India is one of the world’s largest data-generating countries and is on the cusp of enacting a new Data Protection Law. PrivSec Report examines what it could all mean. 

India is not just any player in the global data market. With its 1.36 billion residents and its recent record of rapid growth, facilitated by cross-border data flows that enable start-ups in the Global South to access foreign markets, what India does when it comes to data protection really matters.

The country is on the verge of enacting its first all-encompassing cross-sectoral data protection law, the Personal Data Protection Bill 2019.

This wide-ranging and complex piece of legislation will create India’s first national regulatory authority for the protection of personal data and is seen as India’s answer to GDPR, but with more flexible definitions of consent. It is hoped the law will strengthen compliance requirements. The legislation, which is expected to be passed in the 2021 Budget season starting this week, has already run into controversies around surveillance and data localisation however.

PrivSec Report discusses India’s privacy vision with Tripti Dhar, ISO consultant at Reina Legal and Naavi Vijayashankar, Data Protection and Data Governance Consultant and Executive Chairman at Foundation of Data Protection Professionals (FDPPI).

The Personal Data Protection Bill (PDPB) was first proposed in 2018, but was revised the following year after it received heavy criticism from various stakeholders for “incorporating stringent blanket provisions on data localisation”. As it stands, the 2019 Bill has removed the provision for mandatory storage of all personal data in the country, but Dhar says the localisation requirements of non-personal data “remain a burning issue.”

India’s privacy background 

Naavi reminds us that privacy is not a brand-new concept to India. Rather, he says, “If we combine [previous] legal provisions with the several decisions of the Supreme Court upholding the Privacy Rights, we should say that India does have data protection laws already in place.”

The Information Technology Act was introduced in 2000 and amended in 2008 (ITA 2000/8), which “provides privacy protection to a certain extent,” Naavi explains. The law imposes civil penalties on companies which do not practice “reasonable security practice” if they handle sensitive personal information. The penalty for a privacy breach under this law is a 3-year imprisonment and fine of up to Rs 500,000.

However, a civil penalty does not punish a company for non-compliance through administrative fines, it only provides compensation to damages claimed by a victim of contravention, Naavi explains.

The PDPB 2019 by contrast, would create a national regulatory authority for the protection of personal data, which Naavi believes will “significantly increase the level of compliance compared to the current situation where ITA 2000/8 tries to provide some legal measures for privacy protection.” Businesses would be held to account.

PDPB 2019 

The PDPB 2019 in this respect is arguably a welcome move for many Indian citizens and businesses. Naavi says: “It replaces Section 43A provisions of ITA 2000/8 with a whole set of provisions with better clarity on the obligations of the Data Fiduciaries, Rights of the Data Principals, and the need for close monitoring of the ‘Reasonable Security Practice’.” It also creates a separate regulatory authority for monitoring compliance.

“The separate law and a regulatory mechanism followed by registration, mandatory data audits, filing of information with the regulator as well as the power of the regulator to conduct voluntary audits, etc., will significantly increase the level of compliance compared to the current situation where ITA 2000 tries to provide some legal measures for privacy protection,” Naavi says.

Dhar explains that although modelled on the Europaan Union’s GDPR, the PDPB 2019 “sets its own tone of privacy regulations”.

She says: “By incorporating, medical emergency, medical treatment, protecting the safety of individual in case of disaster, as a necessary legal basis of processing moreover the definition of consent is also more flexible than that contained in the GDPR and in this way it sets itself apart from other national laws such as GDPR.”

By primarily focusing on Indian citizens and protecting their privacy, “it seeks to provide more control to Indians over their personal information and create a culture towards respecting informational privacy of individuals,” Dhar adds. “At the same time, it tries to balance between personal privacy and new technological innovation to help people gain ethical and fair advantages from data they choose to share and thus create an environment of trust around processing of personal information.”

Furthermore, commenting on the Bill’s extraterritorial effect, Naavi says, “The law does not discriminate between Indian nationals and foreign nationals regarding the provision of rights under the law,” which he describes as “fair and in tune with the legal precedence in India.”

However, Dhar contends that the Bill can also be read as an attempt to “carve out India’s niche for the government to exercise its control and retain exemptions.”

Unchecked state surveillance? 

Some measures in the bill have led to accusations that it will lead to unchecked state surveillance by domestic authorities within India. However, Naavi says: “PDPB safeguards against the State Surveillance to the extent law can accomplish.”

Sections 35 and 36 of the Bill emerged as the crux of issues of the Bill as it empowers government agencies to process citizens’ personal data. Section 35 enables the Indian government to exempt any government agency from the provisions of the Bill for purposes of public order and national security.

However, according to Naavi, “There has been a mischievous speculative interpretation of this section by a section of the experts and the media which is unwarranted.”

He explains, “[Section 35] is only applicable when the Government can establish through due process that seeking exemption was ‘Necessary’ an ‘Expedient’ in the interest of sovereignty and integrity of India and the security of the State.” He adds that, “Certain provisions such as obtaining consent or giving prior notice is exempted for law enforcement purposes just like GDPR and other similar laws.”

Additionally, he explains that exemptions for the corporate sector such as fraud prevention and information security, “are all necessary provisions under the legitimate interest claim of the commercial entities.”

He says: “The law cannot protect against the misuse by the implementing authorities and if such a situation arises, they have to be handled by the Courts in India which are competent to protect any unlawful activities of the Government.”

Dhar offers a different perspective on Sections 35 and 36, stating, “The balance between a surveillance state and individual’s fundamental right to privacy seems to be tipped off in favour of the government presently.”

“Section 35 and 36 allows certain security agencies to process data for surveillance. They are, however, not allowed to misuse this data,” she states. “Article 19 of the Constitution also provides reasonable restrictions, where the government allows itself similar exemptions in cases of ‘decency’, ‘morality’, ‘defamation’. Based on the constitution, the government can use ‘incitement to offence’ and ‘public order’ for surveillance. These terms are generic and can be misused.”

Additionally, she argues, “While [the Bill] also broadly categorizes data of individuals into three categories — critical, sensitive and general the government can, at any point, bypass restrictions to give complete access to itself or any agency under it.”

As a result, she says, there is a need for judicial deliberation on this issue “to ensure that the individual’s fundamental right to privacy is upheld, is retained, after the passing of the PDPB Bill.”

Data localisation 

An earlier version of the law, PDPB 2018, included a provision that one copy of all personal data had to be kept in India, while another copy may be transferred out of India subject to usual restrictions such as adequacy, Standard Contractual Causes (SCCs) or Binding Corporate Rules.

Ultimately, business interests were able to extract a concession to which there is no restriction on transferring non-sensitive personal data outside of India.

The PBPD 2019 states that only sensitive personal data must continue to be stored in India, but this data can be transferred outside of India if explicit consent is given by the individual, and it is subject to additional conditions. This also includes “critical data” under emergent circumstances.

However, Naavi explains that a demand remains from one section of experts in India that the “provisions of Sections 33/34 on transfer of data needs to be made stricter at least as was provided in the PDPB 2018 version.” However, he adds, “It is not known at this point of time if any changes would be recommended by the JPC when it sends its final recommendations to the Parliament.”

“If however,” Naavi adds, “more organizations do decide to store personal data in India, it would give a boost to the local industry and it should be welcome.”

On the other hand, Dhar suggests that “while data localization requirements are not novel provisions, exclusive to PDPB, such requirements create hindrance in creating and perpetuating a global data governance framework and ensuring smooth flow of data globally.” She adds, “Localization requirements of non-personal data thus remains a burning issue.”

Non-personal data and anonymisation 

On 16 December 2020, the Ministry of Electronics and Information Technology (MEITY) constituted a Committee of experts on non-personal data (NPD) released its revised report recommending the

introduction of legislation governing NPD. The Committee argued that non-personal data held by organizations “need to be governed with an objective of unlocking the value of the data,” Naavi says.

At the start of India’s budget session commencing this week, the PDPB 2019 will be redrawn by the Joint Parliamentary Committee.

One of the core issues surrounding the inclusion of NPD is that “anonymized personal data” is considered as non-personal data. Therefore, as Naavi explains, the process of “anonymization” for which standards will be specified by the Data Protection Authority, “will separate the data asset that flows out of the regulation of PDPB into the proposed regulation under NPDG.”

However, Dhar suggests that it has its problems: “Though any data that cannot identify individuals is understood as NPD, this could cover a vast array of information, including companies’ intellectual property (IP) or confidential information. All anonymized data need not be secure. Researchers have been able to re-identify individuals from seemingly anonymized data by combining datasets or using new techniques.”

In the case of public or community data, she says, identification can be made when combined with other datasets. “For instance, aggregated data on access to subsidised health care can disclose traits of a particular community such as age, employability, economic status, health care requirements and so on,” she says.

“Using the powers under Clause 91, government can cite policy formulation, efficacious provision of services and public interest to demand access to the entity’s NPD, irrespective of the confidentiality and proprietary nature. At the same time, the 2019 Bill does not provide any guidelines on if and how such accessed data will be further accessed, stored, reused and protected,” Dhar says.

She adds: “In the current form, it is possible that the government can freely utilize an organization’s data in any manner without following any due process, and since the overarching goal would be dressed as policy initiatives or for the public good, there may be limited judicial scrutiny. Consequently, the power vested with government is without necessary checks and balances.”

Therefore, governance of NPD, Dhar says, “presents complex, new considerations that are distinct from the concerns relevant to personal data regulation.” She argues that given this complexity, “the committee should consider holding a wide public consultation that will help bring different perspectives to the table.”

However, as Naavi explains, anonymisation is important to business: “While part of the technology world consists of hackers who can break encryption or anonymization, apart from punishing such activities, the PDPB 2019 cannot try to ignore anonymization as a reasonable way of converting processed personal data which is otherwise set to be discarded as a waste into an anonymized data asset that can bring some revenue to the company without adversely affecting the protection of privacy.”

What’s next for India’s privacy landscape? 

A recent study conducted by CUTS International, a global NGO based in India, suggests that an increase in digital services exports by 1 per cent would advance India’s GDP by 0.02% and vice versa. Thus, arguing for the implementation of seamless cross-border data flows.

Naavi predicts that after India’s privacy laws have been enacted, the country will increase its ability to attract international data processing business through its software development and data processing projects.

“Soon not only the awareness but also a market of opportunities will rise in India under the regime” is Dhar’s optimistic prediction.