Draft Personal Data Protection Bill

DATA PROTECTION POLICY ANALYSIS

India: Draft Personal Data Protection Bill

Date: December 2018
49
/100
Score
SPECIFIC HARMS HELPFUL PROCESSES NOT RETROACTIVE NOT HARMFUL FREE SPEECH SIMPLE CONSENTS INTERNATIONAL COMMERCE FAIR ENFORCEMENT SMALL ENTERPRISES 6/10 6/10 6/10 7/10 6/10 4/10 7/10 3/10 2/10 2/10 CLEAR TERMS EXPLICIT CONSENT 7/10

SUMMARY

India’s proposed Personal Data Protection Bill adopts European concepts of data rights (calling individuals “data principals” and organizations that hold data “data fiduciaries”) and establishes a Data Protection Authority to audit and enforce. The Bill:
  • Grants individual rights to data access, data portability and to be forgotten.
  • Softens the GDPR’s confusing and often impractical “consent” obligations.
  • Proposes strict national security provisions that would give the government extraordinary search and seizure power, and impose burdensome storage requirements and cross-border data transfer restrictions.
The Bill’s generally reasonable consent rules and data protections are overwhelmed by significantly burdensome and costly data storage and transfer provisions and apparently unfettered law enforcement powers.  The Bill also fails to sufficiently exempt small businesses – which we fear will hurt competition and innovation.

CONCERNS

India’s Draft Personal Data Protection Bill mirrors many of the core principles of Europe’s GDPR, but provides for simpler notice-based opt-out “consent”.  However, the Bill also creates significant burdens on Indian businesses (and global businesses operating in India) by imposing strict “data localization” standards that require expensive new cloud storage operations and restrict cross-border data transfers.  The core features of the Bill are:
  • Notice and opt-out framework. Most collection and use of non-sensitive personal data is permitted under a notice and opt-out framework (called “informed” consent).
  • Opt-in framework for sensitive data.  Explicit affirmative consent is generally required for collection and use of sensitive data, including passwords, financial, health, biometric, religious beliefs, sexual orientation, and caste/tribe status;
  • Access and deletion rights.  Individuals have the right to access and in limited circumstances to require deletion of data;
  • Localization.  Burdensome “data localization” requirements;
  • Cross-border transfer restrictions.  Cross-border transfers are prohibited unless government pre-approves through a mechanism that is not defined in the Bill;
  • Broad law enforcement powers.  The Bill makes it relatively easy for law enforcement to search, seize and examine materials.
  • Significant Data Fiduciaries. “Significant Data Fiduciaries” will be organizations that collect/handle a great deal of data or very sensitive data, or that conduct large-scale data profiling. SFDs will be required to (a) register with the India Data Protection Authority, (b) perform a risk-based data protection assessment designed to manage, minimize, and mitigate potential harm, (c) have privacy practices audited annually, and (d) appoint a data protection officer.

The most burdensome aspects of the bill are the localization requirement and cross-border transfer restrictions which impose substantial obligations and costs. Specifically, the Bill requires businesses to store one copy of all personal data in India, and arguably requires all sensitive data to be stored only in India. Additionally, the Bill permits cross-border data transfers only to pre-approved countries or where the transfer is specifically approved (via a mechanism that is not defined in the Bill).


The other issue of very significant concern is the broad law enforcement discretion to search, seize, and examine equipment, devices and other materials containing personal data.  Authorities can initiate searches and seizures upon a mere “reasonable belief” of a likely violation or future violation of the bill – creating substantial risk of law enforcement abuse.

Criteria

CLEAR TERMS: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 6/10]
Most key definitions are reasonably clear, (a) the important “critical personal data” is undefined (which leaves unclear what data will be subject to the Bill’s strict requirement to store such data only on servers in India), and (b) “biometric data” includes the remarkably open-ended “any behavioral characteristics of an individual.”
SPECIFIC HARMS: Legislation should focus on specific harms and outcomes. [Score: 6/10]
Some provisions are well-targeted to address specific risks – for example, preventing deception by clearly explaining what “informed” consent requires. But some requirements or processes do not appear to have clear benefits, e.g., the restrictive data localization requirement and the government search and seizure rights.
HELPFUL PROCESSES: Required processes and notices should be clearly defined and helpful. [Score: 6/10]
The guidelines for providing notice and obtaining consent are clear. However, several required processes are vague (e.g., when sensitive data can be transferred outside of India).
NOT RETROACTIVE: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 7/10]
The Bill is silent on retroactivity, so theoretically the government could conclude that the new requirements apply to old data and, thus, prohibit processing of data collected before the law takes effect.
NOT HARMFUL: Legislation should not inhibit beneficial data models and uses. [Score: 6/10]
The legislation seems generally to be strong on this point but some common beneficial use cases, like research using large pools of personal data, could be restricted if affirmative consent is not obtained.
FREE SPEECH: Legislation should not inhibit freedom of expression or government transparency. [Score: 4/10]
The “right to be forgotten” can override “the right to freedom of speech and expression” if the Adjudicating Officer so determines.
SIMPLE CONSENTS: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 7/10]
The bill may require consent in some common use cases by third parties, such as using large amounts of data or artificial intelligence and machine learning for analytics or research. This burdens research organizations without being particularly helpful for consumers.
INTERNATIONAL COMMERCE: International commerce and cooperation should not be inhibited. [Score: 3/10]
The data localization requirements will hinder international commerce due to (a) the strict requirement of localized cloud-based services, and (b) the government control over cross-border data transfers.
FAIR ENFORCEMENT: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 2/10]
The bill lacks standard procedural safeguards that should be associated with search and seizure authority. The results could be acceptably within the norm if regulators or courts impose safeguards or could be abusive if enforcement agents have too much discretion.
SMALL ENTERPRISES: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 2/10]
The Bill exempts very small businesses (those under USD $27,000) if they manually process personal data. Small businesses that rely on cloud services will be excessively burdened by data localization requirements.
“9-10”
means the legislation thoughtfully accounts for the concern.
“7-8”
means that, with adjustments, it can likely account for the concern.
“5-6”
means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4”
means that causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2”
means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.
Localize