A copy of The Personal Data Protection Bill, 2019 (“the PDP Bill, 2019”) was made available in the public domain yesterday (the Bill can be downloaded at the end of this post). The PDP Bill, 2019 has brought in some new clauses – compliance obligations for social media companies and enhanced State power to exempt any government agency from the purview of the Bill; relaxed some existing provisions – done away with mandatory mirroring requirements for all personal data and done away with certain offences for transferring/ selling personal data; and in some cases removed extant requirements such as the creation of the Data Protection Fund.
Some of the key changes brought in by the PDP Bill, 2019 are as follows:
- Social Media Intermediaries and voluntary verification of accounts (Sec. 26 and 28 of the Bill)
The PDP Bill, 2019 extends the obligations of significant data fiduciaries to another class of entities called social media intermediaries (“SMIs”). The Bill defines SMIs to mean intermediaries who primarily/ solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using their services (it specifically excludes entities like – e-commerce platforms, TSPs/ ISPs, search engines, cloud service providers, online encyclopedias, and email services from the definition of SMIs). Another qualification for an entity to be an SMI is – the likelihood of, or actual, impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India [see Sec. 26(4)].
In addition to obligations such as – data protection impact assessments (Sec. 27), maintenance of records (Sec. 28), audit of policies (Sec. 29), and appointment of a data protection officer (Sec. 30), which are applicable to all significant data fiduciaries, SMIs are required to provide an option to users (registering from India or using the services in India) for voluntary verification of their accounts [the methods of such voluntary verification will be notified by the Central Government as per Sec. 93(1)(d) of the Bill]. Verified user accounts will be marked with a demonstrable verification mark [See Sec. 28(4)]. As per Sec. 29, data auditors are required to evaluate SMIs for timely implementation of their obligations under account verification norms.
Social media verification requirements are misplaced in data protection legislation. As under existing provisions [see Sec. 26(1)] social media companies could easily fall under the ambit of significant data fiduciaries, the only basis for this distinct classification could be to introduce account verification mechanisms. We believe that there is no basis for reasonable classification on the lines of social media intermediaries in the PDP Bill, 2019 and that these requirements should be removed.
- Central Government can Exempt any Government Agency from the Bill (Sec. 35 of the Bill)
Sec. 42 of the Draft Personal Data Protection Bill, 2018 (“the Srikrishna Bill”) allowed access of personal data to the State for security purposes based on principles of necessity and proportionality and on the basis of authorisation under law. The provision for Government access to personal data under the PDP Bill, 2019 (Sec. 35) is wider, gives the Central Government power to exempt any government agency from the purview of the Bill (all or select provisions) and does not codify the principles of necessity and proportionality as determinants to access.
Sec. 35 of the PDP Bill, 2019 effectively enhances existing surveillance powers of the government and gives the State overarching power to access personal data. This provision enables government surveillance projects like the NATGRID, CMS, and the nationwide facial recognition program. Even the Srikrishna Committee Report recognised that unfettered State access to personal data, without adherence to established safeguards (such as necessity and proportionality as expounded in the privacy judgment of the Supreme Court – Puttaswamy), is potentially unconstitutional. We believe that granting access to personal data to the State, without appropriate safeguards and judicial oversight, is against established constitutional principles and should not form part of the PDP Bill, 2019.
- Dilution of Data Localisation Requirements (Sec. 33 and 34 of the Bill)
The mandatory requirement for storing a mirror copy of all personal data in India as per Sec. 40 of the Srikrishna Bill has been done away with in the PDP Bill, 2019. Localisation requirements are only on sensitive and critical personal data (stored in India with conditions for transfer overseas). Critical personal data may only be processed in India [See Sec. 33(2)]. Sensitive personal data (“SPD”) may be transferred outside India based on explicit consent and a) if the transfer is made per a contract or intra-group scheme (approved by the data protection authority); or b) Central Government allows transfer to a country, entity or international organization; (requisite safeguards for protection of such personal data are prescribed under these provisions) or c) data protection authority may allow a transfer of SPD for specific purposes.
Similarly, for critical personal data, transfers may be allowed for health or other emergency services or where the Central Government approves transfers to a country, entity or international organization.
Though removing the mandatory mirroring requirement is an appropriate change, we believe users/ data principals should be given rights over where they wish to store their personal data, and the State should not impose restrictions on transfer of such data, especially after explicit consent.
- The Right to Erasure (Sec. 18 of the Bill)
The Srikrishna Bill did not contain a right to erasure, even under the right to be forgotten (“RTBF”) (See Sec. 27 of the Srikrishna Bill). The PDP Bill, 2019 has brought in the right to erasure alongside the right to correction of personal data [See Sec. 18(1)(d)]. The data principal may request data fiduciaries to erase personal data when such data is no longer necessary for the purpose of processing. Data fiduciaries may refuse such requests for erasure, but data principals may then require fiduciaries to take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by them.
We believe this to be a good inclusion as it enhances data principal rights to request the erasure of data which is no longer needed for the purpose of processing. Such a right was missing from the Srikrishna Bill. A right to erasure should also be incorporated under the RTBF (under Sec. 20 of the PDP Bill, 2019), as presently the RTBF only includes a right to non-disclosure and not erasure.
- Removal of Judicial Member from Selection Committee Recommending Members to the Data Protection Authority (Sec. 42 of the Bill)
The PDP Bill, 2019 has removed the judicial member (the Chief Justice of India or another Supreme Court Judge) from the selection committee which is empowered to give recommendations to the Central Government for the appointment of members of the Data Protection Authority (“the DPA”) [the Srikrishna Bill included a judicial member in the selection committee – see Sec. 50(2) of the Srikrishna Bill]. Now, as per Sec. 42(2) of the PDP Bill, 2019, the selection committee will comprise – a) the Cabinet Secretary (who is also the Chairperson); b) the Secretary, Department of Legal Affairs; and c) the Secretary, Ministry of Electronics and Information Technology.
The DPA is completely dependent on the Central Government for its formation and membership. Considering that the PDP Bill, 2019 applies to the State as well, the regulatory body, which is tasked with enforcement of the Bill, is not independent from the State.
We believe that to ensure the independence of the DPA, there should be sufficient involvement of judicial members in the selection committee as well as in the DPA. This will guarantee judicial review and will quell concerns of conflict of interest.
(This is by no means an exhaustive list of the key changes in the PDP Bill, 2019. We will keep updating this list to capture other important changes like – the privacy by design policy, concept of consent manager, inclusion of inferred data in the definition of personal data etc.)