of India's knowledge economy has begun, but strategic thinkers need to recognize that the disruptive effects of technology reflect the dynamics of leadership, bargaining leverage and diplomatic salience, and that these shape the positions of the negotiating parties. A defeatist approach that denies cyber and geopolitical realities is the mark of a weak state, and may be one reason the Data Protection Bill is still pending. Second, the Union Government and the organizations it supports or funds are partnering with foreign entities on digital cooperation, through sponsored events or funded research projects. Building a pool of strategic corporate investors under Invest India matters, and has presumably been done before. In technology and international law, India might adopt a West-centric approach; on digital cooperation, however, aligning with the European Union would be a smarter and more effective route to becoming a regulatory superpower than aligning with the United States. The corporate community also matters, because its strategic choices will shape how the Indian start-up ecosystem emerges. Indian start-ups are undoubtedly gaining ground and relevance. The larger gap comes from issues like flipping: IANS reported that of 54 India-domiciled unicorns, 24 had flipped, because market depth is not sustainable, compliance requirements are stringent, and the taxation framework is considered unsustainable (IANS, 2021). The same holds for India's investment-law approach at the governmental level: the Model BIT has several flaws, and dispute resolution mechanisms in India, arbitration for example, have not yet become cost-effective.
The Personal Data Protection Bill: Scope for Transnational Regulatory Sovereignty in Data Law
Introduction
In the past few years, artificial intelligence (AI) has advanced at tremendous speed, and both commercial and public-sector organizations worldwide increasingly use AI technologies. Today and in the near future, the capabilities of AI offer broad and significant advantages for people, organizations, and society.
Regulatory Sovereignty in India: Indigenizing CompetitionTechnology Approaches, ISAIL-TR-001
Even so, these same technical advances pose significant problems, including the tension between artificial intelligence and data protection regulation. As a consequence, we have both an opportunity and a responsibility to assess the efficacy of existing data protection legislation against the technical realities of the twenty-first century. We need data protection rules and policies that effectively safeguard privacy in an age of AI and the massive datasets on which it often relies, yet do not obstruct the future expansion of these technologies. As numerous government and regulatory studies have emphasized, we cannot choose between the already-established advantages of AI and the protection of personal data: we must develop realistic methods to ensure both.
Fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice, data quality, storage limitation, and accountability are the data protection principles the Bill lays down. The Bill also creates a Data Protection Authority (DPA) composed of members appointed by the Union Government. After the landmark judgment in K.S. Puttaswamy v. Union of India, the government's Committee of Experts headed by Justice B.N. Srikrishna submitted its report and a draft law in July 2018, and the PDP Bill was introduced in the Lok Sabha in December 2019.
The Bill would apply to all entities (the State, businesses, and individuals) that process personal data, including those that offer goods and services in India and those that profile data principals in India. It defines personal data as "any information that enables an individual to be identified directly or indirectly." Under the Bill, processing must be consent-based, with consent obtained no later than the commencement of processing, and that consent must be free, informed, specific, clear, and capable of being withdrawn. The Bill gives data subjects (data principals) broadly the same rights as the GDPR: confirmation and access, correction, data portability, and the right to be forgotten. The right to be forgotten, however, does not mean erasure; it restricts or prevents the continuing disclosure of personal data by a fiduciary. Unlike the GDPR, which gives data subjects the right not to be subject to decisions based solely on automated processing, the Bill contains no such provision.
As this assessment proceeds, note that the comments on the Personal Data Protection Bill may become outdated if a revised Bill is introduced in the months following the publication of this report.
Objective of the bill
The Bill contains numerous transparency and accountability provisions. First, every data fiduciary must adopt a privacy by design policy covering the managerial, organizational, business and technical systems designed to anticipate, identify, and avoid harm. Business objectives should be achieved without compromising privacy rights, and processing must be transparent. A record of processing must be maintained, data protection impact assessments performed, and an annual audit of policies and practices conducted. An impact assessment is mandatory where a data fiduciary carries out large-scale profiling or uses sensitive personal data such as biometric data. At minimum, such an assessment must contain a detailed description of the proposed processing and its purpose, the data to be used, an assessment of the potential harm to data principals, and measures for mitigating or avoiding those harms. The Data Protection Authority reviews these assessments and may impose further conditions or direct the fiduciary to cease the processing. Organizations engaged in such high-risk processing are designated "significant data fiduciaries" and must appoint a data protection officer ("DPO"). Organizations with no physical presence in India that fall within the Bill's scope must designate an India-based DPO.
Data sovereignty
The Bill exempts the Indian government's processing of data in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign states, and public order. It defines the terms relating to data collection, processing, and storage. Data localization, dealt with in Section 33, requires sensitive personal data to continue to be stored in India even when it is transferred abroad for processing, and critical personal data to be processed only in India. This may raise costs for multinational corporations, which typically store data globally. A further concept is privacy compliance, addressed in Chapter 6 of the Bill.
Chapter 6 requires data fiduciaries to be transparent and accountable to data principals. Consent of the data principal before collection of their data is a central notion set out in Chapters 2 and 5. Overall, the Bill attempts to get a grip on the breakneck pace of the digital economy, which has outrun earlier laws such as the Information Technology Act 2000.
Data protection, as a legal term, refers to legislation that safeguards personal information and prevents businesses from abusing or exploiting it. We hand data to third parties and businesses when we fill out application forms or make online purchases, and further data is generated without our awareness. Data protection is critical to exercising the right to privacy under Article 21 of the Indian Constitution. The volume of data produced and processed, coupled with technologies such as surveillance and artificial intelligence, shows the need for strong regulation that secures data and reins in companies. The government must also enact appropriate legislation to restore public trust in the businesses to which data is disclosed.
Alongside protection from misuse by businesses, data must be safeguarded against theft, that is, cybercrime. Cybercrime is illegal activity directed against or involving a computer, database server, or network resource. It takes many forms, including online fraud, theft and sale of corporate data, cyber extortion, and cyberattacks.
Dilution of Specifications for Data Localization (Sec. 33 and 34 of the Bill)
The mandatory requirement under Section 40 of the Draft Personal Data Protection Bill, 2018 ("the Srikrishna Bill") to store a mirror copy of all personal data in India has been dropped in the PDP Bill, 2019. Localization now applies only to sensitive and critical personal data (stored in India, with conditions for transfer abroad). Critical personal data may be processed only in India [see Sec. 33(2)]. Sensitive personal data ("SPD") may be transferred outside India with explicit consent and a) if the transfer is made pursuant to a contract or intra-group scheme approved by the Data Protection Authority; or b) if the Union Government, in consultation with the Authority, has allowed the transfer to a country, entity, or international organization (subject to a finding of adequate protection for such personal data); or c) if the Authority allows the transfer for a specific purpose.
Transfers of critical personal data may be permitted to health or emergency service providers, or to a country, entity, or international organization where the Union Government has deemed the transfer permissible. While dropping the mandatory mirroring requirement is a welcome step, users (data principals) should control where their personal data is stored, and the State should not restrict data transfers, particularly where explicit consent has been given.
The Right to Be Forgotten (Sec. 18 of the Bill)
Unlike the right to be forgotten ("RTBF"), a right to erasure was absent from the Srikrishna Bill (see Sec. 27 of the Srikrishna Bill) (SFLC.in, "Key Changes in the Personal Data Protection Bill, 2019 from the Srikrishna Bill"). The PDP Bill, 2019 adds a right to erasure alongside the right to correction [see Sec. 18(1)(d)]. When personal data is no longer necessary for the purpose of processing, the data principal may require the data fiduciary to erase it. A data fiduciary may decline such a request, but the data principal may then require it to take reasonable steps to indicate, alongside the personal data concerned, that the principal disputes the refusal.
This is a beneficial addition, since it strengthens data principals' ability to seek deletion of data no longer required for processing, a right omitted from the Srikrishna Bill. A right to erasure should also have been included within the RTBF itself (Section 20 of the PDP Bill, 2019), since the RTBF currently provides only a right to non-disclosure, not erasure.
Union Government may direct data fiduciaries to disclose anonymised personal data/non-personal data (Sec. 91 of the Bill)
Sec. 105 of the Srikrishna Bill authorized the Union Government to frame policies for the digital economy in respect of 'non-personal data', including measures to promote its growth, security, integrity, and protection against misuse. It did not define non-personal data or specify how the government could use it. The PDP Bill, 2019 goes a step further in Sec. 91: a) it defines non-personal data as data other than personal data (see Sec. 3(28) for the definition of personal data); and b) it allows the Union Government to direct any data fiduciary or data processor to provide anonymised personal data or non-personal data [see Sec. 91(2) of the Bill]. The proviso to Sec. 2 provides that the Bill does not apply to anonymised data, except as specified in Sec. 91. The Ministry of Electronics and IT constituted an expert committee in September 2019 to recommend a regulatory framework for 'non-personal data'. Granting the government access to non-personal/anonymised data under the 2019 PDP Bill before that committee publishes its findings is premature. The Committee of Experts should invite public suggestions and allow civil society to contribute on the privacy concerns raised by non-personal/anonymised data.
The Union Government's power to demand anonymised and non-personal data from any data fiduciary may prove a costly burden on fiduciaries, and applying anonymisation standards correctly may be difficult, particularly for start-ups and SMEs. The clause contains no safeguards. What if a data fiduciary does not anonymise personal data properly? Or hands over non-personal data that, by combining different data points, can readily be converted back into personal data? The Bill offers data principals no protection in such circumstances.
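The second failure mode above, re-identification by combining data points, is concrete enough to demonstrate. The following is an added example, not code from the ISAIL report or from any Indian regulator, using constructed records: a "non-personal" health extract with names stripped but quasi-identifiers (PIN code, birth year, gender) left intact, and an auxiliary list an adversary might hold. It shows the k-anonymity check a fiduciary should run before handing such data over, the linkage join that re-identifies unique records, and suppression of small equivalence classes as one remedy. Column names and records are assumptions for illustration.

```python
"""
Linkage re-identification of "non-personal" data. Added example, not code
from the ISAIL report or any regulator; every record below is constructed.
"""
from collections import Counter

# Attributes that are not direct identifiers but, combined, single people out.
QUASI_IDENTIFIERS = ("pin_code", "birth_year", "gender")

# Constructed "anonymised" extract: names removed, quasi-identifiers kept.
RELEASED = [
    {"pin_code": "110001", "birth_year": 1984, "gender": "F", "diagnosis": "diabetes"},
    {"pin_code": "110001", "birth_year": 1984, "gender": "F", "diagnosis": "asthma"},
    {"pin_code": "400050", "birth_year": 1991, "gender": "M", "diagnosis": "hypertension"},
    {"pin_code": "560034", "birth_year": 1975, "gender": "M", "diagnosis": "hepatitis"},
]

# Constructed auxiliary dataset an adversary might hold (e.g. a membership
# list) carrying the same quasi-identifiers plus names.
AUXILIARY = [
    {"name": "A. Sharma", "pin_code": "110001", "birth_year": 1984, "gender": "F"},
    {"name": "B. Verma", "pin_code": "110001", "birth_year": 1984, "gender": "F"},
    {"name": "C. Rao", "pin_code": "400050", "birth_year": 1991, "gender": "M"},
    {"name": "D. Iyer", "pin_code": "560034", "birth_year": 1975, "gender": "M"},
]


def qi_key(record, columns=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values; records sharing a key are indistinguishable."""
    return tuple(record[c] for c in columns)


def k_anonymity(records, columns=QUASI_IDENTIFIERS):
    """Size of the smallest quasi-identifier equivalence class.
    k == 1 means at least one record is unique and therefore linkable."""
    if not records:
        return 0
    return min(Counter(qi_key(r, columns) for r in records).values())


def linkage_attack(released, auxiliary, columns=QUASI_IDENTIFIERS):
    """Join both datasets on the quasi-identifiers and return {name: diagnosis}
    wherever the match is one-to-one, i.e. unambiguous for the attacker."""
    by_key_aux = {}
    for a in auxiliary:
        by_key_aux.setdefault(qi_key(a, columns), []).append(a["name"])
    by_key_rel = {}
    for r in released:
        by_key_rel.setdefault(qi_key(r, columns), []).append(r["diagnosis"])
    identified = {}
    for key, names in by_key_aux.items():
        diagnoses = by_key_rel.get(key, [])
        if len(names) == 1 and len(diagnoses) == 1:
            identified[names[0]] = diagnoses[0]
    return identified


def suppress_small_classes(records, k, columns=QUASI_IDENTIFIERS):
    """Drop every record whose quasi-identifier class has fewer than k members,
    so the remaining release is k-anonymous over those columns."""
    counts = Counter(qi_key(r, columns) for r in records)
    return [r for r in records if counts[qi_key(r, columns)] >= k]


if __name__ == "__main__":
    print("k-anonymity of release:", k_anonymity(RELEASED))
    print("re-identified:", linkage_attack(RELEASED, AUXILIARY))
    safe = suppress_small_classes(RELEASED, 2)
    print("k-anonymity after suppression:", k_anonymity(safe))
    print("re-identified after suppression:", linkage_attack(safe, AUXILIARY))
```

On the constructed data the release has k = 1, and the join exposes the two unique records outright; suppressing classes smaller than 2 leaves a 2-anonymous extract on which the join yields nothing. k-anonymity is a floor, not a guarantee: if the two surviving records had shared the same diagnosis, the attacker would still learn it for both people (the homogeneity problem), which is why a fiduciary's anonymisation standard needs to look at the sensitive column too, not only at the quasi-identifiers.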
Data sharing transparency and the consent manager concept (Sec. 17, 21, and 23 of the Bill)
Sec. 17(3) of the PDP Bill, 2019 gives data principals the right to obtain the identities of the data fiduciaries with whom a given data fiduciary has shared their personal data. This lets data principals examine which companies a particular fiduciary exchanges their personal data with. The provision extends the right to confirmation and access (contained in Sec. 24 of the Srikrishna Bill) (SFLC.in, "Key Changes in the Personal Data Protection Bill, 2019 from the Srikrishna Bill").
This strengthens the legal foundation of the PDP Bill, 2019: data principals are entitled to know every organization that processes or shares their personal data, and their informational privacy is reinforced by the ability to withdraw consent.
The PDP Bill, 2019 also introduces "consent managers", a concept absent from the Srikrishna Bill (see Secs. 21(1) and 23). The term is not defined in the definitions clause but is described in Sec. 23 as a data fiduciary that enables a data principal to give, withdraw, review and manage consent through an accessible, transparent and interoperable platform. Consent managers must register with the DPA [see Sec. 23(5)].
The PDP Bill, 2019 appears to build on the "consent dashboards" suggested in the Srikrishna Committee report. Such dashboards may reduce consent fatigue, but they raise new privacy problems of their own: the metadata trail produced by a consent dashboard could be used to build a comprehensive profile of a user's engagements online, and that metadata may facilitate profiling even though consent managers must be registered with the DPA.
Application of the Act
Personal data processing. The Bill regulates the processing of personal data that has been collected, disclosed, shared, or otherwise processed within the territory of India by:
1. The State, any Indian company, any Indian citizen, or any person or body of persons incorporated or created under Indian law;
2. Data fiduciaries or data processors not present within the territory of India, if the processing is (a) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or (b) in connection with any activity involving profiling of data principals within the territory of India.
3. It does not apply to anonymised data. "Anonymisation" of personal data means an irreversible process of transforming or converting personal data into a form in which the data principal cannot be identified, meeting the standards of irreversibility specified by the Authority; "anonymised data" is data that has undergone such a process.
Obligations of a data fiduciary. A 'data fiduciary' (the 'controller' under the GDPR) is any person, including the State, a company, a juristic entity, or an individual, who alone or with others determines the purpose and means of processing personal data. The 'data principal' is the natural person to whom the personal data relates.
• Prohibition of processing of personal data: personal data may be processed only for a specific, clear, and lawful purpose.
• Limitation on purpose of processing: any person processing personal data of a data principal shall do so (a) fairly and reasonably, in a manner that respects the privacy of the data principal; and (b) for the purpose consented to by the data principal, or for a purpose incidental to or connected with it that the data principal would reasonably expect.
• Limitation on collection: personal data must be collected only to the extent necessary for the purposes of processing.
• Quality of personal data processed: the data fiduciary must take necessary steps to ensure that the personal data processed is complete, accurate, not misleading, and up to date, having regard to the purpose of processing.
• Retention of personal data: the data fiduciary must not retain personal data beyond the period necessary to satisfy the purpose of processing, and must delete it at the end of processing.
• Accountability of the data fiduciary: the data fiduciary is responsible for complying with the Act in respect of any processing undertaken by it or on its behalf.
• Consent necessary for processing: personal data must not be processed without the consent of the data principal given no later than at the commencement of processing. The data principal may withdraw consent at any time, and the burden of proving that consent was given lies on the data fiduciary.
Restrictions on transfer of personal data outside India:
• Personal data may be processed and stored on servers located outside India.
• Sensitive personal data must continue to be stored in India and may be transferred outside India for processing only with the explicit consent of the data principal and subject to one of the following: (a) the transfer is made pursuant to a contract or intra-group scheme approved by the Authority, which has made provision for the effective protection of the data principal's rights under the Act, including with respect to onward transfers to any other person; (b) the Union Government, in consultation with the Authority, has allowed the transfer to a country, to an entity or class of entities in a country, or to an international organisation, on the basis of its finding that (i) the personal data will be subject to an adequate level of protection, having regard to applicable laws and international agreements, and (ii) the transfer will not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction; or (c) the Authority has allowed the transfer for a specific purpose.
• Critical personal data must be processed and stored only in India. It may be transferred outside India only (a) to a person or entity engaged in providing health or emergency services, where the transfer is necessary for prompt action; or (b) to a country, to an entity or class of entities in a country, or to an international organisation, where the Union Government has deemed the transfer permissible and, in its opinion, it does not prejudicially affect the security and strategic interests of the State. Any transfer under clause (a) must be notified to the Authority within the period specified by regulations.
Offences. The Bill creates the following offences:
a. Any person who knowingly or intentionally (i) re-identifies personal data that has been de-identified by a data fiduciary or data processor, or (ii) re-identifies and processes such personal data, without the consent of that data fiduciary or data processor, is punishable with imprisonment for a term of up to three years.
b. Offences under the Act are cognizable and non-bailable.
c. Offences by companies: every person who, at the time the offence was committed, was in charge of and responsible to the company for the conduct of its business, as well as the company itself, is deemed guilty of the offence and liable to be proceeded against and punished accordingly.
d. Offences by the State: the head of the department, authority, or body concerned is deemed guilty of the offence and liable to be proceeded against and punished accordingly.
The RBI guidance on data localization
Banks in India have been required to store data locally for years, and have generally consulted the RBI, India's banking regulator, before any cross-border transfer. In April 2018 the RBI issued a directive requiring all payment system providers to ensure that the entire data relating to the payment systems they operate, including full end-to-end transaction details, is stored in a system only in India. Payment transactions may still be processed abroad if the provider so chooses, but the full end-to-end transaction data must then be deleted from systems outside India and brought back to India within one business day or 24 hours of processing, whichever is earlier, and stored only in India. For cross-border transactions, which have a foreign leg and a domestic leg, a copy of the domestic leg may also be stored abroad if required.
Doctrine of data sovereignty
The concept of sovereignty rests on the assumption of the state's internal and external autonomy. All members of the United Nations are guaranteed "sovereign equality" under the UN Charter. Furthermore, under the UN General Assembly's Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States, sovereign equality includes territorial integrity and political independence, as well as the right of a state freely to choose and develop its political, social, economic, and cultural systems. Historically, the notion of