Comments on Nasscom Observations on PDPA

(This is a continuation of the previous article)

Nasscom has indicated 25 recommendations which are listed below with our brief comments.

Some preliminary observations on the Nasscom comments are provided in the table below.

Recommendations on PDPA 2019 by NASSCOM-DSCI (No. / Recommendation / Comments)

Recommendation 1: The definition of SPD should be made explicit, and limited to such personal data which could lead to profiling, discrimination and infliction of harm that are identity driven.

Financial information is important in that its breach is likely to result in harm. The remedy against harm is available even if it is not an SPD.

This, coupled with the ability of sectoral regulators to provide additional safeguards, is the basis for us to recommend that ‘financial data’ should be removed from the category of SPD. In the case of ‘official identifier’ also, remedy against harm is available even if it is not an SPD.

Accordingly, ‘financial data’ and ‘official identifiers’ should not be treated as SPD and the definition of ‘health data’ should be limited to data concerning the health of the person. The definition of SPD should ideally be exhaustive, not subject to regular updation. Should the JPC be of a contrary opinion, alternate recommendations (i.e. R 2 to R 5) may be considered.

Comments: Financial data and health data are universally recognized as highly valuable data. Even the Darkweb places a premium on such data. Frauds are rampant with the breach of such data and the impact could be devastating.

Nasscom is suggesting this only to facilitate the card processing community to benefit.

The recommendation is not wise and should be rejected.

Recommendation 2: Financial data: In case the JPC is of the contrary opinion, SPD could include an identified sub-set of financial data, which in the opinion of the DPA would suit the definition recommended in R 1 above.

For instance, the subset could be aligned to Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), where financial information is said to include bank account or credit card or debit card or other payment instrument details.

Comments: Not necessary in view of the comment on 1 above.

Recommendation 3: Health data: The definition of ‘health data’ should be revised to mean data concerning the health of the person, in line with globally accepted definitions of ‘health data’. It should not cover personal data that may be processed as part of the processing of the health data.

Comments: The recommendation does not make sense. Personal data associated with health data is part of the health data. Hence the recommendation is not feasible.

Recommendation 4: Official identifier: In line with the earlier expressed concerns, ‘official identifiers’ should be dropped from the SPD classification; alternately, there should be relaxation of the requirement for seeking explicit consent for the processing of ‘official identifiers’.

Comments: Whenever the official identifier is leaked, the consequence could be a major crime. Hence there is no merit in this recommendation.

Recommendation 5: The power of further classification of SPD should be moved back to the DPA, and there should be a statutory mandate to provide reasons for classifying any ‘personal data’ as SPD, including an account of potential harms that could arise, and a mandate to conduct a thorough public consultation exercise before any personal data is notified as SPD.

Comments: No comments.

Recommendation 6: Contractual necessity should be included as a ground for processing of personal and sensitive personal data, and no additional consent should be required for fulfillment of a contractual obligation.

Comments: Consent can be provided as part of a contract. Hence there is no reason to change the consent requirement.

Recommendation 7: As an individual’s unwillingness to provide explicit consent could lead to a statutory non-compliance for an organisation, compliance with law, or an Order of a Court/Tribunal, should be added as an alternate ground to explicit consent for the processing of SPD.

Comments: Agreed. But this is already part of the “legitimate interest” argument that the data fiduciary can advance for such processing.

Recommendation 8: The ground for prompt action in case of individual medical emergencies or in case of public health emergency should extend to personal data, as well as SPD. Alternately, a specific carve-out should be created for the usage of health data or genetic data under this ground, otherwise the intention of creating this ground would be defeated.

Comments: Agreed, but this appears to be available even now.

Recommendation 9: Considering the imbalance of power between the employer and the employee to execute valid explicit consent, processing for the purposes of employment should be an alternate ground for the processing of SPD as well.

Comments: Explicit consent could be part of the employment contract; hence the recommendation does not appear to be relevant.

Recommendation 10: ‘Reasonable purposes’ as a ground for processing should extend to both personal data and SPD. There should not be a blanket usage of this ground. The DPA should come out with a code of practice for how an organisation should carry out a self-determination exercise and document the same as evidentiary proof. Such self-determination should take into consideration the rights of the data principals and carry out a balancing test. A prescriptive list and pre-approved list of purposes would be detrimental for innovation and would not be flexible enough to stand the pace of technological development and offering personalised services to consumers.

Comments: This will dilute the provision to the extent that it could be harmful. We already have the instance of Transunion, which took over CIBIL through the back door along with sensitive information. We cannot allow a repetition of such “data laundering”. The recommendation does not merit consideration.

Recommendation 11: The grounds relating to ‘functions of the State’ should cover processing of personal data by the State for providing any service or benefit to the data principal from the State, or the issuance of any certification, license or permit for any action or activity of the data principal by the State.

For processing sensitive data, the State should be required to take explicit consent of citizens due to the heightened degree of harm that may be caused to an individual if such sensitive data is misused in any manner.

Comments: No need to dilute the powers of the Government in this regard, since the ID of an individual is an important aspect of benefit transfer.

Recommendation 12: The classification of Critical Data should be closely linked to the requirements of National Security. This will limit the impact of stringent localisation and offer certainty to businesses in their data processing activities. Till such time as countries / destinations are recognised as adequate, critical personal data transfers may be approved on the basis of standard contractual clauses, with additional safeguards.

Comments: This can be left to the wisdom of the DPA.

Recommendation 13: The requirement to obtain an additional consent for cross border transfer should be removed, since it would be onerous for companies, particularly where there is a huge volume of cross border transfer on a regular basis. Moreover, it would be irrelevant to the Bill’s overall intent of effective data processing, since the processing (even in the absence of this additional consent) can only take place based on permitted grounds of processing.

Comments: Whenever consent is obtained, if there is an intention of cross border transfer and it is permitted, the permission can be part of the consent.

Hence there is no need to consider this suggestion.

Recommendation 14: Standard contractual clauses and BCRs based on frameworks such as the APEC Privacy Framework and the CBPR should be considered as alternate grounds to processing SPD under the Bill.

Comments: The DPA can always re-endorse the clauses. There is no reason to give up the power of the Indian DPA to foreign agencies.

Recommendation 15: Upfront exemptions, for organisations processing foreign nationals’ data in India, from select provisions, should be considered. This could be important for India to achieve adequacy status from the EU and other geographies. This will suitably ring fence the applicability of the law, without any discretionary powers and process uncertainty. Accordingly, exemptions in relation to processing of foreign personal data should be explicitly provided in the PDP Bill 2019 for certain provisions, especially those referred to below:

a. Restriction on retention of personal data. (Clause 9, Chapter II)

b. Restriction on Transfer of Sensitive Personal Data and Critical Personal Data Outside India (Chapter VII)

c. Act to promote framing of policies for digital economy, etc. (Clause 91)

d. Bar on processing certain forms of biometric data. (Clause 92)

Comments: Presently what is required is a request for notification, which the DPA should approve.

This is a minimal requirement that keeps the entity under the radar of the DPA.

There is no need to make any changes.

Recommendation 16: In addition, the PDP Bill 2019 should provide that the Central Government may, by notification, exempt the processing of personal data of foreign Data Principals resident outside from the application of any provision of the Act, to the extent that the same is desirable to enable such processing to be in conformity with the requirements of the particular country where the:

a. Data principals are located; or

b. Organisation which alone, or in conjunction with others, determines the purpose of processing of personal data is located, or incorporated.

Comments: The law is for the protection of the privacy of individual citizens in India, and hence non-residents are brought under the law. If the data is collected and processed outside India, it is anyway not within PDPA.

PDPA cannot otherwise be subordinated to the local laws.

Occasional overlap where the interests of Indian citizens are involved may be natural.

Recommendation 17: The provision be removed from the Bill, and issues surrounding non-personal data be left to be dealt with by way of separate legislation.

Comments: Being only an enabling provision, the recommendation is irrelevant.

Recommendation 18: If included in the Bill, the provision should have appropriate safeguards and governance frameworks built-in, in the form of –

a. Enterprises that are directed to share such data being required to establish that intellectual property rights exist, or that such data is otherwise confidential and business sensitive, and that disclosure could significantly harm the enterprise’s commercial interests and diminish the commercial value of such data.

b. The Government being required to ask for a reasonable and proportionate volume of data (such as a sample) and required to clearly specify the ground on which the data is being directed to be shared, including the exact policy towards which such data would be utilised;

c. The Government being required to prevent onward disclosure of such data beyond the purposes stated.

d. Accountability provisions for the government in this regard.

Comments: What may be shared under this enabling provision is anonymized data, and hence the recommendation is not relevant.

Recommendation 19: The Data Protection Authority should have a greater role in ensuring that the provision is exercised only in such instances where the risks of re-identification are minimal.

Comments: Once anonymized, the recommendation is irrelevant.

Recommendation 20: The State and all State and non-State entities with whom any data is shared must be accountable as to the use and disclosure of the data.

Comments: Once anonymized, the recommendation is irrelevant.

Recommendation 21: The provision must ensure that data sharing does not lead to dilution of the commercial value of the data, expropriation of intellectual property rights, or breach of contractual liabilities.

Comments: Once anonymized, the recommendation is irrelevant.

IPR infringement could be protected against by the company through a legitimate interest argument and by sharing only such information as does not result in any infringement.

Recommendation 22: A thorough assessment of the costs, benefits, and impact on competition of each direction issued under the Clause, together with a reasoned statement on the intended use of the shared data, and the potential risks of re-identification, must be reported clearly and transparently by the Government agency issuing a direction.

Comments: Not relevant. There is presently no prohibition on the companies asking for and getting any cost reimbursement. This is a matter of detail which the DPA may consider and, if necessary, subject to adjudication, appeal etc.

Recommendation 23: In order to maintain its independence as a regulator, the DPA should be independently staffed and funded. The JPC may consider reviewing the composition of the selection committee for the DPA and the composition of the DPA, and provide for an independent funding mechanism. The DPA should be advised by domain experts on data protection, privacy, technology and law, and have a hard-coded obligation to consult with industry and other relevant stakeholders including sectoral regulators, so that it can leverage domain expertise.

Comments: Advice from experts is presently facilitated. Some qualification criteria for composition have been provided. Beyond this, judicial oversight is possible. Hence the recommendation is not necessary.

Recommendation 24: The Bill should provide for clear and unambiguous principles that should form the basis of the DPA’s discharge of functions, including the issuance of rules and regulations, together with the obligation for the DPA to conduct its business in a transparent and consultative manner. While the Bill provides for the DPA to undertake consultations, the process of undertaking consultation should be provided in the law. The recommendations of the Financial Sector Legislative Reform Commission (FSLRC) on regulatory governance as encoded in the draft Indian Financial Code should be used as a reference and similar provisions should be drafted in the PDP Bill 2019. A model consultative process is suggested.

Comments: The Bill has provided the broad guidelines and the rest will have to follow in the regulations.

There is no need to put any further constraints on the DPA.

Recommendation 25: The Bill should remove criminal liability for contraventions of the provisions of the Bill and limit the circumstances for individual liability to situations in which it is proven that the relevant individual possesses an appropriate level of culpability for alleged violations. Given that some of the processing steps could involve new technology, and there may be good faith processing interventions that hinge on subjective opinions, an efficient enforcement mechanism with monetary relief would ensure that the rights of data principals and the interests of fiduciaries and processors are protected.

Comments: Presently only malicious re-identification qualifies for criminal punishment.

Removal of this sole provision can be considered, but it will dilute the deterrence effect of the Act.

In fact, it should be considered whether the section could be broad-based so that “any malicious contravention, with knowledge” would be considered an offence.

Safeguards, such as the offence being cognizable only when the DPA files a complaint, can remain.

Bailability can be added as a further safeguard.

More detailed discussion can follow. But at first glance the recommendations are disappointing and do not reflect the expertise that is available to NASSCOM-DSCI to suggest positive changes. Anyway, more recommendations are relevant only after the Act is passed, and there is no need to be too concerned at this stage. The DPA has the power to make the necessary regulations to meet most of the genuine concerns that NASSCOM may have, and there is no need for all of these to be addressed through the Bill.

Naavi

This entry was posted in Cyber Law.