First published by indiacorplaw.in.
[This series seeks to address the loopholes in the Draft Data Protection Bill formulated by the Committee under the Chairmanship of Justice (Retd) B.N. Srikrishna and to analyze the impact the proposed law would have on financial institutions. In furtherance of that objective, the first part traces the aims and objectives of the Bill and draws attention to certain notable features of the European law on the subject. The second part sets out the compliance efforts the law would demand of the financial sector. The series closes by stressing the need for this much-awaited law despite the various hurdles that may stand in the way of its implementation and compliance.]
Introduction & Background
This post aims to critically examine the Draft Personal Data Protection Bill, 2018 and attempts to propose solutions. If enacted, the law would have significant repercussions across various sectors domestically, similar to the widespread effects of Europe's General Data Protection Regulation ('GDPR'). Financial institutions such as banks and non-banking financial companies process huge amounts of personal data on a daily basis, and that data is handled by several internal departments. The post therefore also aims to analyze the impact this law would have on financial institutions and on the information they hold.
A historic judgment delivered by the Supreme Court of India on August 24, 2017 in Justice K.S. Puttaswamy v. Union of India recognized the right to privacy as an integral part of Article 21 and of Part III of the Indian Constitution. A committee of experts on a data protection framework for India, under the Chairmanship of Justice B.N. Srikrishna, released its white paper on November 27, 2017. The white paper explored notions such as the fiduciary relationship between individuals and the service-provider entities having access to their data, and the liability that such a relationship imposes on service providers for abuse of that position. The Committee sought to settle once and for all the scope of sensitive personal data. It took a crucial step forward by bringing in consent-based processing and by stipulating unambiguous grounds for exemption from compliance. The draft Bill introduces an array of concepts, such as autonomy, transparency and accountability, that are presently absent from Indian law. The draft Bill formulated by the Committee is projected to be tabled in Parliament in December 2018.
In Karmanya Singh Sareen and Anr. v. Union of India and Ors.[1], a privacy policy rolled out by the popular smartphone app WhatsApp in 2016 was challenged. WhatsApp was launched in 2010 and acquired by Facebook in 2014. It was contended that the challenged policy was invasive of user privacy, in that it permitted retention of past information for an undefined period even after users deleted the app. The Delhi High Court dismissed the petition on September 23, 2016, while ordering the deletion of data collected up to September 25, 2016 and directing the Telecom Regulatory Authority of India to consider bringing similar smartphone apps within its regulatory ambit. Aggrieved by this order, the petitioners filed a Special Leave Petition in the Supreme Court raising three questions: firstly, whether the privacy policy violates the right to privacy of WhatsApp's users; secondly, whether the omission of an option for the user not to share their data with Facebook is contrary to law; and thirdly, whether the manner in which WhatsApp obtains user consent is deceptive. By its order dated September 6, 2017, the Supreme Court required Facebook and WhatsApp to file affidavits explaining what data is being shared by them. The Court emphasized the need for a data protection law and took note of the efforts of the Srikrishna Committee.
Although an earlier attempt to formulate a data protection framework, by a committee headed by Justice A.P. Shah in 2012, was unsuccessful, the odds favour passage of the present draft Bill in light of decisions such as Puttaswamy and the WhatsApp privacy case.
A Critical Analysis
The Draft Bill is strikingly inspired by the European Union's GDPR. It recognizes four rights of citizens: firstly, the right to consent and access, encompassing the right to know the 'how and where' of the use of one's data and to prohibit such use without consent; secondly, the right to correction, covering the right to have mistakes in one's personal data corrected; thirdly, the right to data portability, covering the right to obtain all of the personal data generated while using a service provider's facility; and fourthly, the right to erasure of data. It is pertinent to note that the right to erasure under the draft Bill is limited to restricting disclosure, in that it does not extend to compelling an entity to delete its records. In Europe, this right extends to erasure in the complete sense.
Similar to the GDPR, the Draft Personal Data Protection Bill is clear about its extraterritorial applicability and brings within its scope processing that takes place outside Indian territory if it involves an Indian data subject. Among the key provisions are the penalties: up to 2% of annual global turnover or INR 5 crores, whichever is higher, for one tier of contraventions, and up to 4% of annual global turnover or INR 15 crores, whichever is higher, for the most serious infringements.
The requirement of consent can be overridden in the public interest, for the prevention and detection of unlawful activity, for whistleblowing and for furthering network and information security. Sensitive personal data can be processed only after obtaining explicit consent, or for certain functions of the State, such as compliance with the law or with an order of a court or tribunal, and in situations requiring prompt action. Under the GDPR, by contrast, processing can rest on grounds other than consent: among them, that the processing is necessary for the performance of a contract with the data subject or for taking steps at the data subject's request to enter into a contract, and the controller's legitimate interests. In the author's opinion, such grounds can be misused by unscrupulous service providers unless they are controlled or subjected to conditional limits. Their absence from the Indian draft Bill reflects a more cautious approach by the Committee. However, financial institutions will still need to process personal data for the opening of accounts, the approval of authorised representatives to an account, and the conduct of know-your-customer (KYC) checks, and the draft Bill's narrower grounds will have to accommodate this.
There are constraints on cross-border transfer of personal data. A copy of all personal data must be stored on a server or in a data centre in India, which places an unnecessary economic burden on corporates, especially international technology companies and multinationals. The GDPR addresses the enforcement problem more simply by requiring a local representative who can be held liable for transgressions of the law. This provision of the draft Indian Bill has received backlash from industry. Further, the Bill mandates that critical personal data cannot be processed outside India at all, which has also prompted debate among citizens, since it vests wide powers in the Government to determine what constitutes 'critical personal data' without laying down any guidelines on the limits of that power.
[to be continued]
[1] SLP No. 804/2017, Diary No. 42134/2016 (pending).