The Supreme Court of India has recognised the right to privacy as a fundamental right, which is intrinsic to life, personal liberty and is inseparable from human existence. To codify this right, to put in place a robust regime for data protection, and to safeguard against encroachments on privacy by state and non-state actors, the government has formulated a draft Personal Data Protection Bill 2019 (PDP Bill), which is largely inspired by the EU General Data Protection Regulation.
The PDP Bill introduces a unique concept of a ‘fiduciary relationship’ between data subjects (natural persons to whom the personal data relates) and data controllers (persons who determine the purpose and means of processing personal data) and classifies them as ‘data principals’ and ‘data fiduciaries’, respectively. This relationship is based on a fundamental expectation of trust, which translates to a duty of care for data fiduciaries to process the principal’s personal data in a fair and reasonable manner. This prerequisite of ‘fair and reasonable processing’ puts a high bar for compliance on data fiduciaries to process the personal data of principal for the purposes reasonably expected by the principal and in a manner that respects her privacy. The PDP Bill also confers certain privacy rights on the principal, including to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data. We expect this will increase compliance responsibilities on organisations.
That said, the Bill creates unique challenges for stakeholders involved in providing and processing personal data. Some of the key challenges are outlined below.
While the PDP Bill allows free transferability of personal data outside India, it envisages a soft localisation requirement for fiduciaries to retain a copy of the sensitive personal data (SPD, which includes financial data, health data, data official identifier) in India. The PDP Bill also introduces a new category of critical personal data (CPD) that must be processed only in India and can be transferred abroad only in certain exceptional circumstances. This data localisation mandate will require fiduciaries to look into the nature of data collected and develop mechanisms to segregate SPD and CPD from other personal data. Given the large volumes of data handled by certain businesses and the fact that data collected is typically stored by them in aggregate form, compliance with this localisation obligation to ensure that a sub-set of the data possessed, ie SPD and CPD, is stored locally, would necessitate implementation of machine-learning algorithms and artificial intelligence technologies to identify and segregate data. We expect this exercise to be burdensome for fiduciaries who may not have adequate resources to undertake such segregation and may even find it hard to take judgment calls on what data classifies as personal data, SPD or CPD.
This issue is compounded by the fact that the government retains an enabling right under the PDP Bill to categorise new categories of personal data as SPD in the future and also does not identify the elements of CPD to provide any predictability. Segregation and localisation of new kinds of data will require continuous tweaking of systems, and hence, pose unique challenges for Indian data fiduciaries.
Given the challenges involved in segregation of SPD or CPD, fiduciaries may be compelled to store all the personal data in India despite the ability to store personal data and SPD offshore. Any lapses by them could result in imposition of mammoth penalties calculated as a percentage of their worldwide turnover.
Service providers with professional expertise
The PDP Bill creates an interesting dilemma in respect of certain service providers having professional expertise such as legal consultants or auditors that are designated to perform a specialised regulated function/role. In the course of performing their duties, these service providers may obtain and process personal data, which may not necessarily flow directly from the principals. The question that arises in respect of such service providers is whether they should be considered as data fiduciaries or processors under the PDP Bill.
The PDP Bill defines data processors as entities who process data on behalf of data fiduciaries. The words ‘on behalf of’ suggest that the underlying processing is in fact an obligation of the fiduciary but has merely been outsourced by the fiduciary to the processor – a vanilla outsourcing function.
While evaluating if the service provider is performing its obligations solely on behalf of the client, it may need to be considered if the service provider is in a position to influence or control the purpose for which data is processed. If the service providers have no influence on the purpose of processing and undertake their activities solely for the benefit of their client, the definition of data processor under the PDP Bill could be widely interpreted to cover not only instances where the service providers perform their function ‘on behalf of’ the client but also where they process data for the benefit of or under the instructions of the client/fiduciary. In such a scenario, the processor will be bound by the provisions of the PDP Bill that impose various obligations on data processors, which include processing in a fair and reasonable manner.
However, where the service providers perform professional duties which cannot be undertaken by the fiduciaries themselves, for those functions, the same service providers who are treated as processors, may now be considered as data fiduciaries. In such a scenario, the service providers’ compliance with the obligations of the data fiduciaries (such as publishing privacy policies, obtaining consents for processing and transfer of personal data etc) could create significant practical challenges.
The lack of privity between the service providers and the data principals (whose personal data has been provided by the data fiduciaries) raises fundamental question as to how meaningful consent of the data principal can be obtained in the first place.
The penalties prescribed under the PDP Bill, some of which are calculated as a percentage of the worldwide turnover of the fiduciaries, appear to be a result of extensive deliberations, and are eye catching. However, the mechanism for awarding compensation to aggrieved data principals in case of breaches by fiduciaries, has hardly received the same consideration and attention. The PDP Bill is envisioned to safeguard the privacy of the principals. Yet, the provisions proposed under the PDP Bill may not address challenges faced by principals (to claim compensation) today.
Compensation payable to individuals is intended to be calculated on the basis of ‘harm’ suffered. However, in most cases of data breach, it may be impossible to quantify the actual harm or loss suffered by the data principal in absolute monetary terms. This is not always true. For instance, if a breach involves a breach by a fiduciary which is a bank, it may still be possible to determine the financial loss that the aggrieved data principal suffers as a result of such breach. This is also evident from a handful of claims, primarily involving banks, which have been awarded under the existing data protection framework contained under the Information Technology Act 2000 and the rules framed thereunder.
While the PDP Bill stipulates factors that may help determine monetary compensation, this may not have the desired effect as some of these factors are already present under the existing privacy regime. Instances of data breaches are reported time and again, but do not result in any compensation to principals whose data is compromised. In absence of a meaningful way to calculate harm, while penalties may be collected from fiduciaries, principals may remain without an efficacious remedy. Non-inclusion of provisions, which entitle principals to receive compensation where it is difficult to demonstrate actual monetary harm, seems like a missed opportunity.