An overview on “The Personal Data Protection Bill, 2019”
Traditionally, data played a limited role in business and the use of technology was minimal. In the era of digitalization, however, the need for and importance of data has grown drastically. Businesses collect data from both customers and consumers for various purposes, for example:
- To understand consumer behavior, tastes and preferences
- To analyze historical data for projecting future growth
- To maintain strong customer relationships and promote their products and services
A decade ago, data was measured in terms of paper; today it is measured in gigabytes or terabytes. Physical storage has been replaced by digital devices, and the collection, storage, processing, understanding and use of data have changed drastically.
A decade ago vs. the current situation:
- Manual book-keeping has been replaced by electronic books of accounts
- Paper documentation has been replaced by paperless documentation
- The Internet and integration with technology have become an integral part of business
- Local trading has grown into global trading via e-commerce
- Discounts are now accompanied by cash-backs and vouchers
- Individual ledger accounts have been replaced by personal online accounts with the company's website or third-party websites, and so on.
From the above we can conclude that business has undergone significant change over the years. This has resulted in a massive change in the manner in which data is generated, collected, stored, communicated and interpreted, with a significant impact on business decision making.
However, since there are no regulations on data collection and processing, businesses (including companies, other body corporates and individuals), and fraudsters operating in the guise of business, have tended to collect personal data from the public in the name of surveys and misuse it for their own benefit.
For example, a consumer may be asked for personal details while billing, for a lucky draw or as part of a survey. In this way a large amount of data is collected from many persons for many purposes. The important point is that, in such cases, the following are absent or are not communicated to the public from whom the data is collected:
- consent to the collection of the data
- the purpose of collecting and processing the data
- what ultimately happens to the data collected
Further, in India the existing regulation, under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, addresses the security and safeguarding of data once it has been collected and stored, not the collection and processing of that data.
In these circumstances, close observation and regulation of the collection, processing and use of personal data are essential, and the audit of data and of data privacy is gaining importance. In India there is currently no legal requirement for an audit of data. However, a bill, “The Personal Data Protection Bill, 2019”, is pending approval in Parliament.
Background:
The Hon’ble Supreme Court of India, in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors., delivered a landmark judgment holding that the right to privacy is protected as a fundamental constitutional right. The nine-judge bench held that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”. It explicitly overruled the earlier decisions of the Supreme Court in Kharak Singh vs State of UP and M.P. Sharma vs Satish Chandra, to the extent that they had held that there is no fundamental right to privacy under the Indian Constitution. Subsequently, a committee chaired by Justice B. N. Srikrishna was set up to examine the issues relating to data protection in India, and its draft formed the basis of the Bill.
Objectives of the Bill:
- To regulate the collection, purpose, use and processing of personal data within India
- To cover processing by data fiduciaries or data processors outside India where it is connected with business carried on in India or with the profiling of data principals in India
- To require that sensitive personal data continue to be stored in India even where it is transferred outside India
- To permit the collection, processing and use of personal data only on the consent of the data principal, subject to limited non-consensual grounds
- To establish a Data Protection Authority under the Act to regulate data processing and privacy.
Applicability:
Where personal data has been collected, disclosed, shared or otherwise processed within India, the provisions of the Bill apply to:
- Data fiduciary: any person who, alone or in conjunction with others, determines the purpose and means of processing personal data.
- Data processor: any person who processes personal data on behalf of a data fiduciary.
Note: “Person” includes the government, a company, any juristic entity and any individual.
A data fiduciary may or may not also be the data processor.
Example: ABC Ltd. conducts a market survey on Products A and B and collects a large amount of data. Two scenarios are possible:
- ABC Ltd. has the IT capability to process the data into information itself; here ABC Ltd. is both data fiduciary and data processor.
- ABC Ltd. has no IT support and outsources the processing of the collected data to a third party; here ABC Ltd. is the data fiduciary, while the third party that processes the data into information is the data processor.
Social media intermediaries:
- A social media intermediary is an intermediary that primarily enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services (for example, Facebook).
- A social media intermediary with users above the applicable threshold, whose actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India, is to be notified by the Central Government as a significant data fiduciary.
Exception: a “social media intermediary” does not include an intermediary that primarily
- enables commercial or business-oriented transactions
- provides access to the Internet
- is in the nature of a search engine, online encyclopedia, e-mail service or online storage service.
The Bill turns on three defined terms:
- Data: a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.
- Data principal: the natural person to whom the personal data relates. Corporate entities such as companies therefore cannot be data principals.
- Consent: the consent of the data principal is valid only if it is
  - free, in the sense of section 14 of the Indian Contract Act, 1872
  - informed, by a notice stating the purpose of collection and the other particulars required under section 7 of the Act
  - specific and clear as to the purpose of collection and processing, and
  - capable of being withdrawn.
Accepting terms and conditions that grant unconditional rights over the collected data and that cannot be withdrawn does not amount to consent.
Classification of Data under the Act
- Personal data: data about or relating to a natural person who is directly or indirectly identifiable.
- Sensitive personal data: personal data that includes, among other categories, passwords, financial data, health data, official identifiers, biometric data, genetic data, and caste or tribe.
- Anonymized data: data that has undergone anonymization, an irreversible process of transforming personal data into a form in which the data principal cannot be identified.
Example: Mr. Ram signs up for an Amazon account for the first time. To open the account he must give basic details such as name, address, contact number and any other details required. After signing up, Mr. Ram places orders and has them delivered in accordance with the delivery terms.
In this case Mr. Ram is the data principal, Amazon is the data fiduciary as well as the data processor, Mr. Ram's details (including what he searched for and ordered on Amazon) are personal data, and his payment and bank-related information is sensitive personal data.
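The line between personal data and anonymized data matters in practice because anonymized data falls outside the Act altogether, so a fiduciary has every incentive to call a dataset “anonymized” when it has only been pseudonymized. The following is an added example, not code from the original article: the record, the mobile number and the PIN code are constructed, and the six-digit known prefix is an assumption standing in for whatever an attacker can already infer about how the number was allocated. It shows why hashing an identifier does not satisfy the Act's irreversibility test (the SHA-256 digest of a mobile number is recovered by enumerating candidates), while generalizing the quasi-identifiers leaves nothing to enumerate.

```python
import hashlib
import itertools
from typing import Dict, Optional

# Constructed sample record for illustration; not a real person.
RECORD: Dict[str, object] = {
    "name": "Ram",
    "mobile": "9876543210",
    "pin_code": "560001",
    "age": 34,
}


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(record: Dict[str, object]) -> Dict[str, object]:
    """Replace the direct identifiers with a digest.

    This is pseudonymization, not anonymization: the digest is a deterministic
    function of the mobile number, so anyone who can enumerate candidate
    numbers can recover it. The result is still personal data under the Act.
    """
    out = dict(record)
    out.pop("name")
    out["mobile_hash"] = sha256_hex(str(out.pop("mobile")))
    return out


def reidentify_mobile(mobile_hash: str, known_prefix: str, unknown_digits: int) -> Optional[str]:
    """Recover a hashed mobile number by brute force.

    `known_prefix` models what an attacker already knows about the number (an
    assumption for this example); only the `unknown_digits` trailing digits are
    enumerated, i.e. 10 ** unknown_digits hash computations.
    """
    for tail in itertools.product("0123456789", repeat=unknown_digits):
        candidate = known_prefix + "".join(tail)
        if sha256_hex(candidate) == mobile_hash:
            return candidate
    return None


def anonymize(record: Dict[str, object]) -> Dict[str, str]:
    """Drop direct identifiers and coarsen the quasi-identifiers.

    No output field is a function of the name or mobile number, so there is
    nothing to enumerate; this is the irreversible transformation the Act's
    definition of anonymization requires. The three-digit PIN prefix (the
    sorting district) and a ten-year age band are the coarse buckets chosen
    for this example.
    """
    low = int(record["age"]) // 10 * 10
    return {
        "district": str(record["pin_code"])[:3] + "xxx",
        "age_band": f"{low}-{low + 9}",
    }


def is_reversible(pseudo: Dict[str, object], known_prefix: str, unknown_digits: int) -> bool:
    """Review check: does the 'anonymized' record give the identifier back?"""
    return reidentify_mobile(str(pseudo["mobile_hash"]), known_prefix, unknown_digits) is not None


if __name__ == "__main__":
    pseudo = pseudonymize(RECORD)
    print("pseudonymized:", pseudo)
    print("recovered mobile:", reidentify_mobile(str(pseudo["mobile_hash"]), "987654", 4))
    print("anonymized:", anonymize(RECORD))
```

The same check applies to any identifier drawn from a small space (PAN numbers, vehicle registrations, e-mail addresses built from names): if a reviewer can get the original value back from the stored form, the data is still personal data and the exemption for anonymized data does not apply.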
Exemptions
- Where a data fiduciary is classified as a “small entity” under the Act, it is relaxed from the following provisions:
  - the requirement of notice for collection or processing of personal data
  - quality of personal data processed
  - restriction on retention of personal data
  - the brief summary of processing activities undertaken by the data fiduciary, and
  - sections 19 to 32 of the Act.
A “small entity” means such data fiduciary as may be classified by regulations made by the Authority, having regard to
  - the turnover of the data fiduciary
  - the purpose of collection of personal data, and
  - the volume of personal data processed by it.
- The provisions of the Act do not apply to the processing of anonymized data.
- The Central Government may, by order, exempt any agency of the government from the provisions of the Act.
- Personal data is exempt where it is processed
  - for the prevention, detection, investigation and prosecution of any offence or other contravention of any law for the time being in force, or
  - where necessary for or relevant to a journalistic purpose.
- Processing of personal data by
  - any court or tribunal in India, or
  - a natural person for a purely personal or domestic purpose.
- Disclosure of personal data that is necessary for enforcing any legal right or claim, or in related legal and judicial matters.
Obligations for data processing:
Every person processing personal data of a data principal shall
- process such personal data in a fair and reasonable manner that respects the privacy of the data principal
- process it only on the consent of the data principal (except on the non-consensual grounds listed below), and only where the data principal has the right to withdraw that consent and a grievance-redressal procedure is available
- collect personal data only to the extent necessary for the purposes of processing.
Example: some applications ask for permission to access your contacts even though this is not necessary for the service. We generally accept the terms and conditions (that is, give consent), but once accepted that consent cannot be taken back. The Act restricts both practices: collection must be limited to what is necessary for the stated purpose, and consent must be capable of being withdrawn.
Other obligations under section 7 and the related provisions of the Act:
- The burden of proving that consent has been given by the data principal lies on the data fiduciary.
- The data fiduciary shall not retain personal data beyond the period specified or once the purpose is fulfilled, and shall delete the personal data at the end of processing.
- The data fiduciary shall undertake periodic review to determine whether it is necessary to retain the personal data in its possession.
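Three of the obligations above have a direct engineering consequence: consent must be specific to a purpose and withdrawable, the fiduciary must be able to prove that consent was given, and retained data must be reviewed and deleted once the purpose is spent or the consent is gone. The following is an added example, not code from the original article, of a consent ledger that enforces those rules; the class and method names, the purposes, the retention periods and the timestamps are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Consent:
    principal_id: str
    purpose: str                 # the specific purpose stated in the notice
    notice_version: str          # which notice text the principal was shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class StoredData:
    principal_id: str
    purpose: str
    collected_at: datetime
    retention: timedelta         # period after which the data must go


class ConsentLedger:
    """Ledger a fiduciary keeps so that it can refuse processing without live,
    purpose-specific consent, prove consent was given, and run retention review."""

    def __init__(self) -> None:
        self.consents: List[Consent] = []
        self.data: List[StoredData] = []

    def record_consent(self, principal_id: str, purpose: str, notice_version: str, at: datetime) -> Consent:
        consent = Consent(principal_id, purpose, notice_version, at)
        self.consents.append(consent)
        return consent

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> int:
        """Withdrawal is always honoured; returns how many consents were closed."""
        closed = 0
        for c in self.consents:
            if c.principal_id == principal_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at
                closed += 1
        return closed

    def active_consent(self, principal_id: str, purpose: str, at: datetime) -> Optional[Consent]:
        """Consent given for one purpose never carries over to another purpose."""
        for c in self.consents:
            if (c.principal_id == principal_id and c.purpose == purpose
                    and c.given_at <= at and (c.withdrawn_at is None or at < c.withdrawn_at)):
                return c
        return None

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        return self.active_consent(principal_id, purpose, at) is not None

    def store(self, principal_id: str, purpose: str, at: datetime, retention: timedelta) -> bool:
        """Collect only against live consent for that purpose; refuse otherwise."""
        if not self.may_process(principal_id, purpose, at):
            return False
        self.data.append(StoredData(principal_id, purpose, at, retention))
        return True

    def evidence_of_consent(self, principal_id: str, purpose: str, at: datetime) -> Optional[Dict[str, str]]:
        """What the fiduciary would produce to discharge the burden of proof."""
        c = self.active_consent(principal_id, purpose, at)
        if c is None:
            return None
        return {"principal_id": c.principal_id, "purpose": c.purpose,
                "notice_version": c.notice_version, "given_at": c.given_at.isoformat()}

    def retention_review(self, at: datetime) -> Tuple[List[StoredData], List[StoredData]]:
        """Periodic review: delete data whose retention has elapsed or whose
        consent has since been withdrawn. Returns (kept, deleted)."""
        kept: List[StoredData] = []
        deleted: List[StoredData] = []
        for d in self.data:
            expired = at >= d.collected_at + d.retention
            consent_gone = self.active_consent(d.principal_id, d.purpose, at) is None
            (deleted if expired or consent_gone else kept).append(d)
        self.data = kept
        return kept, deleted


def demo() -> Dict[str, object]:
    """Constructed scenario: Ram consents to order fulfilment only, then withdraws."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_consent("ram", "order_fulfilment", "notice-v1", t0)
    stored_ok = ledger.store("ram", "order_fulfilment", t0 + timedelta(hours=1), timedelta(days=30))
    stored_marketing = ledger.store("ram", "marketing", t0 + timedelta(hours=1), timedelta(days=30))
    proof = ledger.evidence_of_consent("ram", "order_fulfilment", t0 + timedelta(days=1))
    ledger.withdraw("ram", "order_fulfilment", t0 + timedelta(days=2))
    kept, deleted = ledger.retention_review(t0 + timedelta(days=3))
    return {"stored_ok": stored_ok, "stored_marketing": stored_marketing, "proof": proof,
            "may_process_after_withdrawal": ledger.may_process("ram", "order_fulfilment", t0 + timedelta(days=3)),
            "kept": len(kept), "deleted": len(deleted)}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the notice version alongside the consent is that the burden of proof is on the fiduciary: it is not enough to show that a box was ticked, the fiduciary has to show which purpose and which notice text the principal agreed to at that time.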
Grounds for processing without consent
Personal data may be processed by a data fiduciary or data processor without consent if such processing is necessary
- for any function of the government authorized by law for
  - the provision of any service or benefit to the data principal from the government, or
  - the issuance of any certification, licence or permit for any action or activity of the data principal by the State under any law for the time being in force made by Parliament or a State Legislature
- for compliance with any order or judgment of any court or tribunal in India
- to respond to any medical emergency involving a threat to the life, or a severe threat to the health, of the data principal or any other individual
- to undertake any measure to provide medical treatment or health services to any individual during an epidemic or outbreak of disease.
Obligations of the data fiduciary in case of a data breach:
Where a personal data breach is likely to cause harm to any data principal, the data fiduciary shall notify the Authority of the breach, stating the following particulars:
- the nature of the personal data
- the number of data principals affected
- the possible consequences, and
- the action being taken by the data fiduciary to remedy the breach.
“Personal data breach” means any unauthorized or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal.
Conclusions:
In the era of digitalization, businesses must collect, process and rely on data; data has become an integral part of business. In view of the enormous growth in the importance of data, there is a need to enact a law to
- regulate the collection, purpose, processing and end use of data within India, and data processing outside India that is connected with India
- prevent the misuse of personal data and harm to data principals.