India has waited many years for its general data protection legislation. This key legislation will regulate the data of over 1.4 billion people, impact businesses ranging from corner stores to conglomerates, and create what may be the most powerful regulator in India. International data flows, including in the prolific India-Singapore economic corridor, will need to be compliant with it.
The Justice Srikrishna Committee report, prepared after extensive consultation, was a strong step in the right direction, in developing such legislation. The draft data protection bill proposed by the committee, somewhat worse for the wear, was finally introduced in the Lok Sabha in December 2019 as the Personal Data Protection Bill, 2019 (2019 Bill). This was referred to a joint parliamentary committee (JPC) for review. The JPC, during its two-year tenure, was extremely prominent and active, conducting over 78 sittings.
As its term coincided with several high-profile data breaches and major geopolitical developments in the data privacy space, the JPC had the unique opportunity to balance the interests of various stakeholders.
The eagerly awaited committee report was tabled before parliament on 16 December 2021. It proposed nearly 90 drafting and 90 substantive changes to the 2019 Bill and proposed the draft Data Protection Bill, 2021 (2021 Bill).
The committee has expanded the 2019 Bill to cover non-personal data, which it defines as all data other than personal data. The requirement to report any “accidental disclosure, acquisition or loss of access” to all such data is clearly very onerous. Moreover, regulating personal and non-personal data, which are fundamentally different in character, through the same legislation will likely prove difficult.
The 2021 Bill also proposes to restrict entities from sharing or transferring personal data as part of business transactions, except where permitted. This may prove problematic if it is read to require data principals to grant fresh consents to each entity receiving data even where broader consents exist.
The JPC has recommended that all data protection officers be key managerial personnel, which may shrink an already scarce pool of manpower, and that social media platforms be treated as publishers and be required to have local operations, which could make operating them all the more difficult.
The JPC has also recommended expanding the definition of harm to include “psychological manipulation which impairs the autonomy of the individual”. This may result in several types of targeted advertising falling within this category and may restrict it.
Data fiduciaries can no longer deny data portability, even if it reveals trade secrets, and must enable it where feasible. Data fiduciaries will also be required to demonstrate fairness of algorithms or methods of processing. This raises the spectre of algorithmic disclosure.
Of key relevance to international business are the changes in the 2021 Bill which propose stringent conditions for cross-border transfers of sensitive personal data. This will include all financial, health and biometric data, official identifiers, religious or political beliefs or affiliations. Transfers of sensitive data are not permissible if they violate public or state policy. This requirement may create a need for case-by-case approval from the Data Protection Authority (DPA) and may result in delays and significant business disruption. The restriction on sharing transferred data with foreign governments or agencies may result in hard localisation of all sensitive personal data.
Fortunately, the 2021 Bill continues to provide for a “green channel” enabling transfers where the central government, after consultation with the DPA, has allowed transfers to a particular country on the basis the data will be subject to adequate protection. But now it also includes the express condition that sensitive data cannot be shared with a foreign government or agency unless approved by the central government.
The JPC has recommended a phased implementation of the 2021 Bill, suggesting a maximum period of 24 months to implement all the provisions in the bill. Establishing a data equivalence and sharing arrangement between India and Singapore, enabling the free and fair flow of data on a predictable and reasonable basis will be an important objective if the 2021 Bill is enacted in its present form.
Arun S Prabhu is a partner and the head of TMT at Cyril Amarchand Mangaldas. Principal associate Anirban Mohapatra, senior consultant Molshree Shrivastava and associate Arpita Sengupta also contributed to this article
Cyril Amarchand Mangaldas
Peninsula Chambers, Peninsula Corporate Park
Mumbai 400 013, India
Tel: +91 22 2496 4455