The Personal Data Protection Bill needs to define a minimum compliance period of 24 months from the date of notification of any obligation, standard, code of practice or rule, industry bodies NASSCOM and the Data Security Council of India (DSCI) said in their submission to the Joint Parliamentary Committee on the Bill. It must also define timelines for the formation of the Data Protection Authority (DPA).
The Bill must also give data processors that deal with foreign nationals’ data additional time so that they can re-negotiate their international contracts. It must clarify the scope of its extra-territorial applicability using examples. NASSCOM is one of the key industry bodies in the Indian regulatory landscape. It set up DSCI to focus on data protection in India.
They have also recommended that any exemption granted to a government agency must be subject to a detailed assessment of potential harms to users’ rights and freedoms, in consultation with the DPA.
Non-Personal Data shouldn’t be in the Bill
- Scrap non-personal data from the Bill so that it can be dealt with through separate legislation. If it must be included, the business interests of the companies must be protected and the government needs to be held accountable for asking for such data through safeguards such as:
- Establish clear intellectual property rights of the companies over such data
- Government can ask for only a reasonable and proportionate volume of data with a clearly specified purpose.
- Government must prevent onward disclosure of data beyond specified purpose
- Government must assess the impact on competition of each direction issued under this Section and report on the potential risks of re-identification.
Also, the DPA would need to ensure that such data sharing happens only when there is a minimal risk of re-identification.
Remove data mirroring requirement for cross-border flow of data
- Remove “continue to be stored in India” as it is not clear if it means live mirroring of all sensitive personal data, or only a storage of a copy of sensitive personal data in India.
- Definition of critical personal data should be linked to national security requirements. Until that is done, approve critical personal data transfers on the basis of standard contractual clauses, with additional safeguards.
- Don’t ask for additional consent for cross-border data transfers as it is onerous for companies to execute.
- Consider standard contractual clauses and BCRs based on frameworks such as APEC Privacy framework and the CBPR as alternate grounds to processing sensitive personal data.
Exempt data processors dealing with foreign nationals’ data
- Exempt organisations processing foreign nationals’ data in India from select provisions (Sections 9, 91 and 92, and Chapter VII). This will help India get adequacy status from the EU and other regions, and remove discretionary powers and process uncertainty.
- Include provision for the Central Government to exempt data processing of foreign nationals outside India from the Bill.
- Include the following phrase in the definition of “data processors”: “but does not include an employee of the data fiduciary”.
Scrap criminal liability, expand grounds for processing data without consent
- Remove criminal liability and limit circumstances for individual liability.
- Expand grounds for processing personal data without consent to include contractual necessity (for both personal and sensitive personal data). No additional consent should be required to fulfill a contractual obligation. Allow non-consensual processing of sensitive personal data for employment purposes. Compliance with law, or an order of a court/tribunal, should be an alternate ground to explicit consent for processing sensitive personal data.
- Extend “reasonable purposes” as grounds for processing to both personal and sensitive personal data. DPA should come out with a code of practice for that.
- Include provision of a service/benefit from the State as a “function of the State”, so that such data can be processed without consent. For sensitive personal data, however, the State should require explicit consent.
Make DPA independent again
- Staff and fund the DPA independently to maintain its independence as a regulator. Review the composition of its selection committee and provide for an independent funding mechanism.
- Define the process for holding consultations in the law itself. Use the Financial Sector Legislative Reforms Commission (FSLRC) recommendations on regulatory governance, as encoded in the draft Indian Financial Code, as a reference.
Classification of significant data fiduciaries needs clarity
- Clarify the grounds and purposes for classification of “significant data fiduciaries”, as just one factor cannot be “a standalone indicator of the likelihood of ‘significant harm’”.
- Allow data fiduciaries to appeal such classification by the DPA before the Appellate Tribunal. For classification, DPA should give due notice to the data fiduciary and consider its subsequent submissions.
- Data Protection Officer must be an independently functioning office, separate from the CISO. An external DPO should also suffice.
- Clarify the grounds on which a data audit can be ordered. Allow the data fiduciary to appeal such directions. The process by which the DPA issues audit directions needs to be made clear.
- Distinguish between the functions of a consent manager and a data fiduciary because in some circumstances, a consent manager might actually be a data processor.
- Specify what constitutes personal data through examples such as identifiers and location data. Replace “inferences drawn from personal data” with “de-identified data used for the purpose of profiling” so that insights from anonymised data are not included in the Bill. Also clarify whether personal data includes data of deceased persons.
- Limit the definition of sensitive personal data to only such personal data that could lead to profiling, discrimination and infliction of harm that are identity driven; the definition should be exhaustive, not subject to regular updation.
- Remove financial data and official identifiers from the category of sensitive personal data. If financial data must be included, identify a sub-set of financial data that is considered sensitive personal data. Similarly, give an exhaustive definition of financial institution.
- Limit the definition of health data to data concerning the health of a person.
- Data Protection Authority should classify other categories as sensitive personal data, and such changes should require a statutory mandate with a public consultation before notification.
- Limit “loss of employment” as a harm to “loss of employment, based on processing that is ex-facie discriminatory and contrary to laws for the time being in force”.
- Limit scope of “Right to Portability” to only personal data actively and knowingly provided by the user, and data that is generated only through the user’s use of the service/product. Data inferred or derived by the data fiduciary should not be included.
- Replace “Right to Erasure” with “Right to Deletion” and define deletion. Allow the data fiduciary to reject such requests if they are in contravention of any law that mandates data storage for a certain period of time.
- Clarify if, and which, biometric data can be processed.
Read all the other submissions made to the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, here.