Post on 22-Jul-2020

CVV CONTRIBUTORS

Patron

Vanisree Ramanathan, Associate Professor, Political Sociology

Advisors

Nagaraj Neerchal, Professor of Statistics and Vice-Chancellor

Gauri Mahulikar, Dean, CVV

P. Krishna Kumaran Thampi, Expert in Cyber Forensics and Security Auditing; Controller of Examinations, CVV

N M Sundar, Former Director, Information Technology, Barclays Bank, Singapore; Executive-Secretary to Trustee, CVV

Neeraj B Bhai, Director of IT Services, CVV

Maitreyi Hegde, Advocate, High Court of Kerala and Supreme Court of India

Language Editors

Saurabh Singapalli, Assistant Professor of English, CVV

Neethu S Kumar, Assistant Professor of English, CVV

Academic Inputs:

Ananthu B, Anuroop G Asokan, Anu V V, Bidisha Sahu, Krishna S, Rakesh R K, Shrikumar K Menon, Sreelakshmi Iyer, Srinivas Krishnan, Sunil J, Zeeshan Alam (LL.M. Legal Theory Students)

Abdul Nabeel A, Alexander V J, Antony Judy, Austin Joseph, Febin Raj T S, George V Markose, Gopika S, Pradeep, R Santosh Jose Prasad, Sruthi Das, Sumi Liza (LL.M. International Trade and Commercial Students)

Vandana Venugopal, Muhammed Suhas A, Arul Kurian, Jovin P John, Prateek Yadhav, Jayaprashant T (M.A. Public Policy and Governance students)

Venkat Raghavan, Abha Mohan, Vinayak Rajat Bhat, Satheesh Varma (Faculty Members)

Acknowledging External Support

Dhanuraj D, Antony Dawson D'Silva, Swapna J (Centre for Public Policy Research, Ernakulam)

Abhilash Gopinath (Centre for Economy, Development and Law, Thrissur)

Adv. Sreenath Namboodiri (Sandesh One, NGO)

Table of Contents

Introduction ... 07
Part I - Conceptual Framework of the 2018 & 2019 Bills ... 08
  I.01 - Personal Data: Sensitive, Critical and the Rest ... 08
  I.02 - Reductionist Conception of 'Data Processing' ... 10
  I.03 - Separate Legal Regimes dealing with purposes of State and other purposes ... 10
Part II - Theoretical Background Constituting the 2018 and 2019 Bills ... 12
Part III - Interpretation of Important Provisions of the 2019 Bill ... 15
  III.01 Personal Data, Data Principal, Data Fiduciary and Data Processor ... 15
  III.02 Sensitive Personal Data ... 16
  III.03 Processing ... 16
  III.04 Obligations of a Data Fiduciary ... 18
  III.05 Consent and Explicit consent ... 19
  III.06 Grounds for Non-consensual Processing and Exemptions ... 21
Part IV - Recommendations ... 28
Annexure ... xxviii

Copyright Policy and Disclaimer

© 2020 Chinmaya Vishwavidyapeeth

All rights reserved. Permission is hereby granted, free of charge or fees, to any person using this publication or any part of the same, for academic and non-commercial purposes, with due acknowledgment of the title, authorship and the publisher. Subject to the permission granted, no part of this publication may be reproduced or transmitted in any form or by any means without the permission of the Registrar, Chinmaya Vishwavidyapeeth, Veliyannad, Kochi, Kerala 682313. This document is an output of the research and study undertaken independently by the faculty and students of this University, and the views expressed herein are solely that of the authors and are based solely on information available publicly/internal data/other reliable sources believed to be true by them. The University does not endorse the output of this independent academic study and the attached recommendations. The recommendations are provided for assistance and are not intended to be and must not alone be taken as the basis for any decisions.

MEETINGS LEADING TO REPORT

Personal Data Protection Bills 2018 & 2019: Focus Group Discussion with LLM and MA Public Policy students (29th December 2019)

Personal Data Protection Bills 2018 & 2019: Presentation of Initial Findings before Experts of Information Technology and Data Sciences (17th January 2020)

Legal Bases of Information Privacy: A talk on the Personal Data Protection Bills (University Seminar, 29th January 2020)

CVV-CPPR Consultative Meeting on Legal Bases of Information Privacy & Personal Data Protection Bill 2019 (27th February 2020): public discussion on the findings & suggestions

Does the Proposed Personal Data Protection Bill 2019 compromise individual rights as well as state interests?

Introduction

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019 and was put forth for discussion. Prior to this Bill, The Personal Data Protection Bill, 2018 (hereafter 2018 Bill) was under the consideration of the parliament. The 2018 Bill was prepared by a committee of experts headed by Justice B. N. Srikrishna, who recently criticised the new Bill for granting excessive powers to Government authorities. The 2018 Bill proposed by this committee had two primary objectives: (1) to protect personal data as an essential facet of information privacy; and (2) to create a collective culture that fosters a free and fair digital economy respecting the information privacy of individuals while ensuring empowerment, progress and innovation in the economy.

It is important to note that while ensuring the growth of the digital economy is an important facet of the economic development of any modern nation-state, the Bill on Personal data protection need not necessarily retain 'growth of digital economy' as one of its primary objectives guiding the design of the law. The objective to promote the digital economy compromises the very purpose of the Bills introduced for the protection of personal data. The influence of the said agenda has overtly altered the standards and procedures prescribed under several provisions in both the Bills. The present work aims to bring such significant inconsistencies to the forefront of public discussion. Both the Bills are compared in the light of the report of the Justice B. N. Srikrishna Committee, and are examined in the context of facts pertaining to the world of information technology and the digital economy.

Part I of this report examines and explains the conceptual framework and design on which the Bills are drafted. Upon analysing the conceptual framework of the Bills, it becomes necessary to look into the theoretical bases on which the Bills were drafted. Hence, Part II aims to analyse the appropriateness of the theoretical background constituting the Bills and their conceptual framework. Part III aims to provide a clause-by-clause interpretation of significant sections of the Bill, and discusses the current status of the Bill. It also analyses the pros and cons of such a Bill being passed into an act, significantly affecting the lives of the individuals.

PART I

Conceptual Frameworks of the 2018 and 2019 Bills

After the Puttaswamy judgement in 2017, which was seen to be an authoritative judgement that conclusively held the Right to Privacy as a fundamental right, it became a positive duty imposed upon the government to protect the privacy of the individuals. The Government of India, upon recognizing the importance of data protection, and to ensure growth of the digital economy, constituted a committee of experts under Justice B. N. Srikrishna to identify key data protection issues in India and recommend methods for addressing them. The office memorandum constituting the committee specifies the Terms of Reference (ToR) to be two-fold: a) To study various issues relating to data protection in India, b) To make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection Bill.

However, in the report, the Committee claims to address the objective of "unlocking the data economy, while keeping data of citizens secure and protected". The committee's self-professed restatement of its ToR takes its cue from the contextual paragraph of the office order (for reference, see Annexure A of the Committee report).

The committee's report titled "A Free and Fair Digital Economy - Protecting Privacy, Empowering Indians" now stands much removed from the primary goal of data protection. It relegates this key goal to an auxiliary status, while it presumes the promotion of digital economy as its indispensable objective. It is this context which necessitates an analytical study of the conceptual framework, the legal techniques and the standards used by the proposed 2018 Bill. It is further important to learn how this conceptual framework has permeated into the new Bill introduced in December 2019 and also to discern the differences between both the Bills. Justice B. N. Srikrishna has recently commented that the new Bill has diluted the safeguards which the 2018 Bill had envisaged for the protection of the rights of individuals. Starting from the Puttaswamy Judgement to the new 2019 Bill, a significant reduction in the protection accorded to individuals can be observed in successive stages of legislative policy discussions, and drafting.

The impact of such reduction becomes more visible if one analyses the conceptual framework the new Bills build upon. This report recognises three important distinctive principles as the arms of the conceptual framework:

1. Qualification of personal data into 'sensitive personal data' and 'critical personal data', and the design of separate legal regimes dealing with each.
2. An all-encompassing conception of data processing.
3. Separation of the purposes of the State and others for data processing.

I.01 Personal Data: Sensitive, Critical and the Rest

According to the 2018 Bill, personal data means data about or relating to a natural person, who is directly or indirectly identifiable by such data. This data can be any characteristic, trait, attribute or any other feature which makes a natural person identifiable. Also, a combination of such features, or any combination of such features with any other information, which may lead to identification of the individual, is classified as personal data. Personal data has been further qualified into sensitive and critical personal data affording separate legal regimes for the protection of the same. The bill supposedly envisages varying grades of protection to all the three categories of personal data [(1) personal data (basic/general - assumed to be non-sensitive), (2) sensitive personal data, (3) critical personal data].

While personal data not classified as sensitive personal data may be processed on the basis of consent that is free, informed, specific with regard to the scope of consent, clear, and capable of being withdrawn, sensitive personal data should be processed only with explicit consent. Passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation are some of the personal data identified as sensitive personal data by the 2018 Bill. Personal data is qualified as sensitive on the basis of the significant harm it may cause to the individual, legitimate expectation of confidentiality, and the risks associated with it. The promoters of the Bill find the normal provisions dealing with the protection of non-sensitive personal data inadequate to address and remedy the significant harm caused to individuals by the processing of such data. However, the extent of inadequacy is not really discussed nor explained.

It must be reckoned that though the Bills profess these two categories of personal data, there is hardly any variance in the protection accorded to these two categories, except for one difference in the standard of the consent to be obtained from individuals who are parting with their privacy rights, i.e., Sensitive Personal Data should only be processed on the basis of 'explicit consent'. Nevertheless, the provisions of the Bills are not very clear about the distinction between 'consent' and 'explicit consent'. The consequences and implications of this ambiguity shall be dealt with in detail in Part III.

Apart from these two types of data, the Bills empower the central government to notify categories of personal data as critical personal data, that shall only be processed in a server or data centre located in India. This is to prevent cross-border transfer of such data.

Also, it needs to be noted that the chapter dealing with processing of sensitive personal data (Ch IV) in the 2018 Bill is silent with regard to whether such data can be processed without consent, although the report backing the Bill maintains such a position explicitly. It is also silent about whether non-state entities can process such data or not. The Chapter contains three separate sections dealing with the processing of sensitive personal data for the purposes of functions of the state, for judicial and legal proceedings, and for undertaking prompt action. It is not clear from the Bill whether these sections mutually exclude or cross-fertilise each other.

On the other hand, the new 2019 Bill makes it clear that processing for state functions can be non-consensual. It does not improve clarity on the question of whether private entities can process such data. No additional safeguards or restrictions on the processing of such data have been prescribed anywhere in the Bill, and the entirety of it has been left to the Authority being established. Annexure 1 to this report contains a table featuring the grounds for personal data processing and their impact on the categories of personal data and sensitive personal data. The chart in the annexure shall also provide a quick comparison between the 2018 Bill and the 2019 Bill.

I.02 Reductionist Conception of 'Data Processing'

The term 'processing' as defined under the 2018 Bill takes a reductionist approach and defines processing as inclusive of all processes related to the handling of data. According to both the Bills and the report, "processing", in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. This all-encompassing definition of 'data processing' fails to explain the distinct processes that form parts of the idea of 'data processing' and to comprehend the distinct legal implications they may hold.

Upon analysing the data life-cycle stages, processing activities like collection and recording of personal data stand as the base for further activities to be performed. Though the collection of data is an extensive activity in the present unregulated digital space and such collection on presumed or implied consent has become the order of the day, it is the most crucial stage of the data life-cycle. It is where process-able personal data is born and the interference with the right to privacy of the individual begins. Unfortunately, the Bills consider these activities as supposedly posing the least threat to privacy and have failed to provide for distinct legal recognition to these matters. It could be argued that this is the global model; nevertheless, Indian legislative designers have a chance to revisit the design if it is fundamentally flawed.

Laying down function-specific safeguards with regard to data collection would have been the best way to prevent misuse of personal data, from the first stage. Further activities like structuring and storage of personal data, which have a higher level of threat to the autonomy of the individual providing such data, require appropriate safeguards with respect to each. This is also absent in the Bills. Although the two categories discussed above, i.e. collection-recording and storage-structuring, are entirely different and pose varying levels of threat to personal data privacy, the Bills have incorporated all of them under the single term 'processing', and specified that consent for such 'processing' can be obtained as a whole.

It is surprising that functions like alteration, dissemination and deletion, which pose the highest level of threat to individual privacy, are also part of the reduced terminology of 'processing'. The absence of legal provisions providing activity-specific granular consent shall create unmanageable ambiguity in establishing the clarity of such consent. The same has been overlooked by the Bills. It shall be very difficult to address, litigate or remedy any breach of the consent rule, as technologies become more pervasive.

I.03 Separate Legal Regimes dealing with purposes of State and other purposes

Both the Bills seem to have classified data processing broadly into two: i.e., for the purposes of the State and for non-state purposes. The entire idea of non-consensual data processing seems to flow from the distinction between State (public) and non-State purposes. The Bills have established categories in state purposes such as ordinary functions of the state, surveillance and law enforcement functions, delivery of public services, emergency and disaster management, public health emergencies, security and integrity of the State, foreign relations, etc., and provide for non-consensual data processing in these cases. As an extension of the list, public-spirited purposes such as research activities, journalism, whistle-blowing, prevention and detection of any unlawful activity, including fraud, are also listed. For all the above-mentioned purposes, data can be processed without obtaining consent from the concerned individual. Furthermore, for a majority of the above purposes, the Bills grant a general exemption from data protection obligations addressing the rights of the data principal, as well as exemption from compliance with transparency and accountability measures, for data fiduciaries and processors.

Though this design seems to be well-thought-out and well-planned, the Bills are silent about non-State purposes for which data processing may be used and how it should be performed. For example, the phrase 'commercial purposes' gets minimal reference in the Bill. The distinct activities involved in personal data processing in a developing digital economy, and the commercial aspects associated with it, get no mention in either of the Bills. The commercial aspects involved or hidden in the above public-spirited functions also get no space in the conceptual framework of the Bills. The extent to which data can be collected, stored, analysed, altered and disseminated in the course of the commercial activity is regulated only by the general provisions of the Bills. The issues related to each of these stages of data processing for a commercial purpose have not been addressed in the Srikrishna Committee report either.

Furthermore, the Bills do not speak about the contracting-out of data processing work for State purposes to private parties. Although the Bills have envisaged a distinction between a data fiduciary and a data processor, the responsibilities of the data processors are nevertheless very limited when compared to that of the data fiduciary. None of the provisions of the Bills prescribing penalties shall apply to the data processors, other than a contributory compensation in the case of a personal data breach. Even in the case of compensation, the liability of the data processor is limited to acts done contrary to, or outside the scope of, the instructions of the data fiduciary.

Considering the scale of functions to be performed, the State is recognised as a significant data fiduciary under sections 38 and 26 of the 2018 and 2019 Bills respectively. At the same time, extensive outsourcing of data processing to private entities is also expected. But the Bills are silent about the activities undertaken by private data processors and the responsibilities associated with such activities. Given that no limitation has been placed upon the state in contracting-out its functions, the state may even contract-out its core functions such as policing, surveillance, law enforcement and other security-related functions. This is a serious violation of the legitimate expectations of the individuals about good and responsible governance.

In conclusion: the combined effect of the legal provisions and chapters reduces the difference between legal regimes dealing with data processing for State functions and non-State functions and also, as previously discussed, the gap between sensitive personal data processing and personal data processing. The Bills, though inspired from the notions of a digital economy, also fail to develop a separate legal regime dealing with personal data processing for commercial purposes. These uncertainties associated with the Bills, related to personal data processing and its various categories, shall definitely adversely affect the capacity of the individual in protecting their data. The standards used in the latest Bill also seem to be much lower than that of the 2018 Bill. This shall be discussed in detail in Part III.

PART II

Theoretical Background Constituting the 2018 and 2019 Bills

The conceptual framework which has been used by the Bill and the ambiguity intrinsic to the legal provisions developed from the framework necessitate an investigation of the theoretical origins of the Bill. As we have discussed earlier, the fundamental intention for which the committee was constituted was based on securing the individual's interest by protecting their right to privacy. However, the secondary objective of 'unlocking the data economy' radically relegates the primary goal of personal data protection to an ancillary provision. The drafting committee has overlooked this crucial transformation and has decided to proceed further with their twin objectives of protecting personal data and promoting the data economy.

It is interesting to point out that the theoretical bases, which have driven this work, have been chosen very selectively and subjectively. The committee has based the personal data protection Bill on the idea that rights are not deontological categories and that they should yield for common constitutional objectives. Scholars like Joseph Raz and Ronald Dworkin have been explicitly quoted and marked in the report. The committee seems to believe in the idea that the growth of the digital economy would provide the individuals a 'real choice' and not the illusory notion of it. The committee seems to have accepted the realities of the present unregulated digital space and economy as normal and sometimes even normative. The fairness and reasonableness of the present-day activities of the digital economy have not been tested by the committee.

The committee seems to believe that a compromise of individual autonomy is essential in making the digital economy a real choice, and it also believes that the purpose of creation of a digital economy has the backing of constitutional objectives. It quotes Richard Pildes in saying that rights must be subjected to a decision of state action in a given context that is necessary to serve the common good. Such a theoretical stand has cost the Indian data protection law at least on two counts. It compromises not only individual rights but also sovereign interests in an urge to promote the private and mercantile interests of the digital economy.

Firstly, the proposed Bills reduce the inherent fundamental right to privacy of the individual to a trade-able commodity. Personal data is treated as a commercial good, whereas it simply is not. Personal data is part of one's own self and individuality, and no one can be compelled to transfer or give away information regarding their self to another individual or to other entities. The sole exception is the requirements of sovereign function, where the State is the recipient and holder of such information shared by individuals for better governance. Thereto the modern civilized law embodied in the Constitution keeps reasonable restrictions and limitations. The needs of the State to have surveillance capabilities cannot be counterpoised for developing a conception of the digital economy whereby everyone has to trade or part away with personal data. Unfortunately, that is what the committee report and the Bills do. What is even more disappointing is that after commercialising personal data, the committee fails to reconcile the distributional effects of the legislation they propose.

A free and fair digital economy is one where entities responsibly share data, and everyone uses such data, which has immense potential for empowerment, in a manner that promotes overall welfare. In fact, the conception of personal data as a commodity enabling the possibility of a digital economy, in turn furthering the economic development of society and the nation itself, is flawed. Tradable goods and commodities are objects which can be privately owned and enjoyed by the holders to the exclusion of others, and the holder cannot be forced to part away with such goods. However, the Bills seem to argue that personal data is a developing area of trade and commerce and the autonomy of the individual to decide what to do with his personal data is important merely because it constitutes the common good of a free and fair digital economy. Therefore, the Bills lay down no meaningful limitations on the collection, transfer and processing of the data. They only address the misuse of personal data or personal data breach. Only very limited preventive mechanisms are prescribed by the Bills.

Secondly, the Bills do not protect State interests either. The wide discretionary powers given to the State, to exempt certain categories of data processing from the provisions of the proposed law, are not sufficient to safeguard against possible breaches of data held by or on behalf of government. It absolves employees or private parties from all responsibilities and lets them remain self-regulated or answerable for contractual liabilities only. The Bills have failed to recognize the State's role in the digital space in its entirety. This is perhaps due to a preoccupation with the perception of the digital world as market and economy, rather than a public space. The State's role, functions and interference are much more voluminous and extensive in a public space than in a market. It is pretty discernible that the committee and Bills have failed to identify the constitutional objective behind the terms of reference. The committee has diluted the public interest by looking at the matter solely from the perspective of economic interests.

The Bills and the committee report, if analysed threadbare, present a remarkable case-study on how the demoting of individual rights loosens sovereign interests as well. The moment individual rights are conceived as less important, private and sectorial interests capture the legal and judicial space. A major portion of the texts of the 2018 and 2019 Bills has been spent on specifying the responsibility of digital fiduciaries (mainly the state), i.e., obligations to respect the rights of the data principal, transparency and accountability measures, penalties, and compensations. Data processors (predominantly likely to be private business enterprises) who really handle the data have received very little attention. The texts seem to have no objection in alienating core state functions, requiring data processing, to private parties. It does not even make an attempt to establish liabilities upon these processors, whereas the legal consequences of the actions of the individual offering personal data are all fixed in the Bill.

This means if we take the spectrum of entities providing data, processing data, and receiving

data, the entities processing data (mostly profit-making service providers) and their actions are

less regulated, while entities providing personal data (natural persons) and entities receiving data

(especially significant data fiduciaries such as the State) and their actions have fixed

responsibilities and consequences. Even there, the natural persons are struck with loose

provisions, whereby the State can waive off all its responsibilities towards the data principal.

The rights and remedies under the Act have reduced the individual’s inherent right to privacy and the right of self-determination into an endowment which the individual receives as a holder of personal data. This means the State can take away, abridge or alter an entire set of rights and obligations at its will. Going by the provisions of the Bills, an individual is not offered a ‘real choice’ as to the retention or giving away of his personal data to data processing entities. An individual is implicitly mandated and forced, in most cases, to provide the data required by the entities. He may or may not get some remedies or compensation in case a data breach occurs, when he applies for them. But he is literally incapacitated from taking any measures to prevent the data breach. The legislative Bills seem to have only a curative aspect to them. The preventive mechanisms are neither elaborate nor effective.

PART III

Interpretation of Important Provisions of the 2019 Bill

The provisions of the Bills providing for personal data protection contain certain conceptual ambiguities which need to be discussed. It is necessary to pay significant attention to such ambiguities and get them clarified. This is possible only with a clause-by-clause interpretation of the Bills. This part brings forth significant sections of the 2019 Bill and discusses them in detail so that the lack of clarity can be measured and remedied. This shall initiate further analysis and appreciation.

III.01 Personal Data, Data Principal, Data Fiduciary and Data Processor

According to section 3(28) of the 2019 Bill, “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling. The Bill further identifies an individual providing such personal data for the purpose of processing as the “data principal”. According to section 3(14), “data principal” means the natural person to whom the personal data relates. As per section 3(13), “data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

Apart from these two entities there exists another entity called the ‘data processor’, and section 3(15) defines a “data processor” as any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary.

It is to be understood that a data processor performs the activities of processing on behalf of the data fiduciary. It is the data fiduciary who remains responsible for misuse of personal data. The data fiduciaries hence face the consequences of non-compliance with the provisions of the Bill.

Comments

A data principal can be any natural person to whom such personal data relates. Processing of personal data would ultimately affect (either positively or negatively) the individual providing such data. Hence, the data principal is seen to be the focal actor of the digital economy. The committee report clearly identifies that an individual provides data to an entity based entirely on a fundamental expectation of trust. Hence such entities have been referred to as “data fiduciaries” under both the Bills. These terminologies differ from those used in other jurisdictions. For instance, the EU GDPR uses the term “data subject” to refer to an individual whose data is being collected and “data controller” to refer to the entity that determines the purpose and means of processing the data.

The Bills recognise the relationship between the data principal and the data fiduciary and state it as necessary to ensure a free and fair digital economy. ‘Free’ here means protecting the autonomy of individuals, and ‘fairness’ aims to reduce the inequalities of bargaining power. But looking at the provisions of the Bills, they clearly fail to address the question of ‘how’ to protect the autonomy of individuals (the right to privacy, in this case). The committee report and the draft Bills are clear as to what needs to be protected and about the system of classifying it effectively for differential treatment, but at the same time fail to specify the means of protecting such personal data by applying different protection measures. Therefore, it remains unclear how the Bill protects the autonomy of an individual.

III.02 Sensitive Personal Data

Not all personal data, when processed by data fiduciaries, results in similar consequences for the data principal. Therefore, personal data is further classified based on the intensity of importance of such data, and on the extent of harm the data principal might have to suffer while facing the consequences of processing of such data. According to section 3(36) of the 2019 Bill, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political belief or affiliation are some of the personal data identified as sensitive personal data. Further, according to section 15 of the 2019 Bill, the Central Government may notify other personal data as sensitive personal data on the basis of the significant harm it may cause to the individual, the legitimate expectation of confidentiality, and the risks associated with it.

Comments

However, it needs to be understood that the intensity of importance of any personal data is highly subjective, and it does not follow that only sensitive personal data can cause significant harm or risk to the data principal. Sensitivity of personal data should be determined either on the basis of an individual’s consideration or based on requirement. For example, X may be very sensitive about his genetic data and feel that it needs to be highly protected. At the same time, Y may feel that data regarding his genetic identity is of little importance to him and may be freely willing to share such data in the public domain. The above example explains the determination of sensitivity by the data principal. As the example shows, not every data principal perceives sensitive personal data the same way as prescribed under the Bills.

Another illustrative example could be that of a human rights defender wanting to keep his family’s address and location hidden from a popular vigilante. If his address is not considered sensitive, an address shared by him for receiving e-commerce services may be disseminated and made available in the public domain. The risks arising thereafter have to be faced by him, and hence it is a requirement of his profession that his personal data be treated as sensitive. Therefore, the choice of determining sensitivity and the choice of consenting to the processing of such data need to lie in the hands of the data principal, rather than with the Authority, the State or any other entity. After all, being the focal actor of all processing activities, it is the data principal who would face the consequences of a breach of such sensitive data.

It is to be noted that “passwords” were also recognised as sensitive personal data under the 2018 Bill. The 2019 Bill has not incorporated them as sensitive personal data, referring to the laws of other jurisdictions.

III.03 “Processing”

According to section 3(32) of the 2019 Bill, “processing” in relation to personal data means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

Comments

The definitions of the term ‘processing’, as proposed by both the Bills, are highly reductive. Activities under ‘processing’ may include collection, recording, organising, structuring, storage, alteration, dissemination, erasure or deletion. It needs to be understood that incorporating entirely distinct functions under a single term makes the meaning it conveys in different contexts ambiguous. Activities like collection, storage, analysis and dissemination are different activities involved in the idea of processing, generating significantly different consequences. The 2019 Bill is silent when it comes to defining these distinct functions that are part of the term ‘processing’. These activities, or the stages of data processing involving them, need to be properly defined under the Bill and clearly mentioned wherever necessary. They are:

Collection: Being the very first stage of the data life-cycle, it is the most critical element to be considered while addressing data privacy. Though mere collection of personal data does not cause any significant consequence to the data principal, it stands as the base for further activities to be performed. As discussed earlier, collection is where processable personal data is born and the interference with the right to privacy of the individual begins. Although section 6 of the 2019 Bill states that personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data, the extent of necessity here is to be determined by the data fiduciary. This means that the data fiduciary can determine any personal data as necessary for providing a service and request the data principal to provide the same. It is the right of an individual not to provide data if he/she feels insecure about providing such personal data. Hence it is important to prescribe statutory measures regulating this very initial stage of collection in order to ensure effective protection of personal data. The Puttaswamy judgement recognises collection regulations as the primary rule of the data protection regime.

Storage: Storage of personal data is yet another distinct activity to which significant attention needs to be paid in the current age of rapid technological development. After the classification of data into different types, it becomes essential that the distinct protection measures to prevent data breach be clearly laid out. The Bill also lacks conceptual clarity when it comes to cross-border transfer and storage. Technologies like blockchain and cloud storage do not store data on a single server but on multiple servers across the globe. Such complications have not been discussed in the Bill. This further adds to the ambiguity with regard to incorporating new and developing technologies used in the processing of data.

Analysis: This activity of processing is the core purpose for the collection, organisation and storage of data. It is for this purpose of ‘analysis’ that the above-mentioned activities are carried out. Further, this activity is carried out to meet the purposes of processing of personal data and to arrive at results, implications, inferences and conclusions which satisfy the needs of the data fiduciary. Hence, it is critical to prescribe data protection measures at this stage, whereas the Bill speaks of no such distinct measures with regard to this activity either.

Dissemination: This activity of processing poses the highest level of threat to an individual’s privacy, as it involves sharing of personal data widely. It is also one of the critical elements of processing which can directly cause significant harm to the data principal. The Bill has incorporated all of the above-mentioned activities under the single term ‘processing’, and consent for such ‘processing’ can be obtained as a whole. This ignores the possibility that an individual might have consented to collection and storage but not to dissemination. The individual is denied the choice of providing granular consent, where he/she can consent to each of the above-mentioned distinct activities that form a part of processing.

Other similar activities such as ‘alteration’ and ‘modification’, which have different consequences when performed, also need to be defined separately. The drafters of the Bill have failed to specify the protection measures that need to be undertaken at each of the stages of processing. These measures and other regulations need to be clearly laid out in the Bill, rather than being specified later by the Authority, as this would be the core purpose of this Bill being put forth for discussion and implementation. Although the Bill clearly lists out what needs to be protected and is clear as to why data needs to be protected, a Bill titled ‘Personal Data Protection Bill’ cannot be so vague in laying out the specific protection measures to be undertaken for the different types of data, especially those identified by the same Bill.

III.04 Obligations of a Data Fiduciary

While processing personal data provided by data principals, data fiduciaries have certain obligations which the law expects them to fulfil. Section 4 of the 2019 Bill allows personal data to be processed only for a lawful purpose that is specific and clear, stating that “No personal data shall be processed by any person, except for any specific, clear and lawful purpose”. Additionally, section 5(a) of the Bill provides for personal data to be processed in a fair and reasonable manner that ensures the privacy of the data principal. As per section 5(b), the purpose of processing is limited to the purpose consented to by the data principal, or one which is incidental to or connected with such purpose and which the data principal would reasonably expect such personal data to be used for, having regard to the purpose, and the context and circumstances in which the personal data was collected.

Section 6 of the 2019 Bill states that personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data. In compliance with section 7, every data fiduciary shall provide the data principal with a notice, at the time of collection of the personal data or, if the data is not collected from the data principal, as soon as reasonably practicable, containing information about the purpose of collection of their personal data, the nature and categories of such data being collected, the identity and contact details of the data fiduciary and data processor (if any), the process and consequences of withdrawal of consent, and other necessary information as mentioned under the section.

Comments

It needs to be observed that under section 6, it is fair to collect only such personal data as is necessary for processing. But the necessity of such data is left entirely to the data fiduciary, i.e., to determine what is necessary and what is not. This way there is a high risk of the data fiduciary classifying irrelevant (unnecessary) personal data as necessary for processing and requesting access to it from the data principals. Also, no other provision of the Bill provides for review of the actual necessity of personal data for processing, as determined by the data fiduciary.

It should be noted that section 7 of the Bill includes the phrase “at the time of collection of the personal data”, which provides scope for the data fiduciary to not comply with the information provided as per the notice. This is again because further provisions of the Bill do not speak about ‘whom to’, ‘when to’ and ‘how to’ inform about any change in the information which was provided earlier in the notice. Furthermore, using the clause “as soon as reasonably practicable”, the proposed law provides for instances of a no-prior-consent mode of data collection, storage, analysis and dissemination.

III.05 Consent and Explicit Consent

Consent is seen to be necessary for the processing of personal data. Though written consent is not explicitly mandated, according to section 11(2) of the 2019 Bill, consent obtained from the data principal needs to be:

a) Free – must meet the standards specified under section 14 of the Indian Contract Act, 1872. This means that consent should not be caused by coercion, undue influence, fraud, misrepresentation or mistake.

b) Informed – The data principal needs to be provided, through a notice, with the information required as per section 7 of the 2019 Bill. This section, as discussed earlier, requires information such as the purposes of processing, categories of data collected, contact details of the data fiduciary and data processors, procedure for grievance redressal, etc. to be communicated to the data principal.

c) Specific – The Bill stipulates that it must be considered whether the data principal can determine the scope of consent in respect of the purposes of processing or not.

d) Clear – The Bill requires the consent to be indicated through an affirmative action that is meaningful in a given context. As mentioned earlier, there must be clarity of consent: it must be clear and explicit on the document evidencing such consent, and should not be read in by interpreting subsequent practice or conduct.

e) Capable of being withdrawn – Consent once given must be capable of being withdrawn by the data principal, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given. This means that withdrawal of consent should not be a strenuous process when compared to the procedure by which consent was given.

In addition to the above conditions, as per section 11(3), explicit consent is necessary for processing sensitive personal data. Explicit consent here means consent which is obtained after the individual who gives such consent is made aware of the significant consequences of processing such data. The Bill clarifies that the consent must be clear without having recourse to inference from context. The clarity of such consent therefore should not be based on any secondary interpretation. Such consent also needs to be specific about whether the data principal is given the choice of separately consenting to the purposes or operations performed under ‘processing’. It is to be noted that written consent is not a must.

Comments

A fiduciary relationship is a situation where one has a duty to protect the interest of the other without using one’s influence to one’s own advantage. However, while section 11(2)(a) requires consent to be free, it is important to note that many data fiduciaries request online consent, which must be compulsorily provided by the data principal in order to avail of the service offered by the data fiduciary. The denial of such consent would mean denial of service. This means there is always an element of undue influence present in the agreements providing for access to personal data. There is always a dominant position enjoyed by the data fiduciary. Though denial of service is outlawed in the Bill, the service providers are given complete autonomy to decide the extent of personal data required to perform the functions undertaken by them, and the data principals are made completely responsible for not providing consent to access such personal data as determined by the service providers. This leaves the provision prohibiting denial of services defunct.

We have seen that consent for processing includes a general permission to the data fiduciaries and processors to do whatever they deem fit in handling such data. It must be further noted that the laws provide for self-regulation by the data fiduciaries when it comes to limitation of data collection, notice of data collection and retention of personal data. The Bills do not stipulate anything which could effectively regulate the exercise of the self-regulatory capabilities granted to the fiduciaries. The explanation given for clarity of consent is also quite ambiguous when compared to the definition given for the clarity of explicit consent.

Explicit consent simply means that the individual who gives such consent must be made aware of the significant consequences of processing such data. The Bills do not mandate written consent, although they set a high standard for ‘clarity’. The Bills state that the consent must be clear without having recourse to inference from context. The clarity of such consent therefore should not be based on any secondary interpretation. It must be clear and explicit on the document evidencing such consent and should not be read in by interpreting subsequent practice or conduct. However, these explanations make the provision prescribing standards of consent in section 11, clause (a), and the requirements of notice under section 7 ineffective. It leads to a negative interpretation of these provisions. A notice under section 7 can therefore be argued as not requiring an explanation to the data principal of the significant consequences of processing personal data. This means the standard of ‘informed’ consent differs between personal data and sensitive personal data processing, while the difference between personal data and sensitive personal data is of no consequence in deciding the standard of informed consent. It allows the data fiduciaries to keep silent about the harmful or negative consequences of the processing even when they have perfect knowledge of such consequences.

Similarly, consent obtained in the case of processing of personal data can be argued not to involve the standard of clarity required for sensitive data. There is simply no intelligible difference between these two categories of data having a rational connection with the differential prescription of standards of clarity. The standard fixed for sensitive personal data, i.e. explicit consent, is further defined as consent which is evincible without secondary interpretation of the agreements and that has been given following a comprehensive understanding of the consequences of such consent and the legal remedies. However, the drafters fall short in not mandating ‘granular consent taking’, citing the issue of consent fatigue.

Though granular consent is prescribed under section 13(3)(c), the language used in the texts does not concern itself with whether the individual actually exercises it or not. Once again, when it is the data fiduciary deciding the necessity of data, legal provisions safeguarding against denial of service cannot function effectively. Even allied or ancillary functions can be clubbed with the main function or service feature provided by the data fiduciary, compelling data principals to consent to all of the options given. Though the report of the Justice B. N. Srikrishna Committee considers this issue of consent fatigue, i.e. users of digital instruments feeling annoyed or demotivated upon reading numerous clauses before they give consent, it does not prescribe any innovative solutions for circumventing it.

Looking closely at the differences in the legal regimes of personal data, sensitive personal data and critical personal data, consent needs to be explicit according to the above-mentioned conditions when it comes to processing of sensitive personal data, whereas when it comes to the processing of personal data, it need not be. Nevertheless, the Bills are ambiguous about what they mean by explicit consent.
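The granular, explicit and withdrawable consent that the discussion of ‘processing’ in III.03 and the comments on section 11 above argue for can be expressed as an enforcement check inside a data fiduciary’s own systems. The following is an added illustration and not text or code from the report or the Bill: the operation names follow section 3(32) and the commentary, the sensitive categories follow section 3(36), and the ledger, its method names and the sample records are assumptions constructed for the example.

```python
"""Consent gate: every processing operation is checked against a per-operation,
per-purpose consent record before it runs (added illustration, not from the Bill)."""
from dataclasses import dataclass
from enum import Enum


class Operation(str, Enum):
    """Distinct stages of 'processing' that the commentary asks to be kept separate."""
    COLLECTION = "collection"
    STORAGE = "storage"
    ANALYSIS = "analysis"
    DISSEMINATION = "dissemination"


# Categories the 2019 Bill, section 3(36), names as sensitive personal data.
SENSITIVE_CATEGORIES = frozenset({
    "financial data", "health data", "official identifier", "sex life",
    "sexual orientation", "biometric data", "genetic data", "transgender status",
    "intersex status", "caste or tribe", "religious or political belief or affiliation",
})


@dataclass
class ConsentRecord:
    principal_id: str
    category: str                 # kind of personal data, e.g. "address"
    purpose: str                  # the specific, clear purpose (section 4)
    operations: frozenset         # granular: only these operations were consented to
    explicit: bool = False        # consequences explained and affirmed (section 11(3))
    withdrawn: bool = False       # section 11(2)(e): withdrawal must remain possible


class ConsentLedger:
    """Hypothetical ledger held by a data fiduciary, keyed by principal, category, purpose."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str, str], ConsentRecord] = {}

    @staticmethod
    def _key(principal_id: str, category: str, purpose: str) -> tuple[str, str, str]:
        return (principal_id, category, purpose)

    def grant(self, record: ConsentRecord) -> None:
        # A new grant replaces any earlier record for the same principal/category/purpose.
        self._records[self._key(record.principal_id, record.category, record.purpose)] = record

    def withdraw(self, principal_id: str, category: str, purpose: str) -> bool:
        # Withdrawal is a single call, i.e. no harder than granting (section 11(2)(e)).
        record = self._records.get(self._key(principal_id, category, purpose))
        if record is None:
            return False
        record.withdrawn = True
        return True

    def authorize(self, principal_id: str, category: str, purpose: str,
                  operation: Operation) -> tuple[bool, str]:
        """Decide whether one operation may run; the reason string is meant for audit logs."""
        record = self._records.get(self._key(principal_id, category, purpose))
        if record is None:
            return False, "no consent recorded for this purpose"
        if record.withdrawn:
            return False, "consent withdrawn"
        if operation not in record.operations:
            # Blanket 'processing' consent is not accepted: each operation needs its own consent.
            return False, f"no consent for {operation.value}"
        if category in SENSITIVE_CATEGORIES and not record.explicit:
            return False, "sensitive personal data requires explicit consent"
        return True, "permitted"


def demo() -> list[tuple[bool, str]]:
    """Walk through the cases the commentary raises, using constructed sample records."""
    ledger = ConsentLedger()
    # The human rights defender's address: consented for delivery, never for dissemination.
    ledger.grant(ConsentRecord("principal-1", "address", "e-commerce delivery",
                               frozenset({Operation.COLLECTION, Operation.STORAGE})))
    # Genetic data consented to without the consequences being explained: not explicit.
    ledger.grant(ConsentRecord("principal-2", "genetic data", "ancestry report",
                               frozenset({Operation.COLLECTION, Operation.ANALYSIS})))
    results = [
        ledger.authorize("principal-1", "address", "e-commerce delivery", Operation.STORAGE),
        ledger.authorize("principal-1", "address", "e-commerce delivery", Operation.DISSEMINATION),
        ledger.authorize("principal-2", "genetic data", "ancestry report", Operation.ANALYSIS),
    ]
    # Re-consent explicitly, then withdraw: the gate must flip both ways.
    ledger.grant(ConsentRecord("principal-2", "genetic data", "ancestry report",
                               frozenset({Operation.COLLECTION, Operation.ANALYSIS}), explicit=True))
    results.append(ledger.authorize("principal-2", "genetic data", "ancestry report", Operation.ANALYSIS))
    ledger.withdraw("principal-2", "genetic data", "ancestry report")
    results.append(ledger.authorize("principal-2", "genetic data", "ancestry report", Operation.ANALYSIS))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```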

III.06 Grounds for Non-consensual Processing and Exemptions

The committee report recommends that personal data and sensitive personal data shall be processed without consent in certain specific cases. These cases include: functions of the State, compliance with law, order of a court or tribunal, purposes of employment, situations where the individual is incapable of providing consent, and other reasonable purposes. It is to be noted that the data fiduciary obligations, data principal rights, and transparency and accountability measures are still applicable in these cases. Nevertheless, certain other functions are additionally exempt from these obligations and measures as well. This gives significant leeway for certain data fiduciaries and processors to circumvent all the regulations put in place by this legislation. The following are the grounds providing for such processing, along with a discussion of their implications.

a) State functions and the security of the State:

According to section 12 of the 2019 Bill, the State may process data without consent if it is necessary for any function of Parliament or a State legislature, to facilitate the provision of any service or benefit to the data principal from the State, or for certification and licensing purposes. The Bill does not treat personal and sensitive personal data distinctly in this regard, and allows both to be processed without consent to perform State functions. While the Bill provides this broader category of general State functions as grounds for non-consensual processing, it establishes security of the State as a separate category and empowers the State to exempt the data processors and fiduciaries processing personal data. According to section 35 of the 2019 Bill, for protecting the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, the Central Government may by order exempt any agency of the State. The order issued shall also prescribe the procedure, safeguards and oversight mechanism to be followed by the agency. Interestingly, the Bill does not seem cognisant enough of the broader category of State functions, which may include widely disparate operations such as policing, surveillance, economic redistribution and development activities, etc. To provide a blanket exemption from the rule of consent to all these categories is excessive in nature.

It is important to note that the earlier Bill of 2018 did not empower the State to waive its obligations with respect to three specific sections. These included directions to respect the individual’s right to privacy, to promote free and fair processing, and to follow the safeguards to be prescribed by the Data Protection Authority, all of which remained applicable. But the provisions of the 2019 Bill have given additional powers to the Central Government to exempt all the agencies of the Government from all the obligations under the Bill. This can reasonably be presumed to be the case even when a private party is contracted for outsourcing of State functions involving data processing.

Furthermore, the scope of section 35 is such that the data principal loses all the rights enshrined under this law. This means he is no longer eligible to realise his rights to confirmation, access, correction, erasure, data portability and even the right to be forgotten in the case of an exemption declared by the State. This means a data principal can even be denied access to and confirmation of the personal data provided by him, the correction of incorrect data, or even the completion of incomplete data. The data principal loses even the right to be forgotten, which makes this provision absolutely unreasonable.

It is to be kept in mind, while imagining the impact of this provision, that already according to the proposed provisions of the Bill data processors have no penalties or consequences legislatively fixed, except for the contributory compensation to be paid to the data principal in cases of personal data breach. This means a large number of institutions which are collecting, storing, analysing and disseminating personal data are left to be regulated only by the contractual relations they may undertake with the data fiduciaries. Most of these contracts are drafted by highly paid lawyers and come with stringent clauses limiting the liabilities of these processors. The nature of contracts also differs from case to case; for example, it may be a professional services agreement or a service execution arrangement. The liability clauses differ in both. This leaves the rights of individuals in jeopardy, because the proposed Bill does not fix even minimum standards of processing responsibilities for data processors.

Justice B. N. Srikrishna himself commented that this provision “will weaken the Bill and turn India into an Orwellian State”. This poses a high threat to the privacy of an individual. When private data processors are exempted from any (or all) of the sections of the Bill, personal data becomes highly vulnerable to misuse and security measures in such cases may not be applicable, and in the end it would be the data principal facing all the consequences without having adequate remedies.

b) Judicial and legal proceedings:

According to section 12, non-consensual data processing is permitted with regard to judicial and legal processes explicitly mandated by law. The Bill states that data can be processed without consent if it is ‘necessary’ for compliance with law or any order of any court or tribunal. This is done to avoid inconsistency with obligations under other laws, regulations and judicial orders. Though personal and sensitive personal data can be processed without consent in this regard, the other provisions are still applicable.

Apart from this, according to section 36, personal data processed for legal proceedings with regard to the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law has been exempted from certain specific chapters of the Bill. Chapters II to VII of the 2019 Bill have been exempted for processing on the above-mentioned grounds. These exempted chapters, as mentioned earlier, are the ones establishing data fiduciary obligations, grounds for non-consensual processing, data principal rights, transparency and accountability measures, and restrictions on cross-border transfers. Among these chapters, the only applicable sections are section 4, which speaks about processing for a specific, clear and lawful purpose, and section 24, which speaks about the security safeguards to be adopted.

At this point, it is important to look at those provisions which are exceptions to the provisions providing for the above-mentioned exemptions. Section 24(1) of the 2019 Bill states that “having regard to the nature, scope and purpose of processing personal data undertaken, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, the data fiduciary and the data processor shall implement appropriate security safeguards including—

(A) use of methods such as de-identification and encryption;

(B) steps necessary to protect the integrity of personal data; and

(C) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.”

It is to be noted that this section, which is applicable to all cases (except in the case of exempted state purposes), fails to lay out minimum guidelines as to what the ‘appropriate measures’ are or how they need to be devised. The Bill neither prescribes such guidelines nor obligates the Data Protection Authority to establish them. The steps which need to be taken by data fiduciaries to protect the integrity of personal data or to prevent its misuse have not been mentioned anywhere, and it has been left entirely to the data fiduciaries to determine and apply them.

Further, the Bill doesn’t prescribe any model for periodic review of these safeguards, which are self-designed and implemented by data fiduciaries and processors. It does not even fix the periods after which reviews need to be undertaken. Section 24(2) provides that after a periodic review, data fiduciaries and processors may follow appropriate measures accordingly. Nevertheless, the appropriateness is again determined by the fiduciaries and the processors. It is also doubtful and unclear what may be recognised as appropriate measures.

c) Prompt action requirements

According to section 12(d), (e) and (f) of the 2019 Bill, personal data can be processed without consent during public health, medical and disaster emergencies. This is because an individual may be incapable of providing consent in such critical situations. It is to be noted that both personal and sensitive personal data can be non-consensually processed only when it is ‘necessary’, with no differential treatment. The necessity of accessing sensitive personal data for prompt action needs to be reviewed and then incorporated into this section. Nevertheless, the proposed law which allows for this rule uses the language of exemption, not that of process regulation. These unregulated exemptions with easy thresholds provide for expansive use of personal data, sometimes for unintended purposes as well. The personnel of data fiduciaries and processors handling such data during these emergencies need to take special care and precautions to avoid compromising the right to privacy of the individuals concerned.


d) Employment purposes

According to section 13 of the 2019 Bill, personal data for employment purposes may be processed without consent when processing under consent would involve disproportionate effort (for the employer) or the employment relation makes such consent inappropriate. Employment purposes may include recruitment, termination, assessment of performance, verifying attendance, and providing any service or benefit to the employee. According to the Bill, only personal data can be processed without consent for employment purposes, where necessary. Sensitive personal data cannot be non-consensually processed for employment purposes. A clear distinction has been made for the first time for differential treatment of personal data and sensitive personal data. Nevertheless, the Bill fails to mention that the employee should not be forced to part with his personal data for receiving mandatory social security or employee benefits.

e) Reasonable purposes

Personal data can be processed without consent on the grounds of reasonable purposes. These purposes may be specified by the Authority being established, along with safeguards. The Authority may specify such reasonable purposes after considering

(A) the interest of the data fiduciary in processing for that purpose;

(B) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal;

(C) any public interest in processing for that purpose;

(D) the effect of the processing activity on the rights of the data principal; and

(E) the reasonable expectations of the data principal with regard to the context of the processing.

The Bill provides for both personal and sensitive personal data to be processed without consent in the case of reasonable purposes. These reasonable purposes may include prevention and detection of unlawful activity, including fraud, whistle blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data and operation of search engines. It is to be noted that non-consensual processing for the operation of search engines has been provided for only in the 2019 Bill and not in the previous version. This has now increased the threat to personal data in the digital arena. The Authority needs to ensure that the specified appropriate safeguards have been complied with, so that misuse of personal data under the guise of reasonable purposes can be prevented.

The Bill here essentially fails to recognise that credit scoring and the operation of search engines involve a great deal of commercial interest. The benefits which credit scoring agencies and search engine providers receive by generating large data pools and resources are not taken into account by the Bill. The credit scoring undertaken by an agent at the request of the credit provider is different from the credit scoring undertaken without a specific request. Similarly, data processing for the purposes of search engines to optimise search results also differs between optimisation that is requested and optimisation that is not requested. Often, the purposes of search engines are to provide targeted delivery of goods and services to the consumer. When these are not essentially requested by the consumer, or when the consumer has not been given an opportunity to opt out, it is a blatant violation of consumer law principles.

There is nothing provided in the Bills to address such issues. A significant mass of the statutory text is used to provide exemptions from the law, whereas there is little when it comes to regulatory standards to be applied in the relationship between the various stakeholders in the data economy.

f) Public-spirited activities like journalism and research purposes:

According to section 36(e), processing of personal data found necessary for or relevant to a journalistic purpose is exempted from chapters II to VII. Applicable restrictions include lawful purposes and security safeguards, provided under sections 4 and 24 respectively. However, it is necessary for such a journalistic purpose to be in compliance with any code of ethics issued by the Press Council of India, or by any media self-regulatory organisation. This exemption is granted to protect the fundamental right of freedom of speech and expression.

According to section 38, where processing of personal data is necessary for research, archiving, or statistical purposes, the Authority may, by notification, exempt such class of research, archiving, or statistical purposes from the application of any of the provisions of this Act as may be specified by regulations. However, processing of personal data for research, archiving and statistical purposes is exempted from any provision only when:

(A) the compliance with the provisions of this Act shall disproportionately divert resources from such purpose;

(B) the purposes of processing cannot be achieved if the personal data is anonymised;

(C) the data fiduciary has carried out de-identification in accordance with the code of practice specified under section 50 and the purpose of processing can be achieved if the personal data is in de-identified form;

(D) the personal data shall not be used to take any decision specific to or action directed to the data principal; and

(E) the personal data shall not be processed in the manner that gives rise to a risk of significant harm to the data principal.

Sections regarding fair and reasonable purposes, security safeguards and data protection impact assessment, which were earlier part of the 2018 Bill, are not applicable under the 2019 Bill. The Authority being established has to specify the categories of research, archiving or statistical purposes which are exempted from the provisions.

In this case, proper clarity needs to be established with regard to the type of research which is being undertaken. For instance, the protection of personal data need not be compromised for research undertaken for business purposes. Such research may not benefit the data principal directly or even significantly. Therefore, the Authority must look into the benefit of such research to the data principal before exempting such a class of research from any of the provisions. It must also be noted that section 38 is in conflict with the earlier provisions exempting search engine operations from the consent requirement. The collection and analysis of data by search engines could have been regulated under this section or using similar principles, which would effectively set limitations or regulations dealing with automatic search engine operations and targeted delivery of advertisements or search suggestions.

g) Purely personal and domestic purposes:

Personal data processed by a natural person in the course of a purely personal or domestic purpose is exempted from chapters II to VII (the contents of which have been discussed earlier). Again, applicable restrictions include lawful purposes and security safeguards, provided under sections 4 and 24 respectively. This exemption is not applicable when processing of such personal data involves disclosure to the public, or is undertaken in connection with any professional or commercial activity. Hence the term ‘purely personal’ was coined by the committee. It is clear that a restriction cannot be imposed on the smallest level of intrusion of privacy using mobile cameras, audio recorders or CCTVs. The activities which are considered to be purely personal or domestic need to be clearly listed out by the Bill while exempting them from its provisions. However, it is doubtful whether these exemptions can apply when the domestic collection and processing of personal data involves a third party’s personal data.

h) Manual processing by small entities:

According to section 39(1), the provisions of sections 7, 8, 9, clause (c) of sub-section (1) of section 17 and sections 19 to 32 shall not apply where the processing of personal data by a small entity is not automated. Not all personal data is digitally processed by automated means. Personal data can be processed by small entities which need not comply with the above-mentioned sections. These sections essentially speak about the requirement of notice, quality of personal data processed, restriction on retention of personal data, specific data principal rights, and all transparency and accountability measures. It also needs to be noted that a "small entity" means such data fiduciary as may be classified, by regulations, by the Authority, having regard to— (a) the turnover of the data fiduciary in the preceding financial year; (b) the purpose of collection of personal data for disclosure to any other individuals or entities; and (c) the volume of personal data processed by such data fiduciary in any one day in the preceding twelve calendar months. Therefore, it is again the Authority which needs to specify such entities which can manually process data as per these exemptions. As per this provision, the purposes for which small entities process personal data can be determined by such an entity, and they need not provide a notice as required by section 7. Such processing also does not fall within the restrictions placed on retention, i.e., storage of such data. Hence this would give small entities a chance to compromise the privacy of an individual by non-consensually processing personal data without complying with the protection measures specified by the Bill.

It is contended that purely domestic, personal and manual processing needs no exemption from all the provisions of the Bill. On one hand, the provisions which may unreasonably burden such activities need not continue to apply in these cases, while adequate levels of precaution and remedies in the case of a personal data breach may still apply. The right to privacy of individuals need not be compromised for these purposes.

These provisions have a cultural outlook, whereby the proposed law is seeking to protect community and family interferences with the personal lives of the people. While such interferences with the right to privacy per se need not be treated with contempt, there should certainly be some reasonable limits set on such interferences as well.

PART IV

RECOMMENDATIONS

Conceptual Core

“Shadkarnath Bidhyethe Mantrah:”

“That which is heard by a third pair of ears is no more personal or private.”

(Chanakya)

The following recommendations are made to resolve certain issues identified above.

1. Separate legal regimes for the distinct stages of processing need to be developed and incorporated into the provisions of the Bill. For instance, the major stages involved in “processing” may be reasonably classified into Collection-related activities, Storage-related activities, Analysis-related activities and Dissemination-related activities. The legislation can issue directives in order to take different activity-specific protective measures at each stage.

2. The doctrine of essentiality: Personal data should be processed only on the grounds of 'essentiality' rather than the current standard of 'necessity'. Not only access and collection but also the scope of activities such as organisation, storage, analysis, and dissemination should be limited under the same rule. Individuals must have the right to contest the decision of essential requirements by the data fiduciary or processor.

3. Single Standard of Informed Consent for the processing of all types of data: The consent to be obtained should be

a. free, having regard to whether it complies with the standard specified under section 14 of the Indian Contract Act, 1872;

b. informed, having regard to whether the data principal has been provided with the information required under section 7 of the 2019 Bill and the purpose of, or operation in, harm to the data principal, and the estimated probability of the occurrence of such harm;

c. unambiguous and clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context and without recourse to inference from conduct in a context;

d. granular, providing the data principal the choice of separately consenting to the different stages of processing; and

e. withdrawable, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

The Data Protection Authority may specify field-specific additional requirements, after analysing the special needs of the said field.

4. Self-determination of sensitivity: An individual should be able to deny consent for the processing of personal data based on what he considers sensitive for his life and his privacy. Denial of consent by the person on the grounds of sensitivity should not lead to denial of service. The Data Protection Officer of the Data Fiduciary or Processor must attempt reconciliation strategies. Any dispute may be referred to the Adjudicator’s office. The fees charged at the Adjudicator’s office must be reasonable and affordable. Legal aid may be sought by aggrieved individuals.

5. Default machine settings or consent on usage restrictions: An active choice option needs to be present for obtaining consent from the data principals. No person shall be automatically dragged into a situation where consent is assumed or implied just by availing a service.

6. Statutory Liabilities for Data Processors: Statutory liabilities for Data Processors are the only way by which state interests, as well as human rights, can be safeguarded.

7. Single Legal Regime for Data Fiduciaries and Data Processors: All data recipients (whoever receives or works with personal data of data principals) should be statutorily liable and should not escape from the scope of the law by way of characterising their roles differently as fiduciary, processor, controller, agent, or others.

8. Expand Access to Justice: The legislation of the present model, without exception, must call for tribunals in every state and Adjudicators in every district.

9. Indicate Provisional Measures: Since a data breach or privacy violation is most likely to be continuous in nature, the legislation must provide for provisional measures to be taken by Data Protection Officers, Adjudicators, Tribunals, and the Data Protection Authority, pending any decisions on the issues they are handling.

10. Duty of the Data Principal: Along with the various rights of the data principal, it should be a duty of the data principal to follow digital discipline by becoming aware of the digital world and its players, and to create digital content judiciously.

ANNEXURE 1
