P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
The honourable Minister of IT, Sri Ashwini Vaishnaw in an interview yesterday has indicated that
a) a new Telecom Bill will be introduced in the next 8-10 days to replace the archaic 1885 laws
b) Drafting of the bill to replace PDPB 2019 is practically complete and will be very soon uploaded for consultation and re-introduced in the Parliament in the budget session (February 2023)
c) Protection of online users will be covered in a new draft of the Information Technology Act with greater accountability among social media platforms for content that is being published.
It appears that both the revised Telecom Bill and Revised PDPB 2019 may be presented in draft from for public comments soon. Revised ITA 2000 is a more complicated exercise and the Government may immediately focus on getting a proper revised version of the Intermediary Guidelines that covers Digital Media.
In our attempt to design a New Data Protection Act (NDPAI) for discussion during the IDPS 2022 (Indian Data Protection Summit 2022) due in November 2022 based on the earlier statements of the MeitY, we had considered the possibility of a new law which combines the Governance and Security of Personal and Non Personal Data.
We had identified eight chapters in the law where chapters on Preliminary, Data Valuation Framework and Miscellaneous issues were common to both Personal and non personal data.
Chapter II was envisaged for creating the statutory law for recognizing the Right to Privacy in non digital environment so that the rest of the law could focus on “Information Privacy”
Chapters on Governance and Protection of Non Personal Data were meant to replace the ITA 2000.
We now await the new draft for Personal Data Protection which the minister has promised to produce soon. If the Government has to collect public comments and introduce it in February 2023, the draft has to be released in October 2022.
We may continue our discussion and suggestions awaiting the draft and synch it with the draft when it is presented.
In this article we shall discuss the definition of the scope of the Act.
The scope of PDPB 2019 was defined under Section 2 and included 4 provisions. As per this section the Act would apply to
(a) the processing of personal data where such data has been collected, stored, disclosed, shared or otherwise processed within the territory of India;
(b) the processing of personal data by any person under Indian law;
(c) the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—
(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(ii) in connection with any activity which involves profiling of data principals within the territory of India; and
(d) the processing of non-personal data including anonymised personal data.
The act was indicated as applicable to non personal data but only the following provisions could be attributed as applicable to processing of Non personal Data
i) Reporting of data breach of non personal data to the data protection authority under this Act,
ii) Empowerment to direct any data fiduciary to share non personal anonymised data,
ITA 2000 on the other hand applied to all kinds of data and addressed issues of “Cyber Crimes” both with personal data and non personal data. Hence the scope of ITA 2000 was comprehensive and PDPB 2019 could only carve out some specific aspects of ITA 2000 (eg: Section 43A) and frame a separate law. The overlapping of ITA 2000 on PDPB 2019 and therefore the powers of the CERT IN over the DPAI became a difficult legal problem to sort out.
We may presume that the Government realized this conflict between ITA 2000 and PDPB 2019 and took the bold decision to withdraw the PDPB 2019 despite the embarrassment that the withdrawal caused to the country in the international circles.
Now it remains to be seen if the Government vindicates its objective of withdrawal by framing a law which segregates the “Governance of Personal Data and Non personal Data” effectively between the new personal data protection act and new information technology act or under a combined act.
The “Protection of Data” from unauthorized access, modification or access (CIA principle) applies both to personal data and non personal data and hence can be considered as a common requirement for both personal data protection and non personal data protection. Additionally the data principals (owners of personal data) were recognized to have some “Rights” such as Right to Access, Right to Correction, Right to Portability, Right to Forget, Right not to be subjected to personal data processing without a legal basis, Right to withdraw consent, Right to Grievance redressal, Right to minimal collection, Right to minimal retention, Right to information about processing before collection, (Notice).
Personal Data Protection recognized these “Rights” as an interpretation of the “Right to Privacy” extended in the form of “Information Privacy” where the “Ability to chose how the personal data of an individual could be collected and used is regulated. But ITA 2000 did not mention the “Right to Security of a Citizen” except through definition of “Cyber Crimes and Contraventions” and prescribing penalties. Each of the punishable offences or contraventions could be considered as a “Right of a Citizen against misuse of Non personal data” though the clarity was absent. Prevention of Cyber Crimes were looked at more as an obligation of the law enforcement duty of the Government rather than “Protection of the Right of Security of a Citizen of the Country”.
I feel that we now have an opportunity to define the “Duty of the Government” to provide Cyber Security by guaranteeing the “Right to Security” along with “Right of Privacy” in a single legislation.
In the NDPAI-Shape of Things to Come, we are therefore suggesting that “Rights” be defined of the Citizens of the Country in such a manner that any mis-use of personal or non personal data shall be protected. This obligation is only to the citizens of the country. Rights of “Other Residents of the country” including foreigners on transit for travel or employment must be defined separately and exclusions temporary or permanent must be added to illegal migrants, terrorists, convicted criminals and accused criminals subject to checks and balances as permitted in the constitution.
The current definition of “Scope” of the PDPB 2019 revolves around “Data” whether it is personal or non personal whether it is processed by an Indian organization or foreign organization and whether it is processed in India or outside India.
Even the GDPR defines the scope in terms of a mix of Material scope, Territorial scope and subject matter scope. In this mix, people forget the subject matter scope which says that the regulation is “relating to the protection of natural persons” . Everything else including the regulation of what is called “Personal Data” is incidental to the protection of the natural person.
In view of the lack of focus, we normally consider that the basic purpose of GDPR is to “Protect Personal Data” and derive many of our compliance requirements ignoring that the core objective of GDPR is to protect “Natural Persons” and the scope is limited by international jurisdiction to “Protection of Natural Persons who are the citizens of EU”. Extra territorial jurisdiction is only in “Hot pursuit” of the protection of the rights of the citizens.
GDPR does make reference to “Residents of EU” and try to protect them under GDPR. This is more an obligation in recognition of human rights on a global scale and not necessarily as a duty under the EU Constitution.
India can chose to also protect certain rights to legal residents of the country as a part of its global obligations. But instead of mixing up these rights with the rights of citizens, it is better to define it exclusively.
Hence we need the NDPAI to recognize
a) Rights of living natural persons who are recognized citizens of India
b) Rights of living natural persons who are recognized citizens of a sovereign country recognized by India under authorized residence in the territory of India
c) Rights of deceased natural persons who were recognized citizens of India
d) Rights of deceased natural persons who were recognized citizens of a sovereign country recognized by India under authorized residence in the territory of India
We therefore suggest consideration of defining the scope of the NDPAI with reference to protection of rights of natural persons on the basis of their citizenship and define the territorial scope, material scope etc with the core objective of protecting the rights of the Citizens. This would meet the constitutional obligation which the Supreme Court also highlighted in the Puttaswamy judgement. Definition of Rights in this context will automatically fix the scope of the law.
We may recognize that the term “Data Principal” in a personal data protection context may refer to persons with a right on a personal data set which includes “Guardians” of minors or Data Fiduciaries/Consent managers with contractual right to manage and monetize.
In the context of non personal data, data is owned by an organization or an individual and any mis-use affects another individual or an organization indirectly as a victim of cyber crime. The individual victim of a cyber crime always has an involvement of his personal identity being in some way compromised. Hence Cyber Crimes against individuals can always be considered as crimes under Personal Data Protection Act.
Since “Corporate entities” are not protected with a “Right of Privacy”, their right to protection is in the form of right to carry on business without disruption etc. The Non personal data protection act needs to protect such entities who are not “Natural Persons”.
Similarly deceased persons may not have all the rights of a Citizen and hence must be covered separately. So also are “Residents who are not Citizens” whose rights are to be considered separately.
In the case of Non personal data, we can define a term “Data Guardians” who are custodians of data and are the “Data Fiduciaries” in that context. In our earlier article on the roles, we discussed the role of a data fiduciary as “Data Manager” taking into account the possibility of profiling and monetization. May be the term “Data Guardian” is a better proposition which covers the Data Controller, Data Fiduciary, the Consent Manager and Data Processors.
Within this category of Data Guardian, different classes as “Personal Data Guardian” and “Non personal data guardian” can be identified.
In this approach we can define the applicability of the Data Protection regulation in terms of the end stake holder who is either a Data Principal or a Data Guardian and what rights of these stake holders are protected.
Data Principal is given protection of his Right to Privacy and the subordinate rights such as Right to access etc. Data Guardian has the obligation to meet the compliance requirements. Right to Security is applicable both to the Data Principal and the Data Guardian if they are citizens of India or established under the Indian law or otherwise carrying on activity in India as a resident.
We may therefore re-write the Section 2 of the PDPB 2019 appropriately. The exact drafting of this “Scope Section” will be attempted in a follow up article.
Open for debate… Send your views. Those who are willing may contribute a video recording (not exceeding 5 minutes) on how do we define the scope of the New Data Protection Act of India, for being carried in IDPS 2022 (Expert View Section)
P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.