Last Friday, the Justice Srikrishna committee submitted its report and the draft Personal Data Protection Bill, 2018, to the government (referred to as the “Report” and the “draft Bill”, respectively, in the rest of this piece). Long anticipated, the committee dropped these documents on an expectant policy community just in time for some heavy weekend reading.

The Report is titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”, foregrounding the importance of data protection to the economy. So what then might the effects of this draft Bill be on Indian and global businesses, assuming it becomes law?

Data protection regulation in India

The Information Technology Act, 2000 (IT Act) contained no provisions relating to personal data when it was passed. It wasn’t until 2009 that India gained some semblance of a data privacy framework, by way of amendments to the IT Act that introduced Section 43A. And it was only in 2011 that rules were notified that defined “sensitive personal data” and fleshed out specific obligations with respect to consent, purpose limitation, retention period, and transfer. The limited data protection framework contained in these amendments and rules were introduced for a very specific purpose – to facilitate and protect the Indian BPO industry. Indian technology majors handled large amounts of data of EU residents, and the EU’s Data Protection Directive of 1995 had resulted in pressure to ensure that India had a basic modicum of legal protection for this data. This objective can be divined from the basic language of the legal provisions (for example the extensive use of the term “body corporate”), as well as the subsequent clarifications issued on various aspects of the amendments.

While various efforts have been made over the years to pass a comprehensive privacy or data protection law, none of them went far. The current draft Bill incidentally isn’t even the first law to be named the “Draft Personal Data Protection Bill” – that honour goes to a 2006 private member’s bill proposed by Congress MP Vijay Darda. However, things are different this time around and it is likely that we will have a new law in the foreseeable future.

Big ticket items for businesses

So what are the major changes to the data protection regime that the draft Bill proposes?

1. Data fiduciaries and data principals: The collector or processor of data will be known as a “data fiduciary”, indicating the high standards of care they are expected to adhere to. And the individual providing her data, commonly referred to today as the “data subject”, will be known as the “data principal”, signifying the intent of situating her at the top of this framework.

2. Definition of personal data: The definition of “personal data” is now predicated on just one criterion – what makes an individual identifiable. It is an expansive definition, and similar in approach to the EU’s General Data Protection Regulation (GDPR). Crucially, consent is now required for the collection and processing of all personal data, not just the narrower category of “sensitive personal data” as is currently the case.

3. Expansion of sensitive personal data: While retaining existing categories, new categories such as genetic data and official identifiers have been added.

4. Consent more stringent: Consent needs to be free, informed, specific, clear, and capable of being withdrawn.

5. Consent can be withdrawn: This is an important right given to a data principal, although the draft Bill curiously places all consequences of such a withdrawal of consent exclusively on the data principal. While this works out in favour of businesses, expect this to be one of many contested points as the Bill moves forward.

6. Purpose limitation: Personal data can be processed only for purposes that are clear, specific and lawful. Data processing must only take place for the purpose specified or for an incidental purpose that can be reasonably expected.

7. New standards to be followed: All data processing needs to be carried out in a “fair and reasonable manner” and “privacy by design” needs to be incorporated into all platforms and products.

8. Data Protection Authority (DPA): There’s a new regulator on the block and it’s going to be a powerful one, with the ability to impose significant fines and extraterritorial authority.

9. Extraterritorial scope: The draft Bill will broadly apply to any entity collecting or processing personal data of Indian residents, wherever the entity is based. As long as it intends to offer its services in India or profile Indian residents, it needs to comply with the law, even if it has no physical or legal presence in the country. While this is broadly the case under the current regime too, the draft Bill makes this more explicit and enforceable.

10. Data protection officers: Companies need to appoint data protection officers whose job it will be to ensure compliance with the law and act as an interface with the DPA.

11. Data breach notifications: Entities that have suffered a data breach need to report it to the DPA, who will then determine if they need to inform users.

12. Significant data fiduciaries: A specific category has been created to cover entities that meet specific criteria such as processing high volumes of data, handling highly sensitive data, or having revenue over a certain threshold. They need to register with the DPA, and may be required to undertake additional compliances such as carrying out impact assessments before commencing certain activities.

13. Data localisation: The elephant in the room – the draft Bill requires that a copy of all personal data needs to be stored physically on servers in India. Expect this to be one of the most hotly contested provisions. A further category of “critical personal data” (as yet undefined) must be stored exclusively within India.

14. New rights for data principals: A slew of new rights, including the right to be forgotten, right to correction, and the right to data portability, need to be implemented by online platforms. This could mean significant technical and process changes.

15. Personal data of children: Age verification and parental consent will be required in many cases while offering online services to minors, i.e. anyone below the age of 18. There are also significant restrictions with respect to tracking and profiling of minors.

Effect on businesses

One of the things that good businesses prize is predictability. Every startup is a gamble, and adding profound regulatory uncertainty to the mix is not liable to convince a VC to cut you a cheque. The current data protection regime is so far behind the curve when it comes to the way data is actually collected and used now that it leaves far too many legal and ethical questions unanswered.

This law should mark a turnaround point for businesses – they need to start taking privacy seriously and it gives them a template for how to do that. There will now be a clear imperative, in the form of penalties and potential enforcement action, to ensure that engineers and product managers think about privacy at all stages of product design and implementation. Some of the principles such as consent and purpose limitation already existed, but setting up a DPA means that they are now actionable. Having a DPA also means that jurisprudence on what terms such as “fair and reasonable” mean and what the scope of “personal data” is, will hopefully evolve. While all of this will mean increases in compliance costs in the short term, the long term benefits should certainly justify this.

Civil rights issues – why should business care?

Experts and commentators have rightly raised a number of important civil rights issues thrown up by the draft Bill, including overly broad provisions relating to government use of personal data and questions about the independence of the DPA. While these may seem unrelated to business, that would be a short-sighted view. If the contentious battle for net neutrality in India and similar episodes have taught us anything, it is that good public policy lies where the interests of business and civil society converge. The court of public opinion can make or break a product, even in a developing market like India.

The draft Bill also effectively recommends that India’s surveillance apparatus be regulated by a law, which currently isn’t the case. Again – this is an issue that business should care about in the medium to long-term, for both public policy and commercial reasons. The provisions in the telecom licence related to the Centralised Monitoring System (CMS) programme are a cautionary tale – they require telcos to (among other things) bear the cost of linking to the closest CMS node, not an insignificant expense. The lack of an enabling law with checks and balances also means that companies currently have no effective way to resist in case of government overreach on surveillance, even if it causes a consumer backlash.

The elephant in the room

Data localisation is bound to be the issue that riles up industry the most, because of its highly disruptive nature, as we explored in detail last week in this column. The requirement to store a copy of all personal data in India will have an effect on both foreign and Indian companies, both big and small. If this policy is implemented, it will mean that companies as varied as Facebook, MasterCard, or Salesforce will need to store significant amounts of Indian user data in India. Moreover, given the broad and expansive definition of personal data, there will be significant confusion over exactly what data is covered and how to maintain accurate copies in different locations at all times. It also raises an important question for international startups that offer innovative new products but do not have the scale and resources of global giants – will the next Slack or GitHub simply not offer its services in India because the compliance costs would be too prohibitive? If so, that would be a huge loss to India.

It is not encouraging that the committee went forward on the data localisation provisions despite the sole industry representative, the Data Security Council of India (DSCI), being completely against it. DSCI’s dissent note, appended to the end of the Report, lays this out quite clearly. All of this points to why good process is essential to good policy – more transparency, a more inclusive committee with representation from civil society and a greater range of businesses, and a structured consultative process with multiple stages of feedback would have been preferable in this case. The government will hopefully now open the Bill up for public comment, something that the DSCI has already called for.

All indications at present point to the fact that security interests within the government have trumped good technical and business policy, with the strong data localisation provision being shoehorned into the draft Bill. The just-announced draft e-commerce policy also appears to contain worrying provisions relating to data localisation and forced sharing of data with Indian startups, indicating that this could be part of a concerted effort. The government needs to do a tightrope walk on digital policy – India is a large market for global internet companies – while simultaneously harbouring ambitions of nurturing indigenous internet businesses that will dominate the world one day. The size of the Indian market gives the government significant bargaining power, but it would be short-sighted to use that power for goals such as law enforcement access to data when there are other alternatives available, or only to gain a bargaining chip in negotiations.

 

Visuals by: Rajesh Subramanian

---