Personal Data Protection Bill 2019
The Personal Data Protection Bill 2019, as adopted by the Joint Parliamentary Committee on 16th December 2021, has a few interesting takes and a lot of open questions that will have to be addressed in times to come. With privacy recognized as a fundamental right and data considered a new class of asset, the extensive commercial usage of this data has led to declining trust; hence the aim is to foster an environment, or create a relationship, of trust between persons and the entities processing their personal data. Perhaps this is why ‘Data Fiduciary’ is the term assigned to what GDPR calls the Data Controller.
Quite like GDPR, the law is also expected to apply to Data Fiduciaries or Data Processors not present within the territory of India, if such processing is—
(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(ii) in connection with any activity which involves profiling of data principals within the territory of India.
While this extraterritorial reach is the need of the hour, enforcement could face significant barriers in the absence of a provision requiring such a Data Fiduciary/Data Processor to nominate a representative based in India, notified to or registered with the Data Protection Authority, who could be held accountable for any violation or threatened violation of this law.
Consent-based processing has been widely debated. GDPR recognizes five other bases apart from consent for processing personal data, and it is important to mention that each of those bases provides material protection/justification and helps ensure that consent-based processing is not stretched so far, or interpreted so widely, that it loses its significance. Needless to mention, given the scope of processing that the information society demands, it could be a challenge to single out every possible step in order to be precise, clear, unambiguous and comprehensive. Further, 7(1)(d) identifies that the Data Principal must be informed about the possibility of and process for withdrawing consent; however, practically this right can be exercised only after an order by an adjudicating officer appointed by the DPA. Direct marketing, or the interest of the Data Fiduciary in apprising its customers about offers/products/new launches and initiatives, could be difficult to balance between providing the right amount of information and the right to receive information as may be needed.
Trust Score: The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Bill. The qualifications and nominations of such auditors shall be made available by the Data Protection Authority. The Trust Score shall be based on sections 7, 22, 23, 24 and 25 of the Bill.
This Trust Score is likely to be a good indicator of the robustness of the policies, or the commitment, of the Significant Data Fiduciary/Data Processor in protecting and processing personal data as allowed under the law. While this again sounds similar to the certification mechanism under GDPR, it may be a lot more subjective unless the DPA devises comprehensive guidelines to ensure consistency of interpretation.
Consent Manager: Essentially, a Consent Manager is a Data Fiduciary, to be registered with the DPA, that is supposed to enable a data principal to give, withdraw and review consent through an accessible, transparent and interoperable platform. The Consent Manager is likely to handle a lot of personal data, which further raises the risk of contravention of the provisions for management of such data. Conceptually this can be exercised by the data principals themselves, thereby reducing the risk of an additional layer of processing.
Sandbox: Innovation is the key to subsistence. It is essential that the ecosystem supports innovation, which could include dealing with highly sensitive subjects. A Data Fiduciary whose privacy by design policy is certified by the DPA under sub-section (3) of section 22 shall be eligible to apply, in such manner as may be specified by regulations, for inclusion in the Sandbox created under sub-section (1).
The DPA is authorized to include such a Data Fiduciary in a sandbox for a maximum period of 36 months, while specifying safeguards, including terms and conditions, in view of the obligations: the requirement of consent of data principals participating under any licensed activity, compensation to such data principals, and penalties in relation to such safeguards.
Personal data, including Sensitive Personal Data, can be transferred to other jurisdictions subject to a copy being retained in India and to fulfilment of other conditions. Transfer of Critical Personal Data is prohibited except where such transfer is in accordance with 34(2) of the Bill.
Code of Practice: The DPA may, after consulting the sectoral regulators, approve any code of practice submitted by an industry or trade association, an association representing the interest of data principals, any sectoral regulator or statutory authority, or any department or ministry of the Central or State Government.
In this context it is fair to say that a comprehensive overarching legislation would be a better fit; nevertheless, sectoral regulations, wherever applicable, will have to be aligned to rule out possible conflicts. A detailed opinion/guidance note, by whatever name it is termed, could be further formulated, especially keeping in view the quantum of data processed in India, including offshored data, as the country continues to be the preferred destination for data processing and analytics. Such guidance could cover areas such as:
a. Organizational and technical measures that could demonstrate commitment to managing personal data as may be necessary.
b. Acceptable pseudonymisation and anonymisation methods.
c. List of approved destinations to which personal data can be transferred for further activities.
d. Standard contractual clauses/model clauses, both for intra-group and inter-entity transfers.
e. Forms and formats of the consent-based approach.
f. Automated decision making: usage of AI considering the risk categories of High, Medium and Low.
Senior Partner at The Young Jurist (TYJ) | Corporate Transactions, Cyber Crime Expert, ESG, Compliances, Dispute Resolution | Awarded by MIT & BVP University & Legavent | Standing Counsel & Advisor to PSU/UOI/GOI
3 years: Informative & valid viewpoints Abha Tiwari