Address issues like data ownership, data deletion rights before finalising data privacy draft bill
The Personal Data Protection Bill, 2018, does cover some of the key tenets that form the basis of any data privacy framework but a few aspects have not been covered by it.
The Personal Data Protection Bill, 2018 (referred to as the draft bill), is the first step to establish a framework for processing personal data of individuals or data principals. The committee headed by Justice BN Srikrishna released the Draft Bill along with their committee report, which attempts to outline the reasoning behind the provisions as proposed in the draft bill. The Draft Bill provides the obligations for three entities, namely, data principals, data fiduciaries, and data processors. The data fiduciaries would include such entities who would determine the purpose and means for processing personal data, with the data processors being entities that would be processing such data on behalf of the data fiduciaries.
Considering that it is in its initial stages, the draft bill does cover some of the key tenets that form the basis of any data privacy framework. Despite its coverage, there are still a few aspects that have not been covered by the draft bill.
Notably, the draft bill, as opposed to the recent recommendations on data privacy issued by the Telecom Regulatory Authority of India (TRAI), does not indicate with whom the ownership of data actually lies. This may impact the extent to which the draft bill may be effective in providing data privacy. A combined effect of other provisions of the draft bill gives an impression that the ownership does not lie with data principals, at least. For example, the provision related to 'purpose limitation' permits processing of personal data for 'any other incidental purpose', which may result in the dilution of control that the data principals possess in relation to processing of personal data.
Right to delete data
No provisions of the draft bill enable the data principals to completely delete their personal data from the repositories of the data fiduciaries. This may further limit the control that may be exercisable by the data principals. This aspect may need to be further assessed in order to ensure data principals have full control and say as to how their data is to be handled.
Extra-territoriality of the draft bill
The draft bill intends to have an extra-territorial effect and seeks to cover processing of personal data if the processing is 'in connection with any business carried on in India'. The phrase appearing in this provision appears to be vague and unclear. Does it intend to include businesses or commercial activities wholly carried out in India? Businesses or transactions may be such that they may be carried out across international borders. For example, financial transactions that may be initiated through institutions in India may involve foreign payment systems, which are based outside India. In such a case, part of a certain transaction may occur within India and other parts may be carried out outside India. It is unclear how such businesses would be covered under the provisions. Unfortunately, the report, too, is silent in this respect. The report only mentions these aspects in relation to social media platforms (based outside India), which routinely handle huge volumes of personal data related to individuals located in India. To that extent, it is unclear as to how the draft bill will implement the extra-territorial nature as prescribed therein.
Monitoring cross-border transfer of personal data is one of the functions of the proposed Data Protection Authority of India (DPA). Such monitoring of cross-border transfers of personal data in digital form would only be possible if communication networks are specifically monitored by the DPA. However, the draft bill does not reconcile how such functions may be implemented in light of Section 69 of the Information Technology Act, 2000. The present provision stipulates that only agencies that are authorised by the Central/State Government may monitor transmission of information over a communication network. This is further conditional on the government being satisfied that such activities are necessary for national security and in the national interest. Such a provision may have to be reconciled with the provisions of the IT Act to effect regulation of cross-border transfer of personal data.
Issues such as data ownership and data deletion rights are some of the critical lacunas. These aspects are considered the bedrock for an effective data privacy framework in India considering the large population, extent of digital penetration, and level of digital literacy in India. These aspects have to be addressed before the Draft Bill is finalised, as these would be necessary for ensuring that data privacy within India is effective and comprehensive.
Prashant Phillips is a Partner at Lakshmikumaran & Sridharan Attorneys.