The expert committee set up under the chairmanship of Justice B. N. Srikrishna to formulate a data protection regime in India, after a year of deliberation, released the Personal Data Protection Bill, 2018 (“Proposed Bill”) in the public domain. Public comments were solicited on the Proposed Bill. In response to the Proposed Bill, the European Commission has submitted its comments to the Ministry of Electronics and Information Technology (MeitY).
We have discussed below in brief the key observations on the Proposed Bill provided by the European Commission and our views on such comments:
- Discretion to decide on Key Matters: The Proposed Bill at a number of places leaves discretion to the Central Government and the Data Protection Authority to decide on matters such as (a) exemption from compliance for processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India (Section 104 of the Proposed Bill), (b) the eligibility and qualification requirements to be met by data protection officers (Section 36 (3) of the Proposed Bill), (c) the details of the code of practices to facilitate compliance with the obligations under the Proposed Bill (Section 61 of the Proposed Bill) etc. In the opinion of the European Commission, these important points should be clarified in the legislation itself.
- Independence and Impartiality of the Authority: The Central Government has been provided a right to issue directions to the Data Protection Authority which would be binding and final, therefore not subject to judicial review. This could put at risk the very independence of the Data Protection Authority. Further, the Central Government may be said to have been granted the right to decide the budgetary allocations to the Data Protection Authority, which may have an impact on its independence. The Data Protection Authority should have the financial resources necessary to accomplish its mission effectively and in full independence.
- Exemption to Specific Types of Processing: Processing in the interests of state security, criminal law enforcement, in order to pursue legal claims, for journalism etc. has been granted exemptions from large parts of safeguards and compliance requirements. The European Commission is of the view that “high data protection standards and effective law enforcement and security operations are not mutually exclusive but can – and actually should – go hand in hand”. There should be sufficient measures to limit interference with fundamental rights of individuals whose data is processed for law enforcement and national security reasons (e.g. need for a legal basis, independent oversight, effective remedies for individuals).
- Processing for ‘Reasonable Purposes’: In addition to the processing based on consent and for employment purposes, personal data can be processed if such processing is ‘necessary’ for ‘reasonable purposes’. The European Commission has expressed concern that the requirements set forth in Section 12, which deals with the processing of personal data on the basis of consent, could perhaps be circumvented by either the “employment purposes” or “necessary for reasonable purposes” standard. Clarity needs to be provided.
- Data Localisation: As per the Proposed Bill, at least one copy of the personal data which is processed needs to be stored on a server or a data centre located in India. Also, the Proposed Bill permits the Central Government to stipulate that “critical personal data” must be exclusively processed within India. These requirements, in the view of the European Commission, appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments. If implemented, they could create significant costs for foreign companies and are also likely to complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement.
- Rights of Data Principals: The data principals should be given the “right to object” to processing at least in situations where such processing takes place for “reasonable purposes”. Such a right need not be absolute but could be subject to certain restrictions. Also, the “right to be forgotten” only includes the right to restrict or prevent continued disclosure; it would be helpful if the right to erase the personal data in certain circumstances is included.
- Significant Data Fiduciaries: The Data Protection Authority has the right to prescribe the criteria to determine the “significant data fiduciaries”. Such entities need to implement additional data protection safeguards. This ex-ante approach, in the opinion of the European Commission, may not be useful and instead a risk-based determination approach can be implemented.
Our View
Given that there has been substantial uproar by a number of trade bodies and industry organisations against data localisation, the resistance from the European Commission to the data localisation proposal is not a surprise. It remains to be seen how the Government balances its interests and those of the stakeholders.
The concerns raised in relation to the independence of the Data Protection Authority are most critical. If India is to be recognised as a country which ‘ensures an adequate level of protection’ under the General Data Protection Regulation (GDPR) to enable free transfer of personal data between Europe and India, the lack of independence of the supervisory body could come in the way. Also, if, on the basis of the recommendation of the European Commission, decisions on key matters are not left to the discretion of the Central Government and the Data Protection Authority but are specifically provided in the enactment itself, it would definitely help in providing clarity to the stakeholders.
Insofar as the Data Principal’s right to be forgotten is concerned, it is a valid observation, given that if there is a right to prevent continued disclosure, the historical data is a corollary.
Finally, on the identification of “significant data fiduciaries” we reserve our comments until the criteria are finally issued.
Disclaimer: The information provided in this update is intended for informational purposes only and does not constitute legal opinion or advice. Readers are requested to seek formal legal advice prior to acting upon any of the information provided herein. This update is not intended to address the circumstances of any particular individual or corporate body. There can be no assurance that the judicial/ quasi-judicial authorities may not take a position contrary to the views mentioned herein.