4 key facts India Inc. ought to know about the Personal Data Protection Bill

The cyber policy maven, Prashant Mali details critical areas that Indian enterprises should watch out for, and shares tips for organizations to create or upgrade their privacy policy to be ‘PDPB-ready’.


In an interaction with cyber and privacy policy expert, thought leader and practicing lawyer Prashant Mali, we took an inside out look at the proposed draft of the Personal Data Protection Bill 2018 to understand the impact on individual privacy.


Edited excerpts:
What are the loopholes in the current draft of Personal Data Protection Bill 2019, which can directly or indirectly affect organizations?

Mali: Under Section 38 of the PDP, the adjudicating officer has the power to notify certain data fiduciaries as “Significant” data fiduciaries, which means the adjudicating officer shall apply all or any of the following obligations: “Data Protection Impact Assessment”, “Record-keeping”, “Data Audit” and “Data Protection Officer”.

This introduces an element of risk as certain upcoming or niche sectors, which carry out high-risk processing activities, may pass under the radar if not known or identified by the authority. Careful research and analysis would be key for the Adjudication Officer to ensure adequate coverage and categorization.

Secondly, the draft bill also proposes that data fiduciaries save a local copy of all personal data that is stored outside the boundaries of India. Although this move could have some negative and positive consequences, it would ensure effective enforcement of the law, reduce bottlenecks in dealing with foreign jurisdictions, and protect national security and interests.


Further, in a move focused on protecting national interests and containing the risk of surveillance from foreign states on critical data, the draft bill prevents data fiduciaries from sending ‘critical’ personal data outside the territory of India. However, what constitutes personal data and ‘critical’ personal data is a decision that has been left up to the authority.

While I am a proponent of data localization and the intentions behind the move are good, maintaining data locally will have an impact on businesses across multiple industries that are today cloud-led. This will increase the general cost of doing business across industries.

The requirement of consent from data principals for the transfer of personal data outside India even with the presence of contract clauses or fulfillment of the adequacy criteria may lead to an additional burden of compliance on data fiduciaries. Another negative consequence of requiring consent is the provision for withdrawal of consent, which will have to be addressed by the data fiduciary at higher costs to ensure continuity of business.

The draft bill suggests exempting certain entities from various requirements based on turnover (<20 lakhs INR), volume of personal data processed (<100 data principal records per day and <100 data principals on any day in the past year), etc. Considering the Indian context, with the presence of a large number of medium and small enterprises, kirana stores, marts, etc., this move appears to be aimed at ensuring that the burden of compliance does not impede the economic growth of a fragile grass-roots Indian economy.

However, the proposed thresholds for exempting small entities may be too low and impractical. Given the presence of numerous small entities with a turnover of more than 20 lakh INR or processing more than 100 data principals, a remarkably high number of entities may fall under the purview of the law, leading to counterproductive economic consequences.

The draft bill calls out the data protection obligations, with “fair and reasonable” processing considered as the core principle. This has put an obligation on all data fiduciaries, but there are no direct principles or guidelines on a “fair and reasonable” manner of personal data processing.

The Justice Srikrishna Committee Report had suggested that courts of law and regulatory authorities should be allowed to evolve principles of fair and reasonable processing. These standards may vary with technological progress over time, and across different data fiduciaries.

As per the bill, data fiduciaries have to be regulated by the DPA, which will assess their compliance with the law and, if any violation is found, take appropriate enforcement actions and impose penalties. In the event of a data breach, the data fiduciaries have to inform the DPA only if such a breach is likely to cause harm to the data principal.

This has put the data fiduciary at the vantage point where it can decide which data breach is going to cause harm and which is not. Fiduciaries can have economic interests in downplaying the risk of data breaches, as there have been instances of breaches negatively affecting stock prices of companies.

The Bill allows the DPA to impose penalties on data fiduciaries for violation of provisions of the law. Recovery Officers appointed by the DPA shall have the power to enforce penalties and compensation orders of the DPA. The officers, per the orders of the DPA, may conduct several enforcement actions against the data fiduciary, including (i) attachment or sale of movable and immovable property, and (ii) arrest and detention in prison.

The Bill does not specify that a court order would be required for the above enforcement actions. Other Acts allow regulators such as the RBI or the IRDA to take actions such as attachment and sale of property and arrest of persons only after the approval of a court. However, following the Securities Laws (Amendment) Act, 2014, the SEBI Act permits the Recovery Officer of the SEBI to take such actions on the orders of the Board.

What will be the challenge for companies while doing their privacy assessment once the bill comes into play?

The draft bill requires that significant data fiduciaries always submit DPIAs to the Authority for review, which is likely to create a high administrative burden. The GDPR instead takes a narrower approach in requiring submission only when a high risk is identified, focusing the Authority’s attention on processing activities that are most likely to harm data principals.

There is a need for clarification about whether processing may commence prior to the Authority’s review, and for time frames within which the Authority must respond. The GDPR sets the limit to 8 weeks, thereby limiting business disruption from pending DPIA reviews.

Furthermore, Section 33 is not technology-neutral and doesn’t focus on the risk of harm. There is a challenge with regard to Section 33, which almost labels processing that involves “new technologies” as inherently risky and therefore requires a DPIA.

I feel that requiring new technologies or startups to carry such a broad DPIA review obligation may delay the adoption and growth of new technologies in India. DPIA review by the Authority should only be conducted if there is an assessed risk of serious harm under the general intent of Section 33, and not because of the technology that may be used for the processing.

Large organizations need to address this challenge before setting up centers of innovation in India.

Please elaborate on any other critical factors that organizations must be aware of when it comes to the impact of the Personal Data Protection Bill.

1. Organizations need to formulate or upgrade their privacy policy so that it complies with the PDP; obviously, data classification and handling of consent management in their software should be initiated today itself.

2. Organizations need to define the data life cycle, which determines how long data must be held on to, or protected, since data security comes at a cost.

3. Implement a Grievance Redressal system for proper procedures and effective implementation of the PDP; I recommend an online one, which is better.

4. Before involving any new technologies or large-scale profiling, or using any sensitive personal data like genetic or biometric data, the organization should undertake a Data Protection Impact Assessment in accordance with the provisions of the PDP bill.
