The Personal Data Protection Bill should remove non-personal data from its ambit, BSA, the global software alliance, wrote in its submission to the Joint Parliamentary Committee on the Bill. The clause is too broad, BSA argued, as it encompasses all data other than non-anonymised personal data. This goes beyond the ambit of the Personal Data Protection Bill, and there is already a MeitY committee deliberating on the governance of non-personal data through a “more deliberative and consultative process”.
BSA, whose members include Cisco, Amazon Web Services, Microsoft, and Salesforce, also recommends revising the definition of “personal data” to exclude inferred data. An exhaustive list of sensitive and critical personal data categories should be given in the law itself, with any new categories added through amendments rather than government notifications. The concept of consent managers should be removed completely.
Ease up on data localisation
- Remove Clause 33, which mandates data mirroring for cross-border flows of sensitive personal data, as such restrictions don’t help with data protection. They disrupt companies’ operations and increase service costs in India. Instead, recognise the role of private contractual arrangements, internationally recognised certification mechanisms, and other transfer mechanisms in promoting accountability and cross-border data flows.
- Define “sensitive personal data” narrowly to mitigate impact on digital payments and healthcare industry. This categorisation should only be reserved for “categories of data that carry special risks in relation to discrimination and abuse of fundamental rights”.
- Define “critical personal data” narrowly, keeping national security considerations in mind, to create more predictability for companies that process such data. Better still, remove the category from the Bill altogether.
- Focus on accountability for cross-border data flows instead of adequacy and/or consent. This way, entities that process personal data remain responsible for its protection irrespective of where it is processed. If adequacy is used as a requirement, make it compatible with existing data protection frameworks such as APEC’s Cross-Border Privacy Rules and the EU’s standard contractual clauses.
- Let explicit consent be one basis for cross-border data flows rather than a necessary requirement.
- Add “reasonable purposes” exemptions such as cybersecurity and fraud prevention.
Give data processors more power
- Let fiduciaries engage data processors on the basis of a “general written authorisation” instead of a contract, as under the GDPR, where the processor need only inform the data controller of intended changes or replacements and give the controller an opportunity to object. This is a more flexible approach to governing data processors while still giving data fiduciaries a reasonable opportunity to object.
- Allow data processors to process personal data as instructed by law even if not instructed to do so by the data fiduciary. This would be closer to the 2018 version of the Bill.
- Only data fiduciaries should be responsible for compensating users for violations under the Bill, but fiduciaries and processors may agree between themselves to allocate liability differently.
- Don’t hold data processors liable for negligence, but only for acting against the data fiduciary’s instructions or for failing to provide adequate safeguards.
- Primary responsibility for implementing security safeguards should rest with the data fiduciary, as the processor may not have enough visibility into the personal data to accurately assess risks. The fiduciary should assess the nature of the processing required and contract a data processor accordingly.
Scrap criminal liability
- Remove criminal liability, as it can “chill beneficial and harmless data practices” and is not a proportionate response to data protection violations. BSA also claims that imposing broad liability on employees “discourages them from working for companies subject to the Act”.
- The degree of cooperation with the DPA should be used to mitigate monetary penalties, as this will act as an incentive for companies to cooperate. It will also make penalties proportionate to the harm arising from a violation.
Expand the scope of processing data without consent
- Allow non-consensual processing of sensitive personal data for employment purposes as such processing may be necessary to provide insurance or maternity benefits.
- Allow data fiduciaries to determine what counts as a “reasonable purpose” for processing personal data without consent, instead of the DPA issuing a regulation for each one. If the DPA must retain this authority, it should consult stakeholders before issuing regulations specifying such purposes. Processing necessary for the “performance of a contract” to which a user is party should be a “reasonable purpose”.
- Recognise the purposes listed under Clause 14(2) as “reasonable purposes” for processing personal data without consent; these currently include mergers and acquisitions and the operation of search engines.
Do away with significant data fiduciaries
- Remove significant data fiduciaries. Instead impose stricter obligations on data fiduciaries “undertaking activities that carry greater risk” to users.
- Provide data protection impact assessments to the DPA only on request, but keep them on record, as routine submission could otherwise overwhelm the DPA with paperwork.
- Data audits by DPA should be conducted only under specific circumstances as annual audits create a huge burden for global privacy programs that “typically do not include routine audits”. In the same vein, the “data trust score” should also be removed from the Bill as it could mislead consumers about the trustworthiness of significant data fiduciaries.
- Remove the requirement to have data protection officers within India as such a requirement “undermines global compliance efforts by designating DPOs who are not otherwise part of more centralized efforts to address global data protection and privacy issues”.
- Make submission of privacy by design policy to the DPA voluntary as there is currently confusion in the Bill about its mandatory/voluntary status.
Make Data Protection Authority independent
- The Selection Committee for the DPA should include the Chief Justice of India or a judge nominated by him/her, as under the 2018 Bill, so that the DPA can function as an independent sectoral regulator free of the Central Government’s control.
- Notify the DPA only of breaches that can harm users; otherwise the DPA will be over-notified, making it difficult to identify the most significant data breaches.
- The DPA should be notified only “as soon as practicable” or “without undue delay”, as timelines specified by the DPA could be unrealistic and inflexible.
- Data fiduciaries, rather than the DPA, should determine whether users need to be informed.
Read all the other submissions made to the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, here.