PDPA or the Personal Data Protection Act which is being introduced in the Parliament during the current session will be a landmark legislation in India. Presently PDPA is in draft Bill stage and it may become a law during this year. After the notification of ITA 2000 on 17th October 2000 which provided legal recognition to Electronic Documents in India for the first time and heralded the birth of the “Digital Society” in India, PDPA will be the most significant legislation to affect the country’s industry.
PDPA is an extension of ITA 2000, which was substantially amended in 2008. Now Section 43A of ITA 2000/8 will be replaced by the entire set of provisions in the PDPA 2018 or PDPA 2019 as it may now be called.
While many may look at PDPA as an extension of the need to protect “Privacy” which the Supreme Court declared as a fundamental right in India, it must be recognized that Privacy Protection had already been extensively recognized when ITA 2008 amendments kicked in.
While there are a couple of sections like 72A as well as Section 43 which can be invoked in respect of Personal Information being breached and misused, Section 43A was one section in ITA 2000/8 which directly defined the responsibility of organizations collecting “Sensitive Personal Information” (SPI). It defined what was SPI and declared that in the event of a company not following a “Reasonable Security Practice”, (RSP) it would be liable for paying compensation to any victim who suffers a wrongful loss as a consequence.
While the definition of RSP itself was left a little vague, it was specified that RSP is what would be defined in a contract between the data subject and the company or as defined in a law or as defined in an industry specific gazette notified framework.
Unfortunately, Indian industry (except Banking) did not appreciate or understand the flexibility provided to them in the law or was too lazy to work on a sector specific framework. Instead they simply manipulated the naive MeiTy to declare that a company with a certification of “ISO 27001” could be deemed to have complied with the “RSP Standard”.
This statutory dependence on an audit process which was commercially driven and subject to many abuses was vehemently opposed by the undersigned and the Ministry was forced to admit in a reply to the RTI query that
“Rule..does not mandate implementation of ISO 27001 standard exclusively… Body corporates are free to adopt and implement other codes of best practices agreed by the industry association”
This did not prevent the ISO 27001 industry to however claim that ISO 27001 ensures that organizations comply with ITA 2000. (Refer here).
PDPA is More Onerous
Now PDPA makes a huge difference to the compliance requirements of the industry related to Privacy Protection and Personal Data Protection.
PDPA does not restrict itself to SPI. It extends to Personal Information (PI) and “Minor’s Personal Information” which is also considered sensitive. It classifies the Data Fiduciaries into more sensitive levels of Significant Data Fiduciary and Guardian Data Fiduciary with increased responsibilities.
Most importantly, by defining the relationship between the Data Subject and Data Controller as we normally refer to as a relationship of “Fiduciary” nature and calling the Data Subject as the Data Principal and the Data Controller as the “Data Fiduciary”, PDPA has changed the narrative completely. The Data Fiduciary is now expected to act like a “Trustee” of the Data principal and his duties are not restricted to following instructions in the “Consent” Form. Though the “Consent” remains in the statute, it is more an indication of the Data Principal’s objectives for sharing his personal data. The determination of how it has to be processed in the best interest of the Data Principal lies with the Data Fiduciary and not limited to what is contained in the Consent.
PDPA defines the “Data Principal’s Rights” and “Obligations of the Data Fiduciary” which become guidelines for the Data Fiduciary to implement “Privacy By Design” and the security requirements.
Though many derogations are provided including the cover of “Legitimate Interest”, the law imposes penalties both in terms of large financial fines as well as the possibility of criminal prosecution against the Company and its executives. Such fines are of the nature of “Administrative Fines” and need not necessarily require a data breach as it was in the case of ITA 2000/8 but could be imposed even for non compliance.
As a result of these changes, the responsibility of industry for compliance regarding Privacy Protection and related Data Protection has increased several folds with the introduction of PDPA.
The biggest impact of PDPA is likely to be on the Data Analytics industry. Data gets a higher value when it is associated with the identity of individual and parameters associated with an individual. Data is considered “Personal Data” if it is identifiable with a living human. If the identity is masked, the data becomes “Pseudonymous personal data” and escapes PDPA. If it is “Anonymized” then also the processing escapes PDPA.
Pseudonymous data by definition is “Re-identifiable”. Anonymous data is not. Re-identification of a de-identified data is an offence under PDPA and could result in imprisonment of upto 3 years and/or fine of Rs 2 lakhs. The liability may extend to the Company and individually to the managers/Directors who are negligent. Such offences are cognizable and non bailable making the risk higher.
The Civil liability which could arise out of many non compliance issues could result in penalties upto 4% of the global turnover of the company and is therefore threaten to wipe out the business.
With such penalties hanging over their heads, every company needs to take such steps as are required to ensure that the possibility of non compliance is near zero.
PDPA Risk for Data Analytics and AI industries
In this context a data analytics company needs to ensure that the incoming data is largely pseudonymous or anonymous. If not it has to ensure that data is filtered at the first in-gate so that the risk is minimized at further levels of processing. While this is easier said, we realize that most of the time the identity is integral to the data processing and cannot be easily detached. Further, the granular details that a data set may contain could make the apparent pseudonymous data easily re-identifiable in the hands of a determined data thief.
Since many of the data analytics companies need to depend on sub contractors, the inability of the sub contractors to protect the personal data upto the “PDPA Standard” could impose vicarious liabilities on the data fiduciary.
In view of these risks, data analytics companies need to be extremely careful in designing their processing systems to ensure that they are “PDPA Compliant”.
Artificial Intelligence industry on the other hand supports data processing industry of every description including Data Fiduciaries, Significant Data Fiduciaries, Guardian Data fiduciaries. In many cases they will be the “Sub Contractors” of the data fiduciaries. In certain cases the AI companies dictate the business process of the data fiduciaries as if they are the main contractors and the data fiduciary is a sub contractor. Such “Reverse domination” is also present in many other data processing situations in the Digital Marketing industry. As a result the AI industry players could be “Joint Controllers” as GDPR defines or “Data Fiduciaries of the Data Fiduciary” in the Indian Context.
AI is one industry where processing often is hidden in the algorithm and it is not easy to discern compliance violations. Indian law is very clear that any violation of law by the AI agent would be the responsibility of the AI creator/manager. Hence AI companies will be liable for any non compliance issues arising out of the AI algorithm incorporated in the process.
In view of the above, both the Data Analytics and the AI industry need to implement special efforts to be PDPA compliant.
Be Compliant and Be Protected
The PDPSI (Personal Data protection Standard of India), designed by the undersigned contains the necessary basic guidance for industries to be PDPA compliant. The PDPSI standard supports the PDPA requirement that every Data Fiduciary should conduct “Data Audits” from time to time and develop a “Data Trust Score” (DTS). This again drastically changes the paradigm of Data Security in the country bringing in a sort of “Disclosure” which is “indicative” of the risks rather than the mandatory data breach notification that follows the actual breach. An audit under PDPSI framework should therefore normally end with an allocation of DTS to an organization. Such DTS will naturally affect the “Insurability” of the organization and impact the cost of data processing.
It is therefore time for the Data Analytics and AI industry to examine the impact of PDPA on their operations and to take such steps as may be essential for their survival before the law is set in stone.