On 22 November 2019, the Future of Finance Initiative at Dvara Research organised a Roundtable on Implementing India’s Personal Data Protection Bill, building on the policy brief released in October. This blog sets out some insights from the proceedings.
The introduction and passage of the draft Personal Data Protection Bill (the Bill) in the Indian Parliament appear imminent. If passed, the Act will represent the culmination of over two years of debate and discussion in the country. We engaged closely with both rounds of Government consultation, submitting extensive comments (including a companion mock draft legislation) that set out our model for better user data protection; that model was recognised in the Final Report of the Committee on a Data Protection Framework for India and, in some respects, in the draft Bill.
Although the Bill sets the framework for the future of data regulation in India, whether a truly user-protecting regime emerges will depend on the rules and regulations issued once it is passed. The Bill tasks the Central Government and a future Data Protection Authority (DPA) with releasing rules, regulations, notifications and codes of practice (together, “subordinate legislation”) to fill gaps in the framework and bring it into full effect. Without this subordinate legislation the Bill could have limited impact and effect, so the Central Government and the DPA will need to issue it very swiftly after the Bill is passed, within the transition period the Bill allows. In this context, we were keen to use this roundtable to begin a broader conversation on the regulatory work that will unfold after the law comes into effect. We believe this will help ensure that the elements of our data protection law pass into implementation without compromising user protection or inducing business uncertainty.
A. Objectives of the Roundtable
In October 2019, we released a policy brief titled Implementing the Personal Data Protection Bill, 2018: Mapping Action Points for the Central Government and the future Data Protection Authority in India. In the policy brief, we presented a blueprint that could guide the Central Government and the DPA in systematically implementing the Bill. The policy brief set out all the subordinate legislation required to be released under the Bill, together with a first attempt to prioritise the order in which the Central Government and the future DPA should release it. To test this understanding, and to build a more robust picture of the practical aspects that need to be considered when implementing this far-reaching regime, we sought to bring together practitioners and experts to reflect on this thinking together. The Roundtable was attended by a diverse group of financial sector participants, BigTech firms and technology service providers, researchers and public policy experts. By beginning conversations like this one, we hope to build wider dialogue on a systematic approach to future data protection regulation, one that avoids the ad-hoc passage of rules that could create gaps in consumer protection or disruptions in the data economy.
The broad objectives of the Roundtable were to (i) get feedback on the priority areas for future regulation-making; (ii) understand the impact of the proposed areas of rule-making on current data practices; and (iii) begin to consider the changes required in the financial sector to arrive at coherent data protection regulations and practices there.
B. Key insights from the Roundtable
The Bill will impose new conditions on all data fiduciaries across sectors about when they can collect personal data and how they can process it. This can have a massive impact on how data fiduciaries currently process personal data. The discussions through the day reflected on six key areas in the Bill: (i) Scope & Limitations (ii) Grounds of Processing (iii) Data Fiduciary Obligations (iv) Transparency & Accountability Measures (v) Rights of Data Principals, and (vi) Cross Border Transfers. Across all stakeholders, the discussions crystallised the specific areas of high priority for future regulation-making.
1. Anonymisation: There was a consensus that it would be critical to get clarity on standards for anonymising personal data under the Bill. Anonymised data does not fall within the purview of the Bill (as per section 2(3)), so the anonymisation standard effectively marks the boundary of the law’s protection: a weak standard would let data that can still be re-identified escape regulation altogether. It is therefore key to consumer protection that these standards are specified rigorously enough that companies are incentivised to invest adequately in anonymising the personal information they hold. A future DPA will need to release anonymisation standards as a matter of priority, and consult technical experts while drafting anonymisation methods so that regulatory requirements are aligned with technical reality.
2. Consent: The Bill requires data fiduciaries to obtain “valid” consent from a data principal before they can process their personal data (unless they can use other grounds for processing under chapter III & IV of the Bill). There remains uncertainty about how consent must be taken and what factors can be used to understand when consent is valid. It is important to consider how (and whether) future regulation should address this issue as a matter of priority, given consent is the main ground for processing personal data under the Bill.
3. Age verification: The Bill requires data fiduciaries that process children’s personal data to verify whether a person is under the age of 18. If a person is less than 18 years old, several safeguards are mandated under the Bill. The unfortunate consequence of this is that data fiduciaries will need to verify the age of all data principals to identify if any of them are below the age of 18. This would be onerous and potentially impossible, given the current structure of the internet.
4. Purpose limitation: Under the new law, data fiduciaries will need to state the purpose for which they seek to process personal data before doing so. The Bill requires such purposes to be stated in a manner that is “clear, specific and lawful”. Additionally, once collected, personal data can be processed for purposes that are “incidental” to the original purpose. Guidance will be required on how the term “incidental” should be applied in practice. Any lack of clarity will also directly impact several related provisions in the Bill. For instance, data fiduciaries must delete personal data once the purpose for which it was collected is fulfilled. If there is no clarity on the scope of lawful and incidental purpose, there will be no clarity on when such purpose is fulfilled and accordingly when the relevant personal data must be deleted. Similarly, the Bill requires a new notice to be served on users if personal data is used for a new purpose. Once again, there may be no clarity on when a new notice must be served unless there is clarity on the bounds of the lawful and incidental purpose.
5. Critical personal data: Critical personal data under section 40 of the Bill is a niche category of personal data which cannot be transferred out of the country. The Bill does not currently define what falls within this category, so a definition will need to be supplied through subordinate legislation for this provision to be meaningful.
6. Data portability: Under the Bill, data fiduciaries must port personal data to other data fiduciaries in a commonly understood and machine-readable format. Currently, data fiduciaries in different sectors adopt different standards for sharing data. Therefore, the DPA will need to prescribe common standards to enable the sharing of personal data across entities. In addition, it is unclear whether the right to port personal data covers data observed or inferred about a person by a data fiduciary (and thereby identifying them personally) or merely personal information the person submitted to the data fiduciary. For example, would a ride-sharing service’s analysis that a person generally takes a consistent route to work every day constitute data that should be ported?
7. Liability: Data processing activities can involve multiple entities in the same transaction. There were several discussions around the need to clarify the liability structures in chains with multiple data fiduciaries and data processors. Although the Bill does attempt to do so, in provisions relating to how compensation should be paid out to aggrieved data principals, subordinate legislation could clarify the overarching liability framework for civil and criminal actions under this law.
8. Codes of Practice versus Regulations: A key point of discussion was the need to distinguish the role that codes of practice would play in the regulatory scheme of the Bill. In some areas, it could be more appropriate for codes to be developed and adopted by industry rather than static regulation imposed by the DPA. For example, each industry could have a different code for determining when data is categorised as “personal data” or “sensitive personal data”, as these are highly contextual and use-based determinations.
9. Inter-sectoral coordination: Participants indicated that regulation to implement the Bill may need to be drafted at the sectoral level. For instance, regulations on collection limitation could be very different for social media entities compared to financial sector entities. In addition, the DPA will have to interact with several sectoral regulators (e.g. the RBI, SEBI, TRAI) to align their existing regulations with the new law and to implement the Bill effectively.
As we closed discussions at the Roundtable, the immense investment of attention and time needed from all stakeholders in India to meaningfully translate the Bill into practice was amply clear. Organisations and regulatory authorities are spread across a wide spectrum in terms of preparedness for the new law. Technologists, industry groups, civil society and consumer groups need to self-organise in order to inform the interpretation and development of several critical provisions of the Bill. Through the Roundtable, our attempt was to convene, for a joint conversation, a diverse group of people who will be thinking deeply about how to tackle the implementation of a data protection law. This was an important first step in a much longer conversation, and we hope many more like it take place in the months and years ahead.
Note: According to section 97 of the Bill, this transition period can be a maximum of 24 months from the date the Bill receives Presidential assent.