Personal Data Protection Bill 2018: Will the Legislation Introduce a GDPR-esque Compliance Regime in India? Ushering in an era of extraterritorial data privacy compliance for global firms operating in India

While earlier legislations dealing with personal data lacked deterrent penalties, with the introduction of the Personal Data Protection Bill 2018 (PDP Bill) companies doing business in, or with India, can scarcely afford to ignore the imminent paradigm shift in the Indian data privacy compliance framework.

Some of the significant concepts introduced by the PDP Bill include the right to be forgotten, data portability, restrictions on cross-border data transmission; carve-outs for anonymized data and journalistic purposes and reporting requirements for personal data breaches. With the exception of data localization, which is difficult to rationalize, the introduction of these concepts now bring Indian data privacy laws at par with contemporary requirements and introduce a compliance regime for data privacy in India.

GDPR Modelled Concepts: It is apparent from a reading of the PDP Bill that swathes of concepts and cues have been borrowed from the European Union General Data Protection Regulation (GDPR). The concepts of a "data controller' and "data subject' have been substituted with adapted concepts of a data "fiduciary', which determines the purpose and means of processing of personal data, and data "principal', being the individual who provides personal data. While the usage of the term fiduciary hints at a trust-based relationship, the PDP Bill is silent on whether the relationship between the data fiduciary and the data principal is a fiduciary responsibility. The PDP Bill has also adopted the principle of extraterritorial applicability and introduces turnover based penalties for certain contraventions that can extend up to 4% of the total worldwide turnover of the entity in breach much like the GDPR. While this is intended to serve as a deterrent penalty, how this would be calculated qua functionaries of the state and non-profit organisations remains unaddressed.

Attempts Overhauling Existing Laws: Thus far, the collection, handling and dissemination of an individual's sensitive personal data or information was largely governed by the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 which consisted of a mere eight provisions. These rules prescribed that consent must be provided in writing by letter, fax or email, which was woefully onerous, given that it has become de rigueur for consent to be obtained by a clickwrap contract, (i.e. by clicking on the "I Agree' tab to consent to terms and conditions).

In an age where the manner of obtaining informed consent has assumed significance, the PDP Bill, which stipulates that explicit consent should be obtained, is silent on the manner of obtaining consent. This is an omission that is conspicuous by its absence.

The PDP Bill has also broadened the definition of "sensitive personal data' to also include genetic data, gender status, caste or tribe, religious or political belief or affiliation and any other category of data specified by the Data Protection Authority of India (Central Authority). The delegation of the ability to add other categories of information to this definition could be viewed both as allowing flexibility, but also as granting overarching discretion to an authority.

The provisions of the PDP Bill which grant d iscretion and delegate powers to authorities would certainly need to be examined more carefully and perhaps the discretionary ambit would need to be narrowed to prevent abuse by delegated authorities. For example, as stated above the determination of whether the data breach causes harm, rests with the data fiduciary, which dilutes the stringency of the reporting requirement and grants exploitable discretion which could be called a lacuna.

Reporting Data Breaches: The reporting requirement for data breaches appears to have been diluted since the reporting appears to be mandatory only where the breach is likely to cause harm to a data principal, granting some degree of discretion in the interpretation of what may constitute harm. Interestingly, in what appears to be an attempt to prevent opinions about individuals being passed off as facts, data fiduciaries are also required to keep personal data in a form that distinguishes personal data based on facts, from personal data based on opinions or personal assessments.

Since this confers the onerous task of segregating facts from opinions devolving upon all data fiduciaries, presumably to curb the dissemination of thinly veiled personal opinions as facts, it should ideally be limited to significant data fiduciaries.

Contentious Classification of Data Fiduciaries: The government had earlier hinted that it would want to regulate Facebook and WhatsApp, and to this end, the PDP Bill appears to have introduced the concept of a "significant data fiduciary' which would be subject to stringent compliance measures. The entities falling within this definition would be notified by the Central Authority, if it is of the opinion that any processing activity undertaken by such data fiduciary or class of data fiduciaries carries a risk of significant harm to data principals.

As all legislation, objective criteria rather than discretionary authority would have certainly gone a long way to minimize litigations contesting classification as a "significant data fiduciary'. For example, it would be ludicrous to designate any messaging app using end to end encryption as a "significant data fiduciary' as the as messaging platform merely acts as a conduit without being able to intercept and read messages. If such a classification is made, it would most likely be challenged.

Conflicting Exceptions for Security of State: While in one instance the PDS Bill provides that processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, it delegates upon the Central Government the power to issue to the Central Authority such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order.

Rather than set out objective parameters for what would justify an encroachment on privacy, the PDS Bill has squarely conferred upon the Central Authority the sweeping discretion to issue directions, paving the path for arbitrary state action. The extensive discretion conferred by the legislature on the executive also appears contrary to the judgment of the Supreme Court last September in Justice K.S Puttaswamy v. Union of India and Others that assumed that the data privacy law would the principles set out in the judgment. It is also darkly reminiscent of Section 66A of Information Technology Act, 2000 which was widely abused by the executive and finally struck down as being "unconstitutional' by the Supreme Court in 2015.

Earlier this year, the Standing Committee on Information Technology had invited suggestions from the public in general and experts/professionals/organizations/ associations and stakeholders interested in "citizens' data security and privacy'. What remains to be seen is whether these suggestions, along with views from the public on redressing lacunae in the PDP Bill would be considered and incorporated in the final legislation promulgated by parliament. With the blizzard of criticism that the PDP Bill has drawn whether justified or not, it is trite to state that the lack of a further consultative process could result in each ambiguous provision playing out in courtrooms, risk having case laws eclipse legislated data privacy laws yet again.