For obvious and justified reasons, the coronavirus pandemic dominates the news currently. One of the latest developments is that India’s Prime Minister, Narendra Modi, has put his entire country on lockdown. Ordering 1.35 billion people to stay indoors is a pretty dramatic move. A side-effect of that lockdown is that one of the most important pieces of privacy legislation, the Personal Data Protection Bill 2019, has been delayed in its passage through the Indian parliament.
The history of the proposed law is bound up with India’s huge Aadhaar project, which seeks to provide everyone in India with a randomly-generated, unique 12-digit number associated with their fingerprints and iris scans. The scale of this project has raised concerns about its impact on Indian citizens and their human rights. In 2017, the Supreme Court of India made a key ruling in the context of Aadhaar: “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” That was followed up by another Supreme Court judgment that placed strict limits on how the data gathered by Aadhaar could be used. The court cases underlined the lack of a legal framework for privacy protection in India. The new law aims to plug that gap.
Carnegie India has a good summary of the Bill’s main elements. If the law comes into force, it will apply to almost all businesses in India – from the largest industrial giant, to small digital startups. Some financial and telecoms companies are already subject to many of the requirements, but for most Indian businesses, they will be new and demanding:
businesses would have to tell users about their data collection practices and seek customers’ consent. They would have to collect and store evidence of the fact that such notice was given and consent was received. Because the bill gives consumers the right to withdraw their consent, businesses would also have to come up with systems to allow consumers to do so.
The bill gives consumers the right to access, correct, and erase their data. Businesses would have to create ways to allow consumers to do so.
Other measures include allowing consumers to transfer their data to other businesses, and for companies to adopt a privacy-by-design approach. Those aspects might be expected given the intent of the Bill. More unusual is a requirement for “sensitive personal data” to be stored in India, and that “critical personal data” should not be transferred out of the country. Such data localization requirements are increasingly being introduced by countries, but the size of the Indian market means this will have a big impact on how companies operate in the country. Also intriguing is the following proposal:
Under the bill, the government can require any business to share valuable nonpersonal data (such as aggregate mobility data collected by apps like Google maps or Uber) with the government. The bill is silent on whether businesses will be compensated for their loss. This could have negative long-term consequences on innovation and economic growth.
The penalties for non-compliance can be steep: the maximum amount that can be imposed is 150 million Indian rupees (about $2 million), or 4% of the global turnover of the company in the preceding financial year. That last figure is the same as the EU’s GDPR, which is fast becoming the global yardstick against which other privacy laws are measured. However, as the Carnegie India article notes, there are some differences between the Personal Data Protection Bill 2019 and the GDPR:
the bill gives India’s central government the power to exempt any government agency from the bill’s requirements. This exemption can be given on grounds related to national security, national sovereignty, and public order.
While the GDPR offers EU member states similar escape clauses, they are tightly regulated by other EU directives. Without these safeguards, India’s bill potentially gives India’s central government the power to access individual data over and above existing Indian laws such as the Information Technology Act of 2000, which dealt with cyber crime and e-commerce.
Also missing from the GDPR is the power to demand non-personal data from companies. That is an extremely broad power, and it could have major implications on how companies operate in India.
As the coronavirus pandemic continues, it seems unlikely that much, if anything, will happen for the moment with this Bill, which was being scrutinized by a Joint Committee of the Houses, in consultation with a range of stakeholders, including citizens, small and large companies, and law enforcement agencies. According to an article in the Indian title Business Today, the Joint Committee was expected to look at definitions of what constitutes personal, sensitive and critical data, and what data must be kept in India. When the article was written in December, it was suggested that the scrutiny would take three or four months to complete. That timetable has been disrupted by Covid-19 and the lockdown imposed on the Indian population. Medianama reports that it is now expected that the Joint Parliamentary Committee will submit its report on the Personal Data Protection Bill in the early part of the Monsoon Session, which Wikipedia says runs from July to September. That is presumably assuming that the lockdown is not extended or repeated; it’s not clear whether that will be the case. However, a later delivery of the report is not really a problem: with legislation like this that deals with fundamental rights, it is far more important to get it right than to get it done quickly.
Feature image by Ken Wieland.