Have you ever clicked on I Agree for accepting terms & conditions of a mobile application or on any website like Facebook, Amazon, Netflix?
I am sure, everyone has but did you know when you click I Agree you are agreeing for the interface to collect your personal information and other data, however, you cannot do anything about it but to provide such information to access the website or the application. So, to protect its citizens, the Government of India has introduced a Personal Data Protection Bill, 2019 (Bill) in the parliament to safeguard the right to privacy of the people.

Where it all started:
Sweden was the first nation to pass Data Act (Datalagen) in May 1973, which criminalized theft of data and gave freedom to data providers to access their information. In 1978, the German Federal Data Protection Act (Bundesdatenschutzgesetz) defined basic data protection requirements, such as the need for approval for the processing of personal data. By 1979, several EU (European Union) member states had introduced data protection regulation as fundamental rights into their legislation.

In 1995 EU enacted Data Protection Directives, which regulated the processing of personal data within the EU, the free movement of such data and aimed to protect the fundamental right to privacy of the citizens of EU member states. In 2016, EU enacted GDPR (General Data Protection Regulation) which was implemented in 2018, it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU and defined the terms such as Personal Data, Data processing, Data subject, Data controller, Data processor etc. which broaden the horizon of data protection throughout the world.

In 2017, the Supreme Court of India, in the landmark case, K.S. Puttaswamy vs. Union of India[1] passed a judgement affirming the right to privacy as the fundamental right under the constitution of India. Thereafter, to address the need for protection of the personal information, the Government of India constituted a Committee of Experts on Data Protection under the chairmanship of retired Justice B. N. Srikrishna to prepare an act which can protect the personal information of the citizens. In 2018, the committee submitted its report titled A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, which led to the introduction of Bill in the parliament in December 2019.

The current regulatory framework in India:
Presently in India, the relevant laws pertaining to privacy or personal data are the Information Technology Act, 2000 and the Indian Contract Act, 1872. Information Technology Act, 2000 only deals with the data which is present online or electronically, it does not cover the manually processed data or personal information.

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data and the IT Act applies only to companies, not to the government. Furthermore, the rules only deal with the sensitive personal data and the definition of such is narrow, and some of the provisions can be overridden by a contract. Perusal to this, the Government of India introduced the Bill to overcome the shortcomings in the present laws.

What's in the bill
Applicability:
The Bill governs personal data relating to individuals, and the processing, collection and storage of such data. The Bill defines a Data Principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as Data Fiduciary. The Bill provides the processing of data by the government, any Indian Company, any citizen of India or any person or body of persons incorporated in India and Foreign companies dealing with personal data of individuals in India[2]. However, the Bill does not apply to the processing of anonymised data, other than the anonymised data or other non-personal data which enable Central Government to frame any policy for the digital economy[3].

Definitions:
The Bill aims to broaden the definition of Personal Data to read as personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include inference drawn from such data for the purpose of profiling[4].

The term inference in the definition refers to any inference drawn from personal data for profiling; as such inference usually results in an indirect identification of an individual as some companies that use digital technology for targeted online advertising by monitoring the online activity pattern of a person to customize their advertisements will now be regulated under the Bill.

The Bill defines Sensitive Personal Data as personal data, which may, reveal, be related to, or constitute financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political beliefs or affiliation[5].

The definition does not include passwords, and the decision to not include passwords in the definition taken by the Government is in the view to make it easier for both Indian and foreign multinational companies to comply with the provisions of the Bill, as the rigid provisions related to the protection of Sensitive Personal Data will not be applicable on passwords.

Processing of the personal data:
The Bill proposes the processing of data by Fiduciaries only if the consent is granted by the Data Principal. Certain exceptions provided under the Bill are:

1. if required by the State for providing benefits to the individual
2. under any law for the time being in force
3. legal proceedings (iv) to respond to a medical emergency
4. employment-related
5. necessary for reasonable purposes such as prevention of fraud, mergers and acquisitions, recovery of debt, etc.[6]

Rights of the data principal:
The Bill grants Data Principal

1. The right to confirmation and access:
   1. to obtain confirmation from the Fiduciary on whether their Personal Data has been processed
   2. a summary of processing activities undertaken by the Data Fiduciary for processing the Personal Data
   3. Data Fiduciary will concisely provide the abovementioned information and that is clear to a reasonable person
   4. to have information about and access to, the Data Fiduciaries with whom Personal Data of the Principal has been shared/stored[7].
      
2. The right to correction and erasure:
   the Data Principal will have the right to seek correction of inaccurate data, complete the incomplete data, update the data or erase the data which are no longer needed by the Data Fiduciary[8].
   
3. The right to data portability:
   Data Principal shall have the right to receive the Personal Data provided to Data Fiduciary, the data which form part of any profile on the Data Principal, or which the Data Fiduciary has otherwise obtained or the data which have been generated in the course of the provision of services or use of goods by the Data Fiduciary[9].
   
4. Right to be forgotten:
   The Data Principal shall have the right to restrict the data provided to Data Fiduciary where such disclosure (i) has served the purpose for which it was collected or is no longer necessary for the purpose, or (ii) was made with the consent of the Data Principal and such consent has since been withdrawn[10].

Privacy by design policy
The Bill provides that Data Fiduciary is required to prepare privacy by design policy, containing[11]:

1. the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the Data Principal;
2. the obligations of Data Fiduciaries;
3. the technology used in the processing of Personal Data is in accordance with commercially accepted or certified standards;
4. the legitimate interests of businesses including any innovation are achieved without compromising privacy interest;
5. the protection of privacy throughout processing from the point of collection to deletion of Personal Data;
6. the processing of Personal Data in a transparent manner; and
7. the interest of the Data Principal is accounted for at every stage of processing of Personal Data.

The privacy by design policy shall be published on the website of Data Fiduciary.

Duties of data fiduciary:
The processing of Personal Data will be subject to:

1. a particular, clear and lawful purpose,
2. notice is required to be provided by Data Fiduciary to Data Principal for collecting or processing the Personal Data.
3. Personal Data shall only be kept for the reason for which it was collected and shall be removed/deleted at the end of the processing.
4. the collection of Personal Data shall be limited to such data as is required for the purpose of processing,
5. consent must be obtained from the Data Principal at the outset of processing the data.
6. the Data Fiduciary shall verify the age and obtain parental/guardian consent before processing the sensitive children's personal data.

The processing of Personal Data will be subjected to certain transparency and accountability measures such as:

1. taking the required measures by Data Fiduciary to ensure transparency in the processing the Personal Data by enforcing security protections;
2. notifying the authority of any infringement of Personal Data;
3. amend/go through the privacy by design policy annually;
4. data protection officer is to be designated for advising and controlling the activities of the Data Fiduciary;
5. to create a grievance resolution mechanism to deal with grievances from individuals/Data Principal.

Restriction on transfer of data outside India:
Sensitive Personal Data may be transferred outside India for processing only if the Data Principal gives express consent. However, such Sensitive Personal Data should still be kept in India[12].

Exemption for government agencies:
The Bill empowers the Central Government to exempt any governmental agency from complying with the provisions of the Bill wherein the same is deemed necessary or expedient in the interest of the sovereignty and integrity of India, the security of the country, friendly relations with foreign states, public order, or to prevent the incitement of commission of any offence relating to any of the above[13].

The processing of Personal Data is also excluded from the provisions of the Bill when:

1. Personal Data is processed in the interests of prevention, detection, investigation and prosecution of any offence;
2. disclosure of Personal Data is necessary for enforcing any legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding;
3. processing of Personal Data by any court or tribunal for the exercise of any judicial function;
4. Personal Data is processed by a natural person for any personal purpose; or
5. processing of Personal Data is necessary for a journalistic purpose[14].

Creation of sandbox[15]:
The Bill provides for the creation of Sandbox by the authority for encouraging innovation in artificial intelligence, machine learning or any other emerging technology in the public interest. The companies under the scope of Sandbox shall be allowed an exemption of certain provisions of the Bill.
Any Data Fiduciary whose privacy by design policy is certified by the authority shall be eligible to apply for inclusion in the Sandbox. The term for which a qualifying Data Fiduciary can be included in the Sandbox shall not exceed 12 (twelve) months and shall not be renewed more than twice, resulting in a total of 36 (thirty-six) months.

Penalties under the bill:
The Bill proposes the penalty on the failure of the Data Fiduciary to fulfil its obligations for data protection and shall be punishable with a penalty which may extend to INR 5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher[16]. And violation of processing data is punishable with a fine of INR 15 crores or 4% of the annual turnover of the Data Fiduciary, whichever is higher[17].

Conclusion:
The Bill is a great step towards improving the laws related to personal privacy of an individual by providing a more accountable and transparent system for processing Personal Data of the individual. It aims to provide certain rights to the individual to safeguard their interest.

India is a part of fast-growing technology, and in such an environment concept of Sandbox will play a very vital role in promoting technological advances in the country, but providing the government with unchecked and expansive powers to exempt government agencies from the provision of the Bill may, under some circumstances violate individual's fundamental right to privacy.

As the Bill is still under the consideration of Joint Parliamentary Committee and the committee is expected to submit a report on the Bill soon. It is expected that all the shortcomings of the Bill will be addressed before the same is adopted and introduced. The Bill is projected to have a far-reaching effect on Indian companies and multinational corporations doing business in India.

End-Notes:

1. K.S. Puttaswamy vs. Union of India (2017) 10 SCC 1
2. Personal Data Protection Bill, 2019 § 2 (India)
3. Personal Data Protection Bill, 2019 § 91 (India)
4. Personal Data Protection Bill, 2019 § 3(28) (India)
5. Personal Data Protection Bill, 2019 § 3(36) (India)
6. Personal Data Protection Bill, 2019 § 12 (India)
7. Personal Data Protection Bill, 2019 § 17 (India)
8. Personal Data Protection Bill, 2019 § 18 (India
9. Personal Data Protection Bill, 2019 § 19 (India)
10. Personal Data Protection Bill, 2019 § 20 (India)
11. Personal Data Protection Bill, 2019 § 22 (India)
12. Personal Data Protection Bill, 2019 § 33 (India)
13. Personal Data Protection Bill, 2019 § 35 (28) (India)
14. Personal Data Protection Bill, 2019 § 36 (India)
15. Personal Data Protection Bill, 2019 § 40 (India)
16. Personal Data Protection Bill, 2019 § 57 (1) (India)
17. Personal Data Protection Bill, 2019 § 57 (2) (India)

Written By: Shrishti Agarwal