## Saturday, October 20, 2018

### Response to the Draft Personal Data Protection Bill, 2018

by Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman.

The Ministry of Electronics and Information Technology ("Meity") recently sought public comments on the draft Personal Data Protection Bill, 2018 (the "Bill") drafted by the Justice B.N. Srikrishna Committee of Experts ("Srikrishna Committee"). The Bill contains the Committee's proposals towards the creation of a free and fair digital economy, by setting out the rights and obligations governing the use of personal data and creating a statutory agency, referred to as the Data Protection Authority of India ("DPA"), to implement the law.

We wrote a detailed submission to Meity, which is summarised here. The Bill offers a fairly comprehensive set of data protection principles and rights to data subjects, particularly in relation to data processing by private entities. However, there are several key areas where the positions adopted by the Bill need to be revisited. This includes provisions relating to the structure and design of the DPA, role of adjudication officers, cross border transfer of data and scope of exemptions under the law, particularly in relation to government agencies. In this, we build upon our response to the White Paper, released by the Srikrishna Committee early in their work process.

### Definitions and scope

While recognising that many of the terms and phrases used in the Bill will require jurisprudence to develop around them, several defined terms need modifications in order to clarify the scope of the law and ensure its appropriate application. In particular, clarity is needed on terms like "anonymised", "harm", "sensitive personal data", "personal data breach", "disclosure to the public" and "genetic data":

1. Section 3(3) - "anonymisation": The Bill indicates that anonymisation of data should be "irreversible" in nature and should meet the standards specified by the DPA. A considerable literature has established that perfect anonymisation is hard, if not impossible to achieve (particularly due to new recombination methods that are constantly developing). Therefore, the Bill potentially sets an unachievable standard for anonymisation by using the word "irreversible". The definition needs to be more narrow: data fiduciaries should be required to meet the standard of anonymisation specified by the DPA. A separate provision could be introduced detailing the factors for the DPA to consider in setting the relevant standards and codes of practice on anonymisation.
2. Section 3(20) - "genetic data": The Bill limits the scope of "genetic data", which is part of sensitive personal information, to genetic characteristics which "give unique information about the behavioural characteristics, physiology or the health of that natural person". This implies that the definition only covers coding DNA. However, a lot of the DNA in the genome do not give any information about a person's behavioural characteristics, physiology or health. Such DNA, known as "non-coding DNA", can nonetheless be used for DNA profiling and is currently not covered under the Bill. To remedy this lacuna, the definition of "genetic data" must be expanded to include DNA profiles which can be used to establish identity, genealogy or kinship.
3. Section 3(21) - "harm": The definition of "harm" in Section 3(21) is critical as it forms the trigger for various rights/ obligations under the Bill. In the harm of "discriminatory treatment" under Section 3(21)(vi), it is unclear what specifically amounts to discriminatory treatment or the standard to be applied in this regard. For instance, would this bar the use of personal data to charge differential prices for services or offer different services to different individuals? It would be useful to have some standards/ tests that would be applied by different actors responsible for assessing harms in different contexts. The Constitution of India offers the standards for assessment of discrimination by the State under provisions like Article 14 (arbitrariness) and Article 15 (protected grounds include sex, caste, etc). However, we need fresh thinking on how to interpret discrimination, undertaken both by private parties and State agencies, in the context of personal data. Requiring the DPA to offer some clarification around these issues will enable greater certainty in the application of the provisions.
4. At the same time, the law must also account for harms that may arise in the future, including through new technological innovations allowing the use of personal data in unforeseen ways. Therefore, we suggest that the Bill should also consider including loss of confidentiality of personal data, including in situations where the personal data may be provided under specific professional settings; and the possibility of psychological manipulation or restriction of autonomy of individuals, especially in non-trivial contexts such as voting in elections, as "harms".
5. Section 3(35) - "sensitive personal data": We recommend that in addition to the list given under the provision, the definition of "sensitive personal data" must also contain scope for a context specific determination (of what constitutes sensitive data) to ensure that information that reasonably reveals sensitive personal data would also be included within the ambit of the phrase. For instance, treating location data as personal data may or may not be problematic as a general rule, but in certain contexts (such as communication surveillance), this data may require higher protection. While the Srikrishna Committee Report notes that there may be a cost in permitting a contextual determination of what constitutes "sensitive personal data", this argument is unconvincing, given that the law does not hesitate to impose costs on entities in areas where the gains as far as privacy protections are concerned are not particularly clear (for instance, the provisions pertaining to localisation/ mirroring of data).

Finally, on the scope of the law, we question whether the data protection law should apply only to the data of living persons or could it also be extended, in certain circumstances, to cover the personal data of either unborn children or deceased individuals. We argue that given the increasing instances of test-tube babies, freezing of embryos, etc., it may be useful to consider extending certain protections to relevant categories of personal data at even this stage. Equally, personal data of the deceased should also be protected in certain circumstances -- for instance, where it may reveal information pertaining to a living person (say a blood relative).

The draft Bill currently does not define the scope of a "data breach". It also does not mandate notice being provided to the data principal in each and every case of a breach. We believe that this reduces the control that individuals can exercise over their personal data and their choice to discontinue transacting with specific data fiduciaries based on perceived data risks. While certain exemptions must be crafted to ensure that data fiduciaries are not overburdened in terms of their notification obligations, this must not come at the cost of individual autonomy.

### Cross border transfer of data

Sections 40 and 41 of the Bill propose a "three-pronged model" for international transfers of personal data. As per this, one live, serving copy of all personal data should be stored in India, in addition to which certain categories of "critical personal data" (to be notified by the government), will be bound by a stricter requirement of being stored and processed only in India. Finally, the government will have the power to exempt particular countries, sectors or international organisation from the restrictions on free flow of data across borders on the grounds of "necessity" or "strategic interests of the state". We disagree with the proposed model, and the absence of any cogent reasons or cost-benefit analysis to justify these decisions.

We recognise that the government may have reasons, in certain situations, to force data localisation, from a strategic, social or economic perspective. However, the present law deals with only privacy and data protection related rights, and as such, should only look to enable localisation where it is demonstrable that the privacy protections afforded by such a step are worth the trade-offs associated with localisation (in terms of restriction of expression and privacy rights, costs to businesses, environmental costs, etc.).

While localisation measures may, in certain situations, enhance privacy protections (assuming that the foreign location where the data is stored has a sub-optimum framework for data protection), they can also negatively impact rights (including those relating to free expression and privacy) and greatly increase the cost to business (Bailey and Parsheera, 2018). These costs have not been adequately justified by commensurate gains in the Srikrishna Committee's recommendations. Given the ability to utilise numerous less intrusive measures to provide Indian data with an equal measure of protection (such as binding contractual rules, need for adequacy decisions prior to transfer, etc.), we believe that the provisions requiring mandatory mirroring of personal data within India/ complete localisation of critical personal data are disproportionate and must be revisited.

This is not to say that localisation can never be a necessary or proportionate response to perceived harms from privacy. However, in order to make this case, specific harms must be identified, and the costs and benefits of imposing the proposed measures must be adequately demonstrated (Bailey and Parsheera, 2018). We suggest, therefore, that the Bill itself should contain no specific mandate pertaining to mirroring or complete localisation. To the extent that it may empower the DPA or the Government to direct the localisation of certain specific types of data or by specific entities, it should mandate a robust cost-benefit analysis and public consultation processes before arriving at such a decision.

### Exemptions

According to Sections 42 and 43 of the Bill, processing of personal data in the (a) interests of the security of the state; and (b) for prevention, detection, investigation and prosecution of any offence or any other contravention of law is exempt from most obligations in the Bill, if it is (i) in accordance with the law, (ii) follows the procedure set out by that law (this requirement does not apply to Section 43), and (iii) is necessary and proportionate. While these provisions embed the proportionality standard set out by the majority in the Supreme Court's Puttaswamy decision and confirmed more recently in the Aadhaar case, the Bill fails to address the related structural and procedural elements that are required to operationalise these principles. For instance, while the Bill states that the interception should be necessary and proportionate, it does not address the question of who should make this determination.

The Srikrishna Committee's report acknowledges that the current processes under the Information Technology Act and the Telegraph Act, which provide only executive review for interception requests, are not sufficient and recommends that District Judges should be reviewing the processing of personal information by intelligence agencies in closed door proceedings. Apart from ex-ante judicial scrutiny of interception requests, the report also talks about ensuring accountability through ex-post, periodic reporting and review by a parliamentary committee. However, these requirements do not find mention in the text of the Bill itself. While the Bill may not be the correct site for ensuring a complete overhaul of the intelligence apparatus, not least due to the organisation and structural changes that may be required within intelligence and law enforcement services, nonetheless, the Bill should have proposed these ex-ante and ex-post oversight mechanisms over intelligence activities as amendments to the Telegraph Act and Information Technology Act and the procedural rules made under them.

As highlighted by us in Bailey et al., 2018, the following reforms are needed in the law:

1. Prior judicial review: The current process of authorisation of surveillance requests by the executive needs to be amended to incorporate an element of prior judicial review. A provision for post-facto judicial scrutiny can be made for situations that require immediate action in cases of emergency. This review may be conducted through specialised courts designated for this purpose or by designated judicial members in an independent body, such as the DPA. Any amendments to the current laws should also lay down a procedure for appeal against the decision of the judicial body. Accordingly, the Bill should propose the adoption of the proposed structure by suggesting corresponding amendments to the Telegraph Act, Information Technology Act and the rules framed under those laws.
2. Procedural guarantees: It is unclear why Section 43 of the Bill, which exempts the processing of data in connection with any offence or other contravention of a law from most obligations in the Bill, does not mandate that the processing should be done in accordance with the procedure set out under the authorising law (as stated under Section 42). It is imperative that the obligation to follow the procedure set out in law should be introduced in Section 43.
3. Reporting and transparency: Appropriate ex-ante and ex-post reporting and transparency obligations need to be imposed on LEAs and intelligence agencies in respect of all surveillance activities. In addition, appropriate oversight bodies must be identified and should be required to publish periodic reports of their activities and that of LEAs/ intelligence agencies under their supervision. At the same time, service providers that receive surveillance requests must be permitted to publish aggregated statistics detailing the volume and nature of such requests.
4. Notice to data subject: There should be an obligation to provide deferred notice of interception to the concerned individual. However, the law can allow the intelligence agency or LEA to seek the approval of the judicial body to delay or avoid the requirement of notice under certain exceptional circumstances. For instance, if it can be established that such a disclosure would defeat the very purpose of surveillance. Circumstances under which this exception can be invoked should be listed clearly.
5. Right to seek redress: The requirement of notice to the data subject must be accompanied by a right to challenge and seek appropriate redress against surveillance activities. This right should extend to a person who is, or has reasonable apprehension of being, the subject of surveillance. In addition, intermediaries that are under a legal obligation to facilitate access to information by LEAs should also have the legal right to question the scope and purpose of the orders received by them.
6. Privacy Officers: Intelligence agencies and LEAs should have an obligation to appoint data protection officers. The data protection officer should be required to, inter alia, scrutinise interception requests by the agency (before they are put up to the sanctioning judicial body), and ensure adherence to the relevant laws. Further, their considered opinion pertaining to interception requests must be recorded in writing and available to relevant oversight bodies, if not the public.
7. General data protection rights: With regard to personal data processed by LEAs and intelligence agencies, we recommend that the Bill must ensure that, as far as possible, data principals are provided with access and rectification rights, and personal data maintained by relevant authorities is up to date and accurate. Further, data retention norms also need to be appropriately designed to ensure that only relevant data is stored by the authorised agencies.

The other exemptions granted under Chapter IX of the Bill also need to be revisited on several counts. This includes: (i) adding categories such as 'academic' and 'artistic' work to the list of exempted activities; (ii) making the existing exemptions more nuanced, thus ensuring a more appropriate balance of privacy with competing rights such as the freedom of expression, right to profession, etc.; (iii) revisiting the pre-conditions for availing the 'journalistic' exemption, which as currently drafted may drastically affect online expression rights; and (iv) ensuring a public purpose limitation on the exemption granted for research purposes.

### Structure and powers of the DPA

When it comes to the structure and processes of the Data Protection Authority, we find that the Bill is in need of significant improvements. In this regard, we make the following key recommendations:

1. Composition: In terms of its composition, the DPA consists of a Chairperson and only whole-time members. We think there is merit in considering the inclusion of part-time, non-executive members on the DPA who can bring in the requisite expertise into the agency while also providing checks and balances against any management issues in the agency.
2. Selection process: Section 50(3) of the Bill provides that the Government will make rules to prescribe the procedures of the selection committee constituted for recommending names of DPA members. The integrity of the selection procedure needs to be protected by requiring that all short-listing and decision making by the committee is done in a transparent manner. Therefore, we recommend that the primary law should incorporate certain details regarding the processes of the selection committee. For instance, it should require the committee to disclose all the relevant documents considered by it and prepare a report after the completion of the selection procedure. This would include the minutes of the discussion for nominating names, the criteria and process of selection and the reasons why specific persons were selected.
3. Coordination with other agencies: Section 67 of the Bill provides for coordination between the DPA and other agencies. This is a welcome provision but there is need for certain clarifications in its scope. First, the Bill restricts the coordination requirement only to other statutory agencies but there may be situations where certain regulatory actions fall directly within the domain of a Ministry or Department of the Government. Therefore, the Bill should expand the scope of this provision to include coordination between DPA and other ministries and departments of the Government. Second, it is not clear as to how it will be determined whether the other body has "concurrent jurisdiction" with the DPA. Instead of leaving this determination entirely up to the DPA it would be advisable for the Bill itself to contain a non-exhaustive list of such matters and agencies with corresponding amendments to relevant laws requiring respective agencies to undertake similar co-ordination with the DPA. In addition to this, the Government may prescribe other matters and agencies to be covered in the list. Third, the Bill makes it discretionary for the DPA to enter into memorandums of understanding ("MOUs") with other agencies. We recommend that this requirement should be made mandatory and the Bill should also set out a non-exhaustive list of the matters to be covered in the MoU.
4. Regulation making process: The Bill does not mandate the DPA to ensure transparency in the discharge of all its functions, a provision that is necessary in such a law given the wide range of powers being conferred upon the DPA. Further, except in case of the codes of practice, the Bill does not lay down provisions for effective public participation in the DPA’s regulation-making processes. We propose that the law should require the DPA to undertake an assessment of the expected costs and benefits of any proposed regulation and seek to adopt measures that minimise the compliance costs while meeting the intended objective. Equally, the law should also mandate the DPA to provide an explanation for the decision finally adopted by it and the broad reasons for acceptance or rejection of the comments raised by stakeholders and the public.
5. Power of adjudication: The Bill raises the structural issue of housing both regulatory and adjudicatory functions within the DPA, which can lead to the dilution of the Authority's core regulatory functions. It may also result in a conflict on interest by making the same agency responsible for the framing of regulations and providing redress for their breach -- a large number of complaints on an issue reflects non-compliance by data fiduciaries but also that the DPA may have failed to take appropriate regulatory or supervisory actions to curb such malpractices. Accordingly, we reiterate the submission made by us in response to the White Paper, that the redress of individual data protection complaints should be entrusted to a separate redress agency or ombudsman, that will function independently on the DPA. There should, however, be a strong feedback loop between the proposed ombudsman and the DPA using which the DPA can gain information about the type of complaints being raised, the entities to which they relate and the underlying causes.
However, in case the government proceeds with the Bill's recommendations on locating the complaints redress function within the DPA, there is still a case for making certain improvements in the proposed structure of the process. The current provisions of the Bill provide that any complaint raised by a data principle would directly proceed to determination by an adjudication officer (after the individual has first approached the data fiduciary's internal redress mechanism). We note that instead of directly sending the compliant for adjudication, there is a case for first facilitating an amicable settlement between the individual and the data fiduciary through mediation process. In cases where the parties fail to reach a settlement, the matter could then proceed for adjudication. Creating such a mechanism in the law would reduce the burden on adjudication officers, move to a less adversarial process, and expedite the settlement of grievances.
6. Committees to advise the DPA: We propose that the law should empower the DPA to appoint various committees as may be necessary to assist it in the discharge of its functions. It would also be useful for the law to put in place a multi-stakeholder committee that can advise the DPA on the framing of standards that may be applicable in different contexts and the interpretation of the data protection principles laid down in the law. In this regard, the "Article 29 Working Party" in the European Union could be a useful example for incorporating such a mechanism in the Indian data protection law.

### Offences

We argue that the criminal provisions contained in Sections 90, 91, 92, and 93 of the Bill should be revisited -- being draconian, vague and overly broad. Sections 90 and 91 of the Bill create criminal offences by penalising a person who "knowingly or intentionally or recklessly" deals with personal information with resulting harms or indulges in re-identification and processing of previously de-identified personal data, in contravention to the Bill. The Bill prescribes the stringent punishment of imprisonment for these acts and makes the offences cognisable and non-bailable.

In this regard, the Srikrishna Committee's White Paper had stated that criminal sanction in the form of imprisonment and fines may be prescribed to impose financial and reputation costs on the data controller, thereby serving a deterrent purpose. However, empirical research demonstrates that the threat of imprisonment has only a small general positive deterrent effect (Ritchie, 2011). The use of criminal sanctions in data protection laws is rare (although not unheard of), but even in such cases, the context and scope of criminal provisions is markedly different from the Indian draft law.

For instance, while the U.K's Data Protection Act does include criminal offences, the scope of these offences is narrower compared to the draft Bill. Crucially, the UK's Data Protection Act mainly provides for criminalisation of acts where access and use of personal data is achieved without the consent of the data controller. Further, the law also restricts itself to only prescribing fines and does not prescribe imprisonment as a punishment for contravention.

Finally, we note that the provision as currently drafted also criminalises ethical hacking or other forms of security related research, including into the effectiveness of anonymisation techniques. In other cases, such as the UK's Data Protection Act, the law specifically lists various defences that could be taken against the offence of unlawfully obtaining personal data (Section 170), and against re-identification of personal data (Section 171) - notably on the ground of public interest.

### Conclusion

Given the current state of Indian data protection law, virtually any improvement would represent a significant step towards protection of privacy rights of Indians. However, we find that the Bill does provide a reasonably strong framework for the protection of personal data of citizens. That said, the Bill also contains numerous lacunae, implying the need to bring out amendments with a view to inter alia:

• Revisit the design of the regulatory framework, including by ensuring greater independence and accountability of the DPA. This gains particular importance due to the need to build trust between all the actors in the digital ecosystem;
• Clarify various terms and phrases to ensure proper application of the law;
• Provide checks on the State's use of personal data and build stronger provisions pertaining to state surveillance;
• Create more nuanced exemptions for a wider variety of subject matters (for instance, academic or artistic work) while at the same time including additional checks and balances for all exempted categories; and
• Reconsider the broad scope of the criminalisation provisions under the law and the classification of offences as non-bailable and non-cognizable.

Certain other provisions, such as the broad latitude granted to employers to process data of employees, and provisions pertaining to the right to object to processing or delete personal data, also need to be reviewed in subsequent versions of the Bill. Given the growing evidence that our personal data is not particularly secure in either private or State hands -- notably both Facebook and Google have recently reported massive data breaches -- it becomes all the more important for a strong, horizontal, principles-based data protection law to be brought into effect at the earliest possible. Reports indicate that the Bill will, subsequent to certain amendments and clarifications, be tabled before Parliament in the winter session. That said, the passage of a data protection law -- in whatever form it may take -- can only be considered (a vital) first step in ensuring greater protection of privacy rights of individuals. Building capacity of the regulator and laying down appropriate sector specific guidelines and principles will be critical in translating the law into practice.

### References

Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, 2018.

Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, Personal Data Protection Bill, 2018.

Vrinda Bhandari, Amba Kak, Smriti Parsheera, Faiza Rahman and Renuka Sane, Response to the White Paper on a Data Protection Framework for India, NIPFP MacroFinance, 31 January 2018.

Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman, Placing surveillance reforms in the data protection debate, The Leap Blog, 6 August, 2018.

Rishab Bailey and Smriti Parsheera, Data localisation in India: Questioning the means and ends, NIPFP MacroFinance (forthcoming).

Donald Ritchie, Sentencing matters: Does imprisonment deter? A review of the evidence, Sentencing Advisory Council, State Government of Victoria, April 2011.

Vrinda Bhandari, Data Protection Bill: Missed Opportunity for Surveillance Reform, The Quint, 28 July, 2018.

Smriti Parsheera, Data Protection Bill: Lukewarm Effort Towards Strong DPA", The Quint, 4 September, 2018.

Rishab Bailey, Smriti Parsheera, and Faiza Rahman are researchers in the technology policy team at the National Institute of Public Finance Policy. Vrinda Bhandari is a practicing advocate in Delhi. We thank Devendra Damle for inputs on the issue of genetic data.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.