As the Joint Parliamentary Committee considers the Personal Data Protection Bill, 2019, MediaNama will publish a series of articles from legal experts focussing on the key aspects of the Bill and how they will affect users and companies. This is the eleventh article in the series.
By Jyotsna Jayaram
Administrative staff (including security personnel) engaged by housing societies and apartment associations often transform into persons of authority when they are tasked with the responsibility of screening, and recording details of, guests or residents before they enter the premises. More often than not, in an almost police-like manner, they ask an entrant to provide several details about themselves such as their name, address, mobile number, vehicle number and, sometimes, even a proof of identity. While conventionally all of this information was jotted down in musty hardbound paper registers, several housing society/community management apps have recently begun to replace the stacks of registers and ball-pens that would be used by these personnel to document entrants. With the introduction of the proposed Personal Data Protection Bill, 2019 (the Bill), a seemingly routine activity could suddenly find itself subject to a number of compliances that these housing societies and apartment associations possibly had not anticipated.
Do housing societies collect personal data?
Housing societies typically collect the name, address, phone number, and vehicle number of visitors. At times, they also take a photograph at the time of entry. Therefore, the information collected by housing societies and associations has always been within the realm of ‘personal information’ even under India’s existing data protection framework under the Information Technology Act, 2000. Personal information has traditionally been defined to mean “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. The Bill widens this definition to include data that has regard to any characteristic, trait, attribute or any other feature of identity of a person, whether online or offline. In this context, it bears mentioning that the Bill applies to processing of personal data by humans and by automated means, though it does carve out some exemptions for manual processing. However, the requirements to obtain the consent of entrants or residents, or to implement robust security safeguards for the collection and processing of such information, are new asks and something that the processes adopted by housing societies possibly do not contemplate.
Are housing societies data fiduciaries?
Section 2(13) of the Bill defines data fiduciaries to mean “any person, including the State, a company, a juristic entity or any individual who alone or in conjunction with others determines the purposes and means of processing of personal data”. In a marked departure from the existing regime, the Bill also applies to individuals who process personal data of others. The Bill defines ‘person’ to include “an association of persons or a body of individuals, whether incorporated or not”.
Housing societies or apartment associations are typically registered societies and therefore have a separate juristic personality. Housing societies collect personal information of residents as well as of other entrants for several purposes, including security and safety of their residents. Therefore, they would be considered data fiduciaries under the Bill. Consequently, all the obligations that apply to data fiduciaries under the Bill, such as the requirement to provide notice, obtain consent, and implement necessary security safeguards, would apply to these societies.
The Bill also regulates a class of data fiduciaries known as significant data fiduciaries that may be classified as such by the Data Protection Authority based on factors such as the volume of data processed and the sensitivity of the data that is processed. In the absence of any guidance on this classification, a literal reading of these factors may suggest that housing societies, particularly those dealing with large residential complexes, may fall within this classification. However, in my opinion, a housing society that primarily processes data for internal management and safety purposes and not commercial purposes ought not to be classified as an SDF, particularly because it is not a data-driven business and the purposes of processing are usually limited.
While it is feasible for most corporate entities that deal with data as a part of their business to understand and comply with the requirements under the Bill, it remains to be seen how housing societies that consist mostly of residents themselves will employ the necessary technological measures to comply with all the requirements of the Bill. This is particularly relevant as the types of individuals whose data housing societies normally collect are very diverse and could include children, family of the residents, domestic help, delivery agents, etc.
Putting consent into effect
One of the foremost requirements under the Bill is to provide notice to the data principal which, among other things, must specify the purposes for which personal data is to be processed, the nature and categories of personal data being collected, and the basis for processing. This notice must be “clear, concise and easily comprehensible to a reasonable person and in multiple languages where necessary and practicable”. Given the diverse categories of data principals and the different purposes for which their data will be collected, it is likely that housing societies would need to have several customised notices which may be used based on the data principal. For instance, the notice provided to a resident would be entirely different from a notice provided to an Amazon delivery agent whose data is collected before he delivers a package to a resident.
Could housing societies be exempted from the provisions of the Bill?
While the Bill does provide for certain non-consensual grounds of processing (such as actions by the state, for the purposes of employment or for reasonable purposes as specified by the Data Protection Authority), none of these grounds in their present form would be available to the processing of personal data by housing societies. Having said that, Section 36 of the Bill exempts the applicability of certain chapters of the Bill where personal data is processed inter alia in the interests of prevention and detection of any offence. Unlike other exemptions that apply specifically to the State, this section does not seem to exclude the processing of personal data for this purpose by non-State functions, such as, for instance, the use of CCTV cameras in a commercial complex. It is therefore possible to argue that the collection of personal data by housing societies in the interest of ensuring safety of their residents should fall within the purview of this exemption, and consequently several provisions of the Bill ought not to apply. However, given that the purposes for which a housing society collects personal information of residents and entrants vary and are not only in the interest of security, this argument can be made only in respect of the information that is collected by the society solely for safety reasons, and such a distinction may not, in fact, be feasible.
Would a housing society be considered a ‘small entity’?
Section 39 of the Bill provides for certain exemptions for the manual processing of personal data by small entities. The Bill does not specifically define this term and yet again leaves this determination to the Data Protection Authority who will classify a data fiduciary as a ‘small entity’ based on factors such as its turnover, the purpose of collection of personal data for disclosure to other persons, and the volume of the personal data processed by the data fiduciary.
Manual processing (including collection) of personal data by a data fiduciary that is classified as a small entity will be exempt from several provisions of the Bill, including the provisions that pertain to notice, data quality, data retention, privacy by design and security safeguards. While this classification would certainly benefit non-digital businesses, in the absence of a specific definition or thresholds, it is unclear which entities would be classified as small entities. Therefore, at this point, there is no certainty whether housing societies that continue to collect and process data manually would qualify as small entities.
What happens when data is not processed manually?
Visitor and community management apps are now a common feature in most residential complexes and bring with them several additional features that appear to be quite beneficial to residents. For instance, a resident will know each time that their domestic help enters the gate and leaves the premises. Similarly, the resident will be prompted to approve the entry of a delivery agent on the app before they are permitted to enter the premises. As a part of these features, the app will create a profile of each entrant which at the very least has their name, photograph and mobile number along with a description of who they are – such as plumber, driver, delivery agent. Consequently, several additional categories of personal information may be collected as a result of using these apps.
As data fiduciaries, housing societies would continue to remain primarily responsible for the collection and processing of personal data even if they rely on visitor and community management apps. Therefore, in addition to implementing necessary measures and processes themselves, housing societies would need to ensure that the contracts with various community management app providers contain robust provisions on the processing of personal data to ensure that they are able to comply with their obligations under the Bill.
Visitor and community management apps such as MyGate would also need to take a look at their processing activities to clearly demarcate those activities that are being carried out on behalf of their client, that is, the housing society, and any processing that they may carry out to provide services to the residents directly, such as the information collected for creating resident accounts on the platform. This is relevant as these app providers could find themselves switching in and out of the role of a data processor and consequently attract varying obligations under the Bill. Having said that, this determination would differ from app to app, based on the manner in which the app functions and the services are provided.
Given all of the above, housing societies would need to take a close look at the manner of collection and use of personal data of their residents and entrants. A detailed analysis is necessary to determine the varying manner in which each requirement would need to be implemented, keeping in mind the different categories of data principals whose data the housing societies would process. For instance, in relation to residents, housing societies are likely to process sensitive personal data (such as financial data for facilitating maintenance payments) in addition to personal data and this would be subject to additional compliances.
Further, some of the requirements under the Bill are in some instances practically infeasible to comply with. For example, when a child enters a neighbouring gated community to play with her friends after school, how is the housing society going to ensure that age verification is conducted and that parental consent is obtained before they collect her name and address at the time of entry? Similarly, how will the housing society comply with the requirement to obtain informed consent from domestic helps who are from different states and are not well versed in English, and does this mean that they would need to provide notices in several vernacular languages? Evidently, the Bill has a significant impact on every section of society regardless of how internal or contained the processing may be. Therefore, housing societies that so far may have been far removed from data protection regulation are likely to find themselves to be as much of a key player in the proposed regime as a data-intensive business.
Jyotsna Jayaram is a Counsel at Trilegal Bangalore and is part of the TMT practice group. She has a breadth of transactional and regulatory experience spanning over nine years. Some of her core areas of expertise include data privacy and cyber security, content regulation, digital communications and telecom licensing. Recently, she has extensively been involved in the submissions made by several industry stakeholders on the Personal Data Protection Bill, 2019.
Edited by Aditi Agrawal