India's Personal Data Protection (PDP) Bill

Ambiguous definitions for compliance (Clauses 14, 24)

Clause 14 states that personal data can be processed without consent. Specifically, Subclause 14(1)(c) states that any data in need of public interest shall be given this right without consent. Nowhere in the PDP Bill is there a definition of what constitutes public interest. This can lead to large-scale misinterpretation of the legislation. Further, protections are required to ensure that minority groups’¹ concerns are also included in the definitions of public interest.

On the other hand Subclause 14(1)(b) allows Data Fiduciaries (DF) to assume consent in certain cases which has legal ramifications. An example is the case of AOK Baden-Wuerttemberg² in Germany that used personal data from its customers for a raffle. Here, the company assumed that consent of the 500 participants was received. However, as per legal consent requirements, this was not the case. The company was subsequently fined 1.5 million dollars.

Clause 24 focuses on the actual process of data processing. It is important to understand that many businesses may have already started implementing their own data processing tools. But due to the arbitrary definitions of the process in the PDP Bill, their work may not be considered compliance ready. Therefore, it is necessary to provide clear articulation of what practices are deemed acceptable in each Subclause - 24(1)(a)(b)(c) - which look at the processes of de-identification and encryption, protection of integrity of personal data and steps necessary to prevent misuse of data, respectively. For example, StarMed Specialist Centre Ltd³ in Singapore reported a breach due to a Remote Desktop Protocol (RDP) Port left open, allowing for unauthorized access. Fiduciaries must know of all the possible risks and correct methods for implementation to avoid such situations. Without such clarity, many businesses may be investing in protocols that are not adequate, and can result in non-compliance, data breaches and penalization.

Definitions for governance (Clauses 26, 35, 86)

Clause 26 allows the Data Protection Authority (DPA) to have a final say in judging whether a business entity may be defined as a DF or a Significant Data Fiduciary (SDF). The DPA has the power to overwrite previous Subclauses which take into account aspects such as turnover and size of the organization. We know from penalization clauses that financial costs of non-compliance grow extensively when a DF is classified as an SDF. Without a clear code of conduct on how and why such judgements are allowed, many small business entities will not be able to financially recover from the compliance costs of PDP, especially if they are classified as SDF.

Similarly, Clause 35 allows the Central Government to have unbridled exemption powers over the governance of data that needs to be revisited. This is further accentuated by the Subclause 86(3) which allows the government to override the DPA’s authority.

Practitioners from the industry have highlighted that the DPA must focus on capacity building and upskilling for compliance and privacy roles and responsibilities. The DPA should partner with organizations that undertake such initiatives. As one of the participants at the Data Privacy Conference⁴ said:

“Technological implementations are overrated. Investment has to be done in people and setting up processes. To address something at the technical layer is easy if you have to enable say, encryption access management. The larger problem is people. Here, you need a lot of investment in the form of skill training and making them aware of what is required - the legalese and then implementation approaches and alternatives.”

Broad definition irrespective of varied stakeholders (Clauses 27, 50, 53)

Except for Clauses articulating financial penalizations, other aspects of governance remain the same despite having completely different effects on the ground. Aspects of governance remain vague and open to interpretation. Without clarity, many stakeholders will be confused, which may lead to further non-compliance. Instead, representatives from the community believe that there must be a fairer risk assessment protocol for different organizations and options for scaled down data processing practices for smaller organizations.

Since the DPA has the final authority over what can be defined as fair processing of personal data, this ambiguity does not help businesses who do not have adequate knowledge or support with regards to implementing data protection. Similarly, even the inquiry process may not be difficult for larger organizations to handle. But for smaller entities, this can lead to financial collapse. Therefore, it is important to take into account the nature of the organization and further details regarding their functioning when trying to govern businesses. Clause 27 provides a vivid example of how this can be confusing. Many entities can be defined as SDFs because they use social media technologies. Here, updating technology practices may have to be halted, stalling opportunities for innovation.

Definitions of Data that intersect (Clauses 3, 15)

Sensitive personal data under Subclause 3(36) includes financial data, health data, official identifiers, biometric data, sexual orientation, etc. In Clause 15, the Central Government once again has the final authority along with the DPA to define what may be considered sensitive personal data, defined by risks based on significant harm. It is important to address and pin down what significant harm means and the criteria for the same.
Under these Clauses, we see that there are concerns about the broad scope of personal data, and the DPA’s arbitrary use of power in defining what constitutes sensitive personal data.

We recommend that such definitions be reviewed to not cause confusion during implementation by all parties.