India: Comparing the 2018 and 2019 data protection bills
In July 2018, the Committee of Experts on Data Protection ('the Committee') submitted a draft Personal Data Protection Bill, 2018 ('the 2018 Bill') to the Government of India. On the basis of recommendations made by the Committee, and suggestions from various stakeholders, on 11 December 2019, the revised Personal Data Protection Bill, 2019 ('the 2019 Bill') was introduced to the lower house of the Indian Parliament, Lok Sabha. This article compares the two bills and identifies the key changes.
Definition of personal data
Section 3(28) of the 2019 Bill expands the definition of 'personal data' to include a reference to online or offline characteristics, traits, attributes or any other feature of the identity of a natural person, as well as 'any inference drawn from such data for the purpose of profiling'.
Definition of sensitive data
The 2019 Bill excludes passwords from the definition of sensitive data.
Right to erasure
Whilst both the 2018 Bill and the 2019 Bill afford data subjects the right to be forgotten i.e. data subjects can restrict or prevent the continuing disclosure of their personal data (Section 27 and Section 20 respectively), Section 18 of the 2019 Bill also includes a right to erasure for data subjects for personal data which is no longer necessary for the purpose for which it was processed.
Reasonable purposes for processing
Section 14(2)(h) of the 2019 Bill includes the 'operation of search engines' as a possible reasonable purpose to process personal data without obtaining consent from the data subject.
The 2018 Bill does not include this provision.
Data localisation and transfer requirements
Whilst Section 40 of the 2018 Bill required data fiduciaries (data controllers) to store a copy of all personal data on a server or data centre located in India, Section 33(1) of the 2019 Bill limits this requirement to sensitive personal data. Moreover, Section 34 of the 2019 Bill introduces a mandatory requirement to obtain consent from the data subject for cross-border transfer of sensitive personal data, which was not present in the 2018 Bill.
Social media intermediaries
The 2019 Bill lays down norms for social media intermediaries ('SMIs')i.e. 'an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services (Section 30 of the 2019 Bill). In particular, the 2019 Bill notes that SMIs who have users above a certain threshold and whose actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order, or the sovereignty and integrity of India would be classified as 'significant data fiduciaries', and would be subject to the obligations relating to Data Protection Impact Assessments, record keeping, data protection officer appointment, and annual audits under Sections 27-30 of the 2019 Bill.
Moreover, Section 93(1)(d) of the 2019 Bill outlines that the Central Government may make rules for the methods of voluntary identification to identify users of social media.
The 2018 Bill does not contain any reference to SMIs.
Section 91(2) of the 2019 Bill introduces powers for the Central Government, in consultation with the Data Protection Authority ('DPA'), to direct any data fiduciary or data processor to provide any anonymised personal data, or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.
The 2018 Bill does not contain any similar provision.
Data Protection Authority selection committee
Both the 2018 Bill and the 2019 Bill state that the chairperson and members of the DPA shall be appointed by the Central Government on the recommendation of a selection committee (Sections 50(2) and 42(2) respectively). However, whilst the 2018 Bill's selection committee consisted of the Chief Justice of India or a Supreme Court judge as the chairperson of the committee, the Cabinet Secretary, and an expert nominated by the Chief Justice or Supreme Court judge, the 2019 Bill's selection committee is composed of the Cabinet Secretary as the chairperson, and the Secretaries to the Government in the Ministry/Departments dealing with legal affairs, and electronics and IT.
Exemption of government agencies
Section 35 of the 2019 Bill introduces a power for the Central Government to exempt any government agency from the application of all or any provisions of the Bill with respect to processing personal data, in the interest of, and for preventing incitement to the commission of any cognisable offence relating to the sovereignty and integrity of India.
The 2018 Bill does not contain this provision.
Whilst the 2018 Bill included imprisonment penalties for three instances: for data fiduciaries who violate the provisions on obtaining, transferring, or selling personal data; sensitive personal data; and for re-identification and processing of de-identified personal data (Sections 90-92 of the 2018 Bill), the 2019 Bill only imposes a penalty of imprisonment for the offence of re-identifying and processing de-identified personal data (Section 82 of the 2019 Bill).
In summary, there are several notable changes between the two bills. The 2019 Bill strengthens the powers of the Central Government by including powers to exempt agencies from the legislation, introduces specific provisions for SMIs, and relaxes the norms on data localisation and cross-border data transfers. Moreover, the 2019 Bill emphasises the growth of the Indian digital economy and ensures the availability of anonymised personal data for use by the Central Government. As the Indian Parliament continues to debate the 2019 Bill, it remains to be seen what form the final version of the legislation will take.
Tooba Kazmi Privacy Analyst