPR such as:
- Public interest;
- Vital interest;
- Legitimate interest; and
- Other residuary grounds of interest.
3) Globalisation vs localisation:
Under data localisation, entities are required to store and process personal data on servers physically present within their national boundaries. Although this approach helps address concerns over data privacy, security, surveillance and law enforcement, it increases the burden on businesses by way of increased cost of compliance, and may also impact the building blocks of the economy, which rely on data exchange. The paper aims to take a call on data localisation after considering a cost-benefit analysis between the enforcement benefits arrived at from data localisation and the costs involved pursuant to such requirements.
Implications of the Data Protection Bill for Internet Giants
Global internet giants and social-media companies such as Facebook, Google, Uber and Amazon will not be able to transfer and process sensitive personal data of Indians across borders. This mandate prohibits the cross-border movement of information such as passwords, financial and health data, caste, religious and political beliefs, and sexual status and orientation.
This provision is likely to create discomfort for global internet giants, many of which have termed such provisions anti-internet or impractical. IT giants have argued that they should have the right to store data on servers across the globe, adding that the new law mandating local storage increases costs while being detrimental to their overall business interests.