Draft data protection bill: Key points for companies

Following an increase in personal data theft and other digital crimes, a draft Personal Data Protection Bill, 2018, was submitted to the Ministry of Electronics and Information Technology by a committee of experts chaired by retired justice BN Srikrishna on 27 July.
The proposed data protection framework was prompted by the case of Justice KS Puttaswamy (Retd) & Anr v Union of India & Ors (2017), in which the Supreme Court held that the right to privacy is a fundamental right, subject to certain reasonable restrictions, thus striking a balance between protecting the interests of individuals and the legitimate use of data by the state and the private sector. Corporate entities automating workflows and enhancing internal and external collaboration need to implement, evaluate and accordingly update certain processes in order to comply with the proposed data protection law.
Applicability: The draft bill applies to the processing of personal data by the state, Indian corporate entities and Indian citizens located within India, and by entities outside India where the processing relates to any business activity that involves offering goods or services to individuals located in India.
Types of data covered: Section 3 categorizes data into (a) anonymized data, (b) personal data, (c) sensitive personal data, (d) critical personal data, (e) financial data, (f) genetic data and (g) health data.
Rights of data subjects: Chapter VI sets out the rights of the natural person to whom the data relates (“data principal”) in relation to the data processor (“data fiduciary”). The “right to be forgotten”, in section 27, restricts the disclosure of personal data after the purpose is served, or consent withdrawn.
Data protection authority: Chapter X provides for the establishment of an independent authority to oversee enforcement of the personal data protection law.
Transparency and accountability: Chapter VII mandates that data fiduciaries adhere to security safeguards, notify the authority of data breach, assess data protection impact, keep records and conduct data audits, appoint a data protection officer and put in place a mechanism for grievance redressal.
Transfer of data outside India: Chapter VIII lays down restrictions and conditions for cross-border transfer of personal data. It empowers government to classify sensitive personal data as critical and mandate its processing. Corporate entities that have critical personal data must store it in India barring some exceptions.
Among the challenges presented by the bill are problematic exemptions in chapter IX, which nullify almost all of the necessary provisions and rights guaranteed in chapters II to VIII. Chapter IX provides that data principal rights are suspended when processing is necessary for the functioning of the state.
Section 40(1), in chapter VIII, requires corporate and other entities processing personal data to ensure storage on a server or in a data centre located in India. Small businesses and startups will find it hard to afford this, and it will also stop them from going global. Also, the date of coming into force of section 40 has not been provided. Section 40(3) bizarrely provides that the central government can decide not to follow the rule in section 40(1) for reasons of “necessity or strategic interests” of the state.
Miscellaneous provisions in chapter XV of the bill give unrestricted power to the government in relation to security and Aadhaar. Section 98(1) allows government to issue “such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order”, giving it arbitrary powers.
There is no separate provision for surveillance by law enforcement authorities. Sections 42 and 43 provide for processing of personal data in the interests of state security and “of prevention, detection, investigation and prosecution of any offence or any other contravention of law” but these sections do not specify any consequences for non-compliance. The Indian Telegraph Act, 1885, and the Information Technology Act, 2000, already contain such provisions so the bill does not represent a comprehensive surveillance reform.
The bill does not provide any measures for accountability and oversight over the intelligence agencies such as the Intelligence Bureau.
With today’s increased competition and strong emphasis on data protection, Indian companies need to be aware of the provisions of the proposed Personal Data Protection Bill and frame a corporate data protection policy accordingly, as the draft bill provides a healthy balance between privacy and innovation.
Deepak Sabharwal is the managing partner of Deepak Sabharwal & Associates.