Data privacy in India

By Shahana Chatterji and Sohini Chatterjee, Shardul Amarchand Mangaldas & Co

India is working quickly to establish its foundation law on data protection

The present legal framework on data privacy in India is limited in nature. It consists of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) issued under Section 43A of the IT Act. Norms relevant to data protection and privacy are also dispersed across statutes pertaining to diverse sectors such as taxation and health, leading to the lack of a coherent regulatory framework.

data protection
Shahana Chatterji
Shardul Amarchand Mangaldas & Co Advocates & Solicitors
Tel: +91 11 41590700

In August 2017, the requirement for a law on the protection of personal data was first recognized by the Supreme Court of India in Justice KS Puttaswamy v Union of India. It explicitly recognized an individual’s fundamental right to privacy and paved the path for a foundational legislation on the protection of personal data. It was closely followed by the release of the report and draft law by the Committee of Experts, chaired by Justice B N Srikrishna.

On 27 July 2018, the committee submitted the draft Personal Data Protection Bill, 2018, along with its report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” to the central Government. The passage of the bill will lead to a shift in the legal framework and replace section 43A of the IT Act and the SPDI rules issued under it.

The need for a comprehensive data protection regime that entrenches informational and data privacy within our legal system was subsequently reiterated by the Supreme Court in the Aadhaar judgment on digital identity (Justice K S Puttaswamy v Union of India (2019)). Both the bill and the report thus represent a critical development.

At the time of writing this article, the parliament of India is in session and the Ministry of Electronics and Information Technology (MeitY) has indicated that the passage of the bill is a priority for the new government in its second term. It is likely that the bill will soon be introduced in the parliament to be made into law, and it is possible the final version will be at variance from the draft. The authors have based the present article on the draft bill released in July 2018.

Data privacy: Legal framework

data protection
Sohini Chatterjee
Research Fellow
Shardul Amarchand Mangaldas & Co Advocates & Solicitors
Tel: +91 11 41590700

The coming into force of the EU General Data Protection Regulation (GDPR) in May 2018 established a global norm in personal data protection. The draft bill reflects principles contained in the GDPR, while simultaneously attempting to tailor the law to Indian needs. Some of the principles that are visible in both frameworks are purpose limitation, data minimization, limited grounds of processing, data quality and security, and privacy by design.

However, the bill differs in certain fundamental ways, which is indicative of the unique Indian nuances the Expert Committee had to grapple with while drafting the law. The relationship between data principals and data fiduciaries is viewed through the lens of an expectation of trust. Data fiduciaries have a duty of care to handle data in a fair and responsible manner for purposes that are reasonably expected by the data principals. This is an interesting construct that has not been seen in any other privacy framework so far.

In order to construct a meaningful notice and consent mechanism, the bill has set out conditions for the validity of ordinary consent, namely that it should be free, informed, specific, clear and capable of being withdrawn. The burden of proving that the data principal has given valid consent lies with the data fiduciary. Further, sensitive personal data are subject to heightened consent requirements. Such sensitive personal data refer to personal data that reveal, relate to or constitute passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, or any other category specified by the Data Protection Authority.

Apart from consent, the bill recognizes other grounds of processing such as functions of the state, compliance with law or any order of any court or tribunal, prompt action, employment and reasonable purposes. While the bill is applicable to the state, it has given the state wide room for non-consensual processing of personal data. Personal data may be processed by the state for any function of parliament or any state legislature, or if such processing is necessary for the exercise of any function of the state authorized by law for the provision of a service or benefit, or the issuance of a certification, licence or permit.

Further, the bill does not provide for contractual necessity as a ground for processing. The report states that this is due to the scope of the ground to be easily misused, where data fiduciaries may unilaterally insert obligations into the contract. The ground of “reasonable purpose” appears to be an improvement to the comparatively broader ground of “legitimate purpose” in the GDPR.

The bill imposes restrictions on the cross-border transfer of personal data. This is achieved by a non-exclusive localization mandate where a data fiduciary is to ensure the storage of one serving copy of all personal data. Additionally, an exclusive localization mandate requires that critical personal data shall only be processed in a server or data centre located in India. What constitutes critical personal data shall be notified by the central government.

Localization requirements are an attempt to assert data sovereignty, and have also been seen in the Reserve Bank of India’s directive on storage of payment system data (2018) and the Department of Industrial Policy and Promotion’s draft national e-commerce policy (2019). It is worth considering whether the benefits of localization may be achieved through potentially less restrictive means.

Additionally, the bill highlights conditions for cross-border transfer of personal data that are not sensitive personal data, including the transfer being made subject to standard contractual clauses or intra-group schemes approved by the authority, the authority’s approval due to necessity, consent of the data principal, etc.

The bill seeks to establish a regulatory authority for monitoring and enforcing the provisions of the act. It is the duty of the authority to protect the interests of the data principals, prevent misuse of personal data, ensure compliance of data fiduciaries with the provisions of the law and promote awareness of data protection.

The functions of the authority include specifying additional categories of sensitive personal data, specifying the circumstances where a data protection impact assessment may be required, specifying the criteria for assigning a rating in the form of a data trust score by a data auditor, examination of data audit reports and issuing codes of practice.

Graded penalties commensurate to the conduct of the data fiduciary have been set out. For instance, if obligations concerning taking prompt and appropriate action in the event of a data security breach, undertaking a data protection impact assessment for significant data fiduciaries, or conducting a data audit by a significant data fiduciary are contravened, the data fiduciary or significant data fiduciary is liable to a penalty of up to ₹50 million (US$721,000) or 2% of its total worldwide turnover in the preceding financial year, whichever is higher.

Harsher penalties are imposed for unlawful processing of personal data or sensitive personal data, unlawful processing of children’s personal data, failure to adhere to security safeguards, and unlawful cross-border transfer of personal data.

The enactment of the bill will effectuate a shift in the data protection framework in India. It will also impose substantial compliance requirements on entities processing personal data of individuals. These include organizational obligations such as a data trust score, data protection impact assessment, annual data audits, appointment of a Data Protection Officer and a transparent mechanism for data processing to enable access by data principals.

The participatory process followed by MeitY and the Committee of Experts in the formulation of the bill and its companion report on a free and fair digital economy is uncommon in the making of law and policy in India.

While the bill is a milestone in the evolution of data privacy norms in India, certain provisions imposing data localization and restricting cross-border data flows stand out as onerous and may act as deterrents to the growth of data-intensive products and services in India. It is hoped that the final version of the law is able to secure a free and fair digital economy that empowers Indian citizens.

data protectionShardul Amarchand Mangaldas & Co
Advocates & Solicitors
Amarchand Towers
216 Okhla Industrial Estate, Phase III
New Delhi 110 020
Tel: +91 11 4159 0700, 4060 6060
Contact: Pallavi Shroff