Draft Personal Data Protection Bill, 2018: what are the practical concerns?

The draft Personal Data Protection Bill, 2018 (“Bill”) raises many concerns for businesses – start-ups and established companies alike. Companies will be required to revamp several of their operational practices once the Bill becomes an enforceable law. This post provides an overview of some of the practical concerns raised by the Bill to give a sense of how it may affect businesses.

1. Who will the Bill affect?

The Bill applies to: (i) Indian companies; (ii) companies that process data in India; and (iii) companies outside India that process data in connection with a business in India, any systematic activity of offering goods or services in India, or any activity that involves profiling of Indian residents.[1] Therefore, even businesses outside India can be covered by this Bill.

2. How will the Bill affect businesses? 

Operationalising the privacy framework under the Bill will require companies to make significant changes to their data collection and processing practices. For example, companies will now need to take fresh consent from their users as per the detailed consent requirements under the Bill.[2] Fintech and other companies will need to adopt higher security safeguards since a wide range of data is considered sensitive personal data (see Question 4).

3. Will companies need to change the manner in which they obtain user consent for data collection and processing? 

Companies will need to acquire the consent of their users in order to process their personal data.[3] In order to be considered valid, consent needs to be free, informed, specific, capable of being withdrawn and indicated through affirmative action (so “pre-checked” consent boxes can no longer be used).[4]

While seeking user consent, companies will have to provide users with detailed notices (on the basis of requirements under Section 8 of the Bill) at the time of collection of data. Additionally, companies cannot make the provision of any goods/services or their quality conditional on consent. Thus, access to websites or user registration cannot be conditional on consent, unless the data to be collected is necessary for the provision of such services.

4. Should companies be concerned by the classification of sensitive personal data under the Bill? 

All passwords, financial data, health data, biometric data, genetic data, and data indicating religious or political beliefs, sexual orientation or caste/tribe status are considered sensitive personal data under the Bill.[5] Companies collecting or using sensitive personal data will need to take users’ “explicit consent” in order to process that data, meaning that they will have to inform users of the consequences of processing their data in addition to the regular notice and consent requirements.[6]

This can have impractical effects for the everyday use of publicly available information, such as surnames that reveal caste/tribe status or statements reflecting political or religious opinions posted online. It appears that companies will need users’ explicit consent for the collection and use of even this freely available data.

5. Are there any restrictions on the amount of data that can be collected by companies?

Companies can only collect personal data for purposes that are clear, specific, lawful and communicated in advance.[7] Additionally, they must only collect data that is necessary for processing.[8] This could create difficulties – it may not always be possible to determine the exact purpose of data collection beforehand. For instance, with devices that work in an Internet of Things (“IoT”) ecosystem, the purposes for which data may be used are constantly evolving, and so it could be difficult to spell out exactly what purpose the data is going to be collected for.

6. Will the data localisation requirement under the Bill affect companies? 

Companies will have to maintain at least one serving copy of all their personal data on a server in India, subject to some exceptions.[9] Certain categories of personal data (known as “critical personal data”, to be notified by the Central Government) cannot be transferred out of the country at all, while the cross-border transfer of personal and sensitive personal data is subject to certain restrictions.[10]

Data localisation may reduce access to global cloud service platforms for companies in India. It may also limit access to global markets and the latest technologies. This could cut into profit margins, reduce productivity for companies and undermine their competitiveness.

7. Who is the regulator responsible for enforcement of the Bill? 

The Data Protection Authority (DPA) will be responsible for enforcement of the Bill.[11] The Bill gives the DPA wide-ranging powers – including the power to identify additional classes of data as “sensitive”, the power to require certain entities to conduct mandatory data protection impact assessments and the power to permit cross-border transfers in certain cases.

8. What are the consequences of non-compliance with the provisions of the Bill? 

Non-compliance with the Bill can attract penalties of up to Rs. 15 crores or 4% of worldwide turnover and even imprisonment up to five years.[12]


[This post has been authored by Tuhina Joshi, Associate, Ikigai Law, with inputs from Nehaa Chaudhari, Policy Lead, Ikigai Law and Anirudh Rastogi, Founder, Ikigai Law]


[1] Section 2, the Personal Data Protection Bill, 2018.

[2] Section 8 read with Section 12, the Personal Data Protection Bill, 2018.

[3] Processing on the basis of consent is one of the main legal grounds for processing of personal data by private sector players. The other grounds of processing available to the private sector are: processing in compliance with law, processing that is necessary for prompt action, processing that is necessary for employment, and processing for reasonable purposes (refer to Chapter III, the Personal Data Protection Bill, 2018).

[4] Section 12, the Personal Data Protection Bill, 2018.

[5] Section 2(35), the Personal Data Protection Bill, 2018.

[6] Section 18, the Personal Data Protection Bill, 2018.

[7] Section 5, the Personal Data Protection Bill, 2018.

[8] Section 6, the Personal Data Protection Bill, 2018.

[9] Section 40(1), the Personal Data Protection Bill, 2018.

[10] Section 40(2), the Personal Data Protection Bill, 2018.

[11] See Chapter X, the Personal Data Protection Bill, 2018.

[12] See Chapter XI, the Personal Data Protection Bill, 2018.
