Data Protection Bill – boon or bane for digital economy?

General data protection laws

India is not a party to any convention on protection of personal data which is equivalent to the GDPR or the Data Protection Directive. However, India has adopted or is a party to other international declarations and conventions such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognize the right to privacy.

India has also not yet enacted specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) ("IT Act") to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information. The Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "Rules") under Section 43A of the IT Act. A clarification to the above Rules was issued on 24 August 2011 (the "Clarification"). The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive. Although these Rules were issued in 2011, there is no example of any enforcement action having been taken under them.

Also relevant to the protection of personal data are indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. In a landmark judgment delivered in August 2017 (Justice K.S. Puttaswamy & another Vs. Union of India), the Supreme Court of India recognized the right to privacy as a fundamental right under Article 21 of the Constitution as a part of the right to "life" and "personal liberty". "Informational privacy" was recognized as a facet of the right to privacy, and the court held that information about a person and the right to access that information also need to be given the protection of privacy ("Privacy Judgment"). The court stated that every person should have the right to control commercial use of his or her identity and that the "right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone" emanates from this right. This is the first time that the Supreme Court has expressly recognized the right of individuals over their personal data.

Fundamental rights are enforceable only against the state and instrumentalities of the state, and the Supreme Court recognized that enforcing the right to privacy against private entities may require legislative intervention. The government of India has constituted a committee to consider issues relating to data protection in India and propose a draft statute on data protection. The above judgment is an important milestone in the discourse on privacy and data protection in India. Its ramifications will only be known over time and as it is applied to different fact situations. There are two other cases pending before the Supreme Court, one challenging the sharing of user data by WhatsApp with Facebook and the other regarding the collection of personal data (including biometric data) as part of implementing Aadhaar, a government project to provide unique identification to all citizens. These cases will now be decided applying the principles enunciated in the Privacy Judgment and will shape the law relating to protection of personal data, including enforcing it against private entities.

Entities in regulated sectors such as the financial services and telecom sectors are subject to obligations of confidentiality under sectoral laws, which require them to keep customer personal information confidential and use it for prescribed purposes or only in the manner agreed with the customer.

India – Full analysis of the proposed new privacy law

India is one of the most populous countries in the world, with a fast-growing base of internet users and a national identity number based on biometric data, but it does not have a comprehensive privacy law. This was the backdrop to the Supreme Court of India's decision in Puttaswamy to recognize privacy as a fundamental right and to task the Government with framing a law on the issue.

Proposals for a new privacy law

The Government responded by constituting a committee headed by Justice B N Srikrishna. The Personal Data Protection Bill, 2018 is the product of a year's work by that committee, based on discussions and consultations with stakeholders, including the public. It provides a blueprint which can be built upon and refined, bearing in mind the lessons learnt from other countries and the unique features and challenges of a country like India.

The Government hopes to present the Bill for parliamentary approval in the winter session of the Parliament this year. However, in September 2018, the Supreme Court of India pronounced its judgment on the constitutional validity of Aadhaar, the Indian national identity number based on biometric data (MANU/SC/1054/2018). While the Supreme Court held Aadhaar to be constitutionally valid, it struck down provisions of the law allowing private sector entities to use Aadhaar. The Bill will have to be revisited in the context of this judgment.

The Bill and the GDPR

The Bill borrows heavily from the EU General Data Protection Regulation. While businesses should be able to replicate many processes that have already been implemented to comply with the GDPR, the Bill is not identical and contains a number of innovations.

Genesis and Timeline of Implementation

Genesis of the Draft Bill - After the Supreme Court's mandate in the Privacy Judgment, the Government entrusted the Srikrishna Committee with the responsibility of examining issues related to data protection, recommending methods to address them, and proposing a draft law on protection of personal data. The Srikrishna Committee published a white paper in December 2017 on the proposed data protection framework and invited comments from the public. Based on the comments, public consultations and internal deliberations, the committee submitted its final report ("Report") and the Draft Bill to the Ministry of Electronics and Information Technology, Government of India ("MeitY") on 27 July 2018.

What next? - The Government has asked for comments from the public on the Draft Bill. As in the case of the white paper, there may be a consultation process and the Draft Bill may be further amended based on those consultations. The Draft Bill will become law after it is passed by both houses of Parliament, receives the assent of the President of India and is published in the official gazette of India. Once enacted, the law will be implemented in a phased manner as described hereinafter.

Framework of the Draft Bill

Patchwork of laws - India does not currently have one law on the protection of personal data. The protection available to individuals in respect of their personal data stems from a patchwork of many different laws including the Information Technology Act, 2000 ("IT Act"), contract law, sectoral laws (particularly banking, telecom and securities laws) and even provisions of the Indian Penal Code, 1860. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("SPDI Rules") issued under the IT Act are the closest that India has to a data protection law. The SPDI Rules are woefully insufficient to address the complex issues arising from emerging technologies and from individuals' increasing day-to-day use of technologies that require sharing of personal data (e.g. online shopping and aggregator services such as taxi and food delivery). There is also no instance of the SPDI Rules having been enforced.
