DRAFT PERSONAL DATA PROTECTION BILL 2018, INDIA – STAGGERING, EREGIOUS, HISTORIC
A committee set up by the Ministry of Electronics and Information Technology (MEITY) has prepared and proposed a draft general data protection law for India, to replace the existing regime.
The draft law has been put up by the MEITY for public comments, the deadline for which is presently 30th September, 2018. The overall objectives of the public consultation exercise is for the MEITY to seek feedback from various stakeholders (such as citizens, NGOs, SMEs and start-ups) that the draft law should affect if enacted into law.
Impact
Draft law which aim to strengthen the data protection regulations and strengthen protection for all Individuals of India.
Penalty of upto INR 15 Crores or 4 percent of the “total worldwide turnover” of the preceding financial year (whichever is higher); in case of severe violations (INR 5 crore or 2 percent of the
“total worldwide turnover” in case of certain less severe breaches).
Criminal penalties (ranging from 3-5 years of imprisonment) for intentional, reckless and damages caused with knowledge, for certain offences. All offences under the draft bill are categorised as cognizable and non-bailable.
The term ‘total worldwide turnover’ not only includes the total worldwide turnover of the Data Fiduciary but also that of its group entities, if such turnover of the group entity arises as a result of processing activities of the Data Fiduciary.
Applicability
The draft law seeks to regulate 2 kinds of data collected/processed/stored/disclosed by any person or entity i.e.
i) Personal data: Which identifies details of a person such as their name, contact address, phone number, email address etc. and
ii) Sensitive Personal data: including passwords, financial data, health data, biometric data etc.
Applicability of the Processing Data Principal
Draft Law
In Over Located Located
India seas in India Overseas
Data Located Located
Fiduciary/ in India overseas
Processor
* if in connection with any business carried on in India, or any systematic activity of offering goods or services to data principles within India; or in connection with any activity which involves profiling of data principles within India
** Unless specifically exempted, such as in the case of outsourcing contracts
What is Significant Data Fiduciary?
If any entity processes:
i) Large volumes of personal data
ii) Very Sensitive personal data
iii) Has a high turnover
iv) Data that has a risk of harm to the user
v) Uses ‘new technologies’ for processing.
If the entity is classified as ‘significant data fiduciary’ then they have to comply with additional requirements such as data protection, impact assessments, record-keeping, data audits and appointing data protection officer to ensure compliance.
Obtaining Consent from Data Principal – Most Critical
Anyone who does collection, processing, storage, disclosure of personal or sensitive personal data of a user (Data Principal) is required to take consent and named as Data Fiduciary. (One who processes such data is Data Processor)
Consent obtained should mention the purpose of collection and would need to mention numerous aspects and which is most critical. Information required to be provided by the Data fiduciary to the Data Principle in the notice are mentioned in Section 8 of the draft law.
Exemption for Start-ups:
If a start-up engages in manual processing of data (as opposed to automated means) and does not:
i) Have a turnover of more than INR 20 lakhs in the preceding financial year, and
ii) Collect personal data for the purpose of disclosure to third parties, and
iii) Process personal data of more than 100 individuals in a given day in the preceding 12 months,
Then certain compliance such as provision of notice, storage of limitation, certain transparency and accountability measures etc., should not apply.
No exemption available to Automated Processing of data.
Data Storage
As a general rule, a copy of all personal data and sensitive personal data should be stored on a server or a data centre in India.
“This rule brings additional cost of data storage and transfer to those who have their data outside India”
In addition to this consent is required for data transfer to outside India via:
i) Certain provisions which would be pre-approved by the data protection authority.
ii) Government approves the location or organization for the transfer.
iii) If the data protection authority specifically approves such a transfer due to necessity.
Apart from the above the law talks about the Child’s consent, Data Potability, Data breach notification to the authorities, Significant Data Fiduciary
Security Safeguards
“Innovative and transformational IT promises high returns, but the riskiness associated in case draft law gets enacted, would seldom be articulated. For start-ups, now the strategic focus should also be on compliance of data protection”
Having regard to the nature, scope and purpose of processing the personal data undertaken, the risk associated with such processing, and the likelihood and severity of harm that may result from such processing, the data fiduciary and the data processor shall implement appropriate security safeguard including steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction, data leakage of personal data.
But there is no single answer to the problem of data leakage …. (i) if personnel are issued laptop computers and virtual private network (VPN) access capabilities, it may be assumed that they are expected to be mobile, work remotely and take their data with them.
So what if despite all system level controls if the employee took photographs of the critical personal data and published in grey market or shared with the competitors. What if the sales personal shared the contact and email address of all the customers with some marketing companies, here marketing company will process the data for a purpose of which there was no consent obtained by the Data Fiduciary from the Data Principal. In such case Data Principal may sue the Data Fiduciary and Data Fiduciary liable for a penalty of 15 crore or 4 % of “total worldwide turnover” whichever is higher, along with prosecution.
“There is an implicit, but unwanted expectation that an authorized user (may of employee or service provider) will not betray the trust place in him or her of the Data Fiduciary/Data Processor, either intentionally or inadvertently. Even if that were a reliable control, what meaning does trust have in an era in which data sharing is promoted as an ideal and lucrative income source? The boundaries of trust must be encoded in policy that, it is hoped, will lead to behaviour. Maybe so, if the definition of “trust” is clear. Clarity of the policy will (or perhaps, may) motivate staff to follow the rules. But trust parameters are a weak substitute for secure perimeters”
Conclusion
There is another, perhaps deeper, implication of the draft law. Systems that store personal information, unfortunately, are more and more common in digital age. Even the most technologically savvy organisations struggle to cover all their bases, leaving them prone to breaches, big or small. It is hardly an original observation that innovation in information technology, huge data storage and artificial intelligence is changing society, its culture and more, and is doing so at a dizzying and dislocation pace.
The draft law will have impact on renegotiation of the concluded contracts for obtaining consent from the Data Principals, deleting the data where it is not necessary to be retained, data protection obligations, cross border data transfers and localization, Child’s consent, restriction or prevention of continuing disclosure of personnel data by the Data Principal, legal and contractual obligation between the Data Processor and Data Fiduciary, Anonymised data and Anonymization, etc. and are to be ponder upon by the society and the government.
But, we have to embrace these legal changes because it is the very necessity of the current scenario and there is no other alternative; or alternative data is the only alternative, through which the current pace of innovation and start-ups can continue.
Author: CA Manali Ganediwal
Published : Banking Finance, November 2018