MediaNama has covered all important aspects of the Data Protection Bill 2021:
Powers of the Government | Data Protection Authority | Data Localization | Data Breaches | Data Fiduciaries | Data Protection Officers | Children’s Data |
With regards to the obligations and penalties of data fiduciaries, the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill has recommended the inclusion of social media platforms as significant data fiduciaries, restricting the adjudicating officer’s discretion to impose fines for violation or insubordination, and more.
Definition of data fiduciaries
The committee has recommended amending the definition of data fiduciaries to include ‘non-government organisations’.
- Earlier draft: The older definition did not mention non-government organisations and was restricted to the State, a company, a juristic entity, or an individual. It said that a data fiduciary means “any person, including the State, a company, juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.”
- Reason for change: The committee noted that NGOs should be recognised as data fiduciaries, and brought under the act, as they play a significant role in collecting data for various purposes in rural areas.
Classification of significant data fiduciaries
The committee recommended classifying social media platforms (replacing the earlier term ‘social media intermediaries’) as significant data fiduciaries, and adding to that category fiduciaries that process children’s data or provide services to children. It also laid down that significant data fiduciaries be regulated by their relevant sectoral regulators.
The committee’s new definition for social media platforms read: “A platform which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.”
- Earlier draft: With relation to social media intermediaries, it had said that those with user numbers above a threshold (which will be notified by the government later) and having a likely impact on electoral democracy, security of the State, public order, or the sovereignty and integrity of India will be significant data fiduciaries. These fiduciaries would then have to register themselves with the authority.
- Reason for change:
- Social media platforms: The committee challenged the definition of intermediaries, noting that in its view “most of the social media intermediaries are actually working as internet-based intermediaries as well as platforms where people communicate through various socializing applications and websites.” It therefore replaced ‘intermediaries’ with ‘platforms’ since, as the committee notes, the bill describes intermediaries as ‘intermediaries that facilitate online interaction between two or more users and allow users to disseminate media, while e-commerce, internet service providers, search engines and email services are excluded from the definition’.
- Children’s data processing: In order to curb misuse or mishandling of children’s data it added the clause on children’s data processing.
Processing of personal data
“The processing of personal data by any person shall be subject to the provisions of this Act and the rules and regulations made thereunder,” the JPC report said.
- Earlier draft: It said that no personal data shall be processed unless for any specific, clear, and lawful purposes.
- Reason for change: The committee wanted to reflect that the clause was referring specifically to provisions under the Data Protection Act. It noted that it received recommendations that the clause was not specific and thus, should be removed or made more specific.
Limitation on the purpose of processing data
The report has added “purpose for processing of personal data under Section 12” to the purposes for which a fiduciary can process data. Section 12 contains the provisions for processing personal data without consent, for purposes such as the functions of the State and compliance with court orders.
Other conditions under the provision, which lays down how a fiduciary can process personal data, are:
- processing in a fair and reasonable manner that protects the principal’s privacy
- for the purposes, or in relation to them, for which the data principal had consented to the collection
- Earlier draft: The older bill did not mention processing under Section 12.
- Reason for change: “In committee’s view, it is very essential to mention the purpose of the processing of data under Clause 12 as only such provision can enable the State agencies to function smoothly,” the report notes. It also says that it is important to view the limitation of purpose, in the context of purpose.
Limitation on the collection of personal data
The limitation that personal data shall be collected only as much as it is relevant to the purposes of its processing, has been retained from the 2019 bill.
Notifying users before processing data
Fiduciaries have to notify data principals before processing or collecting any data or, in some cases, ‘as soon as is reasonably practicable’, the same as was laid down in the 2019 bill. It also retains the exemption for cases where notification would prejudice the purpose of collection under Section 12, i.e. processing without consent for the functions of the State, compliance with court orders, etc. Further, the notice will have to be ‘clear’, ‘concise’, and ‘easily accessible’, and in multiple languages if necessary.
It will have the following details:
- Purpose, nature, and categories of data being collected
- Period for data retention, or criteria for determining the same
- The principal’s rights to withdraw consent, file complaints, and other rights mentioned in the bill and the procedure for them.
- The procedure to use the grievance redressal mechanism
- The basis for the processing of the data and possible consequences if data is not given, in case the processing is under Sections 12 to 14.
- Identity and contact details of the fiduciary
- Other fiduciaries, processors, including cross-border transfers, that the data could be shared with
- Any data trust score assigned to the fiduciary
Periods of retention of data
Fiduciaries, as per the new report, have to delete data at the end of the period necessary for processing such data.
- Earlier version: The 2019 bill had laid down that fiduciaries have to delete data at the end of the processing.
- Reason for change: The earlier provision was found to be ‘too restrictive’, the report notes.
Obligation of disclosing sharing beyond the mandate
The fiduciary has to notify a data principal in case their data is disclosed to any other entity, which is not in compliance with requirements set down for such data earlier. However, the report lays down an exception for cases related to section 12.
- Earlier draft: The bill had previously asked the fiduciary to ‘take necessary steps to notify’ the principal in case the data was shared with others in a manner that did not meet those requirements. This is in reference to the bill’s clause that a fiduciary has to ensure that the principal’s data is complete, accurate, not misleading and updated, having regard to the purpose for which it was collected.
- Reason for change: The committee amended the provision to mandate notification on the consideration that the clause was a protective one, defining the mandate of the processing of personal data.
Obligation on any sharing
The committee has added a clause to say that fiduciaries can share, transfer or transmit personal data only in the manner prescribed. However, it adds an exception for purposes of processing that fall under Section 12.
- Earlier version: The Bill did not have such a clause earlier and it only asked that data be disclosed keeping in mind the purpose for its processing.
- Reason for change: The committee notes that it added the clause to curb the ‘seamless’ transfer and sharing of data ‘under the garb of services’.
The committee recommended adding a provision requiring data fiduciaries to disclose how the algorithm processes personal data of users.
Clause 23(1)(h) will now read as: “(h) where applicable, fairness of algorithm or method used for processing of personal data; and
(i) any other information as may be specified by regulations.”
- Earlier draft: There was no mention of algorithm transparency.
- Reason for change: The recommendation was made in order to ensure transparency of algorithms used by various entities for processing of personal data and to prevent its misuse, as per the report.
Requirements related to consent
Consent for data processing or collection has to explicitly specify context, and fiduciaries can no longer deny services to principals based on their right to exercise their choice. It is not clear if the report means the data principal’s exercise of choice or the fiduciaries’. Further, a principal will have to bear the consequences, not just the legal consequences, of withdrawing consent for data processing without any reason. These are the three changes made by the JPC in the bill’s provisions relating to consent, its validity, and conditions.
These provisions are:
- The consent needs to be free, informed, specific, clear and capable of being withdrawn by the principal.
- Consent for processing sensitive personal data shall be obtained after informing the principal of the purpose and explicitly mentioning conduct and context. It should also allow the principal to consent separately to different purposes of processing sensitive personal data.
- Services, quality of service, performance or enjoyment of any right cannot be made conditional on a principal consenting to processing or collection of data not necessary for the same. They can now also not be denied based on the exercise of choice.
- The burden of proving that consent was taken will lie on the fiduciary.
- Consequences for withdrawing consent without any reason will have to be borne by the principal.
- Earlier draft: Earlier, the bill had required that consent be obtained from the principal ‘in clear terms’, without requiring recourse to inference from conduct. On fiduciaries denying service, the earlier bill only had a provision prohibiting them from doing so if a principal refused unnecessary data collection or processing. Lastly, on consequences for withdrawing consent, the bill had said that the principal will bear the legal consequences.
- Reason for change: On conduct and context, the committee felt that the previous provisions were not clear enough about obtaining consent without circumvention of the law and without any kind of implicit inferences. On amending the clause related to denial of services, the committee wanted to extend it to cover the right to exercise choice. Lastly, on withdrawal of consent, the committee simply wanted to remove unnecessary and ‘superfluous’ terms.
Penalties on fiduciaries
Right to file a complaint
The committee has added clause 62 to the bill. This requires complaints filed with the Data Protection Authority, as laid down in Section 32 (relating to grievance redressal by a data fiduciary), to be forwarded to the adjudicating officer to adjudicate the complaint or application for compensation.
- Earlier draft: Earlier the bill simply laid down that a principal can approach the Data Protection Authority 30 days after a complaint that the data fiduciary does not address/satisfy. In another provision (section 65, which deals with compensation to principals) it laid down that principals can approach an adjudicating officer to apply for compensation.
- Reasons for change: The committee noted that the bill needed to lay down a single procedure for both complaints and applications filed and thus added clause 62.
Procedure for disposal of the complaint
The report adds that the adjudicating officer will have to consider guidelines issued by the Data Protection Authority while deciding on cases of penalties.
According to the provision, an adjudicating officer will decide on such cases keeping in mind the following factors:
- Nature, gravity, and duration of the violation, including violations of the Act for which penalties have been specified
- Number of principals impacted and their level of harm
- The character of the violation, including whether it was intentional
- Nature of personal data impacted
- The repetitiveness of the violation
- Action taken to mitigate the impact
- Transparency and accountability measures implemented
- Any other factors like undue advantage gained.
- Earlier draft: The earlier draft laid down that the adjudicating officer would decide on cases based on the eight factors listed above, with no reference to guidelines from the Data Protection Authority.
- Reasons for change: The committee felt that the older provision gave the adjudicating officer too much freedom.
Appointment of adjudicating officers
The retained provision for appointment of adjudicating officers to handle claims for compensation lays down the following:
- The central government shall appoint them keeping in mind the requirement for them to be independent. The centre will also decide their number, manner and terms of appointment, jurisdiction, and any other requirements.
- These officers shall have specialised knowledge of and experience in law, cyber and internet law, information technology law and policy, and data protection.
Provisions for redressal in case of harm
On redressal actions that can be taken by data principals in case of harm, the report says that a ‘Representative action’ could be filed in case one or more data principals suffer from harm due to a violation, and the procedure for hearing such a complaint will be as is prescribed.
It lays down the following conditions about violation of the bill’s provisions and actions to be taken on them:
- A data processor will only be held liable if it has not followed the instructions of the fiduciary, not incorporated security safeguards in accordance with the Act, or violated the act.
- An adjudicating officer has to consider the following while deciding on compensation:
- Nature, gravity, and duration of violation of the Act.
- The character of the violation
- Previous history of such violation
- Steps taken to mitigate the harm and transparency and accountability measures implemented by the fiduciary or processor of data. This includes measures taken, in cases of arrangement between a fiduciary and processor, to safeguard the data.
- Any other factors, like advantage gained due to the violation, etc.
- Where more than one fiduciary or processor, or a fiduciary and its processor, are found liable, each may be liable to pay the full compensation.
- These decisions can be appealed before the appellate tribunal.
- Earlier draft: Earlier the clause said ‘one single complaint’ could be filed for all those who suffered harm, and the central government was to prescribe the procedure for hearings therein.
- Reason for change: The committee found that the term ‘representative action’ was more appropriate and that mentioning ‘as is prescribed’ for the procedure would be clearer, according to the report.
What constitutes harm? The Bill states harm includes:
- bodily or mental injury
- loss, distortion or theft of identity
- financial loss or loss of property
- loss of reputation or humiliation
- loss of employment
- any discriminatory treatment
- any subjection to blackmail or extortion
- any denial or withdrawal of a service, benefit or goods resulting from an evaluative decision about the data principal
- any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled
- any observation or surveillance that is not reasonably expected by the data principal
- psychological manipulation which impairs the autonomy of the individual
- such other harm as may be prescribed
- Earlier draft: Earlier the draft did not include the last two classifications under harm: psychological manipulation and any such other harm as may be prescribed.
- Reason for change: The committee felt that the term “harm” needed to be widened considering its wide impact and “unrestricted horizon of interpretation.” Therefore, psychological manipulation has been included, along with an enabling sub-clause.
Amount of penalties
The clause related to penalties for violation of orders of the Data Protection Authority has been largely kept the same, with a slight change to demarcate penalties for fiduciaries and processors separately.
- Earlier draft: The bill had laid down that in case of failure to comply with directions and orders of the Data Protection Authority, a data fiduciary could be fined up to Rs 20,000 for each day of the default, up to Rs 2 Cr. Meanwhile, a processor could be fined up to Rs 5,000 for each day, up to a total of Rs 50 Lakh.
- Reasons for change: The committee thought that segregating the clauses could bring better clarity.
Penalties for contravening certain provisions of the act
The report says that fiduciaries could be liable to pay a fine ‘as may be prescribed’, up to a maximum penalty, upon violation of the Data Protection Act.
Specifically, its provisions lay down:
A prescribed fine of up to Rs 5 Crore or 2% of the total global turnover for the preceding year, whichever is higher. This applies to violations of the following provisions:
- Prompt action against a data breach
- Registering with the Data Protection Authority
- Undertaking data protection impact assessment and data audit
- Appointing a data protection officer
A prescribed fine of up to Rs 15 Crore or 4% of the global turnover for the preceding year, whichever is higher. This applies to violations of:
- Provisions related to obligations of data fiduciaries and processing of data without consent
- Provisions related to processing of children’s data
- Provisions on data transfer and localisation
- Implementing safeguards, in accordance with the bill
The committee retains the provisions for fines for:
- Violations by government entities: up to Rs 5 crore for violations of the data breach, registration, audit and related provisions, and up to Rs 15 crore for violations of the data processing and safeguard provisions.
- Failure to comply with requests of a data principal at Rs 5,000 per day of the default subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
- Failure to furnish information to the DPA at Rs 10,000 each day during which such default continues, subject to a maximum of twenty lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.
- Penalties for contraventions not specified at a maximum of Rs 1 Crore in case of significant data fiduciaries, and a maximum of twenty-five lakh rupees in other cases.
- Earlier version: The 2019 bill had simply laid down that fiduciaries would be liable to a fine of a percentage of the company’s global turnover, varying by violation, or a given amount that may ‘extend’ to Rs 5 or Rs 15 Crore.
- Reason for change: The quantification of the fine could become infeasible in the absence of a mechanism to quantify a company’s global turnover, including its group entities, the report notes. Further, it says that enabling the government to set out fines could be prudent keeping in mind the rapidly changing landscape.
What were the recommendations from stakeholders?
During a MediaNama event in June 2019 on the impact of the Personal Data Protection Bill, 2019, on cloud and telecom services, panelists voiced concerns about the bill’s classification of fiduciaries, the clauses governing them including penalties, and more.
- Only data fiduciaries should pay damages to data principal: Data fiduciary alone should be responsible for any compensation that may need to be given to the data principal, and if any compensation needs to be paid by the processor, it should be decided via the contract itself, recommended Venkatesh Krishnamoorthy, the country manager for India for BSA (The Software Alliance). Currently, the adjudicating officer can decide if and how much the data processor may need to pay in compensation.
- No retrospective application of the Act: The Act should not be used to make entities fix their past data, Anjali Hans, senior vice president of regulatory and corporate affairs at Vodafone Idea had said.
- Allow processors to engage sub-processors: Krishnamoorthy had suggested that there could be a mechanism by which processors can get advance clearance and notify the fiduciary when they are hiring a sub-processor.
Update, December 16, 8:00 pm: An earlier version of this report incorrectly substituted the government as the Adjudicating Officer in the first paragraph. The error is regretted.
Update, December 17, 2:30 pm: The report has been updated following editorial inputs.
Update, January 17, 2022, 1:50 pm: Added definition of “harm” under sub-heading “Provisions for redressal in case of harm.”