Is personal data protection bill a double edged sword?

Although it appears to be a welcoming development, there are certain limitations in the said bill in its present form, which can be eliminated and modified to make it acceptable to all stakeholders

The last few years have seen phenomenal development and deliberations around the globe with respect to the issue of privacy of the digital data. The GDPR has been one such mega-development in the European Union wherein a full-fledged legal framework has been structured to regulate digital economy with an aim to protect the privacy rights of the citizens.

In India, the Draft Personal Data Protection Bill, is seen as a big step towards the consolidation and strengthening of data protection regime in India. The Bill introduces certain path-breaking provisions such as ‘Right to be Forgotten’, ‘concepts of a responsible fiduciary relationship between the data owner and the data controller, data breach redressal mechanism etc. The Bill, which has been formulated by a Committee headed by Justice BN Srikrishna, is likely to be tabled before the Parliament in the upcoming winter session. 

Although the Bill appears to be a welcoming development, there are certain limitations in the said bill in its present form, which can be eliminated and modified to make the bill acceptable to all the stakeholders. Out of the key areas in the proposed bill, which has garnered mix reactions from diverse stakeholders including industries is cross-border transfer of ‘Personal Data ’. The proposed Bill restricts the free flow of data across the borders outside India. Although the degree of restriction has been categorised at different levels for different kinds of data, i.e 'personal data', 'critical personal data' and 'sensitive personal data', the said provision appears to suffer from ambiguity. It nowhere mentions about the status of the cross-border transfer of 'data' which is neither personal nor sensitive personal data. 

The question here is whether the absence of any limitation on the same should be assumed to be no limitation. It is important to note that the European Union, which recently came within the ambit of the GDPR has dealt with the similar situation by proposing to enact a law wherein cross-border flow of non-personal data would not be subjected to any restriction.

Further, the Bill leaves the foreign data fiduciaries with a compulsory burden to setup servers as well as data centres in India to store such data. 
 

Creating data centres in separate jurisdictions across the globe can have serious cost implications on these data fiduciaries. Although, it can be presumed that the big companies might be able to bear the costs required for data localisation compliances, the small- or mid-sized companies or startups will find it difficult to invest in this area as it will burden them with costs. At a time, when India is looking forward to heavy foreign investments as well as Government of India’s ambitious Make in India campaign, such a step may make the foreign companies hesitant to put in costs in such logistics. 

Instead of compulsory setting up of data centres in India, the Government can enter into agreements with data fiduciary for sharing of such data as and when necessary for the purpose of State’s necessary obligations. Not letting the free flow of data across the borders can hamper the whole idea of digital economy. 

Another ambiguity which persists in the said Bill is Section 40(2) of the Bill. The provision provides for categorisation of certain kinds of personal data into ‘critical personal data’ by the Central Government and the same have to be mandatorily stored/located in a server within India. However, in subsequent provisions of the bill, Section 40(2) has been referred to, in relation to ‘sensitive personal data’, which otherwise, has already been defined under Section 2(35) of the Bill. It is interesting to note here that under Section 2(35) of the Bill, the power to further expand the scope of ‘sensitive personal data’ has been vested only with the Data Protection Authority under Section 22 of the Bill. Now, in such a scenario, the Bill presents a very ambiguous picture with regard to the differentiation between ‘sensitive personal data’ (defined under Section 2(35)) and ‘critical personal data’ (which has to be categorised out of personal data by the Central Government).

Moreover, it is also interesting to note that Reserve Bank of India vide its circular issued in the month of April, has made it mandatory for the businesses involved in electronic payment transactions to store all payment transaction details only in India. Such a dictum from the Reserve Bank has not gone down very well, especially with the foreign players who may have failed to comply with the said dictum of the RBI within the stipulated deadline. On the other hand, according to the provision of the bill, payment transaction related details shall fall within the category of ‘sensitive personal data’, for which no compulsion of exclusive storage of such financial data in India has been provided, as long as at least a copy of the said data is stored in India. There appears to be some contradiction between the RBI and the government’s approach to the issue, and developments on this front in the future shall be interesting to look into. 

Strict storage of a copy of ‘sensitive personal data’ within India under Section 40(4), when the term ‘sensitive personal data’ has been left open-ended for further enlargement as per the wisdom of the DPA (Data Protection Authority), creates an impression of unnecessary as well as unreasonable hardship which the foreign data fiduciary can be put into by the government. Such an approach can have serious implications on foreign participation in the Indian digital economy. Recent developments wherein digital market players have expressed their grievances can create an anti-industry image of India in the international digital market and can risk the country’s aspiration to become a global digital market.

Provisions such as obtaining approval of contractual clauses every time contracts are entered into for transfer of personal data outside India appear to be burdensome. Provision for a heavy penalty for companies which are found to be in non-compliance with the provisions of the legislation, which appear to be similar in lines with the penalties as imposed under the GDPR, can make the matter worse. Given the fact that, India being a developing country, which is in need of foreign investments and business cannot put forth a strict penalty regime for data fiduciaries. The penalty, which according to Section 69 of the draft bill may be either Rs 50 million or 2 per cent of the worldwide turnover in the preceding financial year, whichever is higher, and penalty of a minimum of Rs 150 million or 4 per cent of the total worldwide turnover in case of serious contravention of provisions such as processing of personal data and sensitive personal data, cross-border transfer etc personal data of children etc can lead in negative impact on companies doing business in India. The negative impact of such heavy penalties prescribed under GDPR is there to see as many US companies have been deliberating to scale down their businesses in the European Union in the light of heavy penalties prescribed for non-compliance in the US. India may also face similar challenges.

In addition to it, non-bailable and cognizable nature of offences under the Bill may adversely affect the interests of the data fiduciaries which other than government bodies are mostly companies. Such measures might result in meek participation of entities, both foreign and domestic, in digital economy, thus hurting the growth in the field. 

The Bill puts a blanket onus on all personnel involved in the management and business of the company/firm in case of breach of any obligation imposed upon the company according to the provisions of the Bill. Such a provision appears to be excessive in nature and can have a serious impact on the conducting of business by companies. Companies/firms can be huge entities having a large number of people involved in the conduct of its business as well as management. In a scenario where there is no clarity in the said provision with regard to which all person can be held liable in case of a breach, a blanket onus on all persons involved in the management of the company is an unreasonable and unjust approach and same can be modified.

It is advisable to take a balanced approach while framing the legislation on Data Protection, keeping in mind an inclusive interest of all the stakeholders wherein the rights of the individual, interest of the industry having stakes in the digital economy and the State are accommodated in a harmonious manner.

¹ Defined under Section 3(29) of the Bill.

² Defined under Section 3(12) of the Bill.

³ http://www.consilium.europa.eu/en/press/press-releases/2018/06/29/eu-to-ban-data-localisation-restrictions-as-ambassadors-approve-deal-on-free-flow-of-data/pdf 

⁴ https://www.business-standard.com/article/companies/visa-mastercard-and-american-express-miss-rbi-s-data-localisation-deadline-118101501033_1.html 

⁵ https://www.livemint.com/Politics/CUm9ahOH93UI9vxie6hScL/Amazon-Facebook-Microsoft-Amex-others-plan-to-fight-data.html

The author us Associate- IP Litigation at K&S Partners