Asheeta Regidi

Editor's note: The Data Protection Bill series carefully examines the various sections of the draft Personal Data Protection Bill, 2018 as laid down by the Justice Srikrishna Commission and submitted to MEITY for approval. This is the final part of the series.

This is the concluding part of the series on the Personal Data Protection Bill, 2018 and deals with three important issues: the retrospective application of the law, such as how the law is to apply to processing commenced before the law; the transitional application of the law, that is, the implementation of the law in phases; and lastly, the Justice BN Srikrishna Committee’s recommendations on Aadhaar.

Retrospective application of the law

No retrospective application of the law

A law with retrospective application allows violations of the law which occurred before its enactment to be acted against. The Justice Srikrishna Committee’s Report accompanying the Bill clarifies that the Bill will not have retrospective application. As a result, any processing which happens prior to the passing of the law will not be affected by its provisions.

Effect on ongoing processing

Ongoing processing, however, will be affected even if the processing was commenced prior to the passing of the law. For instance, say an e-commerce company has, prior to the passing of the law, collected your payment information for accepting payments for purchases made from it. If this data is retained after the law comes into force, regardless of whether it is actually used for a payment or not, the mere retention of the data will constitute ongoing processing. This processing will thus be required to be compliant with the law.

Need to retake consent

There are issues which need clarification in this respect. One, for instance, is whether data fiduciaries under the law will have to ensure that consent is taken from the data principals in order to become compliant. When the General Data Protection Regulation (GDPR) came into force, several companies needed to retake consent to ensure that they met the GDPR standard of consent and that their processing of the data was lawful. The Bill and the Report do not clarify if this will be required under the new Bill.

In the absence of specific guidance, it can be assumed that this retaking of consent will be required for processing which requires consent in order to be lawful. This will include, for example, the processing done by several non-State entities today. If the processing activity falls under one of the non-consensual bases of processing, such as processing for compliance with the law, or under one of the exemptions under the law, then it will not be required.

Retaking the consent will also ensure that the consent used for the processing meets the standard proposed under the Bill, i.e., it must be free, informed, specific, clear and capable of being withdrawn. Consent taken in the past, such as through the boilerplate terms and conditions and privacy policies widely in use today, is unlikely to meet this standard.

Consequences of failing to give consent

A related issue that arises is that of the consequences of the data fiduciary being unable to obtain consent. This may be, for instance, because the data principal refused to give it, or could not be contacted. In such cases, the data fiduciary is likely to be required to cease processing the data, unless an exemption or non-consensual ground of processing applies. If these don’t apply either, the data fiduciary will be required to delete the data as per the storage limitation principles.

Application to data breaches discovered later

Further, when considering a data breach, a question arises as to how the law is to apply to a data breach that occurred prior to the enactment of the law but was discovered after the law was enacted. The requirements as to a data breach notification under Section 32 will apply regardless, since the law simply requires the data fiduciary to notify the Data Protection Authority (DPA) whenever it becomes aware of a breach. In the absence of clarity, the details of the data breach may be taken into account to judge the application of the law, such as whether the data breach was ongoing, or whether compliance with the law after enactment would have made a difference.

Transitional implementation of the law

Implementation in phases

The Bill, additionally, proposes that the law be implemented in phases, given that the data protection law will create an entirely new regulatory framework for the purpose of enforcement. The Report, while making this recommendation, takes into account the significant organisational changes that will be required on the part of the data fiduciary for compliance with the law.

Similar approach to GDPR and need for transitional implementation

This is an approach similar to the GDPR, where entities were given a period of two years from the date of enactment of the law to comply with the provisions. It is to be noted that in Europe, a robust data protection law had already been in force, in the form of the Data Protection Directive of 1995. Despite this, the significant changes proposed by the GDPR along with the increased extra-territorial application of the law necessitated the long period of compliance.

For many Indian companies, complying with the GDPR was likely the first major step taken in relation to privacy. To change from the almost non-existent privacy laws in the past to a full-fledged data protection framework will certainly require time. The extra-territorial jurisdiction of the law will also require companies around the world to become compliant with the Indian data protection law.

To be noted here is that the frameworks of the GDPR and the proposed Indian Bill, while similar, contain key differences. It will therefore not be possible to merely adopt existing GDPR practices for compliance with this law as well. For instance, while the GDPR recognises six lawful bases of processing such as consent and legitimate interests, the Indian Bill proposes only consent as the main basis, along with several activities for which data can be processed without consent or which are exempted.

Phases of the transitional implementation

For the transitional implementation of the law, first, the Central Government will notify a date. Thereafter:

i) First, the DPA will be constituted within three months of the notified date. All of its powers and functions will be in force.

ii) Within a year from the notified date, the DPA will list the reasonable purposes for which data can be processed without consent under Section 17.

iii) Within a year from the notified date, the DPA will also issue codes of practice for important issues including notice, data quality, security safeguards, etc.

iv) The remaining provisions, with the exception of the data localisation requirement, will come into force within 18 months from the notified date.

v) For the data localisation requirements under Section 40 to come into force, a separate date will be notified by the Central Government.

Justice Srikrishna Committee on the Aadhaar Act

Suggested amendments do not address concerns with Aadhaar

On the Aadhaar Act, the Bill itself is silent on proposed amendments. The Report notes that the Committee was not tasked with proposing amendments to the Aadhaar Act, 2016 and that the matter is sub-judice. The Report nevertheless suggests amendments for consideration by the Government. These suggestions, however, do little to address the concerns raised with Aadhaar. The Report, in fact, cites the need for maintaining the ‘autonomy’ of the UIDAI, and the need to empower it to correct errant companies in the ecosystem.

Recommendations made

The Report’s recommendations, broadly, propose granting adjudicatory power to the UIDAI, as well as restricting the use of Aadhaar authentication to entities which are required to do so under the law. For other entities wishing to use Aadhaar, a consent-based offline verification method is proposed, which will not involve authentication. While the amendments have not barred the Adjudicatory Officers under the Bill from hearing matters concerning the UIDAI, the exclusivity of the UIDAI to file complaints is proposed to be maintained.

The Report objects to the mandatory use of Aadhaar by entities not required under law to do so, such as the wide range of private companies using it. However, details of the proposed offline system have not been shared. Further, the Report and the Bill itself support the mandatory collection of data by allowing non-consensual processing by the State. The Report directly supports the Aadhaar system, by observing that the Parliament is entitled to mandate a particular form of authentication and that people will be required to follow such a mandate. Questions like Aadhaar-based exclusion and the violation of people’s privacy are issues which have not been addressed in the Report.

Thus, the Data Protection Bill and the suggestions made for Aadhaar do not bode well for those fighting against Aadhaar and for privacy. Further, there is a clear indication that unless the Supreme Court rules against Aadhaar, the government is inclined towards retaining the control of other entities over an individual’s data, as opposed to granting it to the individual himself.

Obligations imposed on fiduciaries, but people not empowered

This, in fact, is the key issue with the framework proposed by the Data Protection Bill. It imposes a number of obligations on data fiduciaries, but it does not simultaneously empower the people with respect to their data.

People will only have a say in whether or not to give their data, and this option will only be (for the most part) with respect to non-State entities. Where a law like Aadhaar applies, or the activity falls under one of the many exemptions or non-consensual grounds of processing, even this option will be withdrawn. Further, once they part with their data, their only right will be to obtain information on how their data is being processed. The decision-making powers, such as what uses are compatible with those consented to, what uses the data can be put to without consent, whether the data is to be retained or deleted, what processing is lawful, and so on, are all in the hands of the data fiduciaries within the ambit of the law, the DPA and the government.

The proposed Bill will definitely necessitate major changes in the practices of the fiduciaries and will provide greater security to the people’s data.

However, a lot more needs to be done to ensure that firstly, the individual has an actual say in what happens with his data, and secondly, that the State is held equally accountable with respect to the uses it puts the data to.

You can read the earlier parts of this series:

Part I: Quick overview of India's draft data protection law

Part II: Understanding jurisdiction within and outside the country

Part III: The importance of defining personal data

Part IV: Data protection obligations on data fiduciaries

Part V: Standard of consent and processing of data

Part VI: Non-consent based processing by state and non-state actors

Part VII: A person's right over data is compromised in the bill

Part VIII: Transparency and accountability required for data fiduciary

Part IX: Data Protection Bill series: Steps for data protection authority to run smoothly

Part X: Offences and penalties proposed under the bill

The author is a lawyer specialising in technology, privacy and cyber laws. She is also a certified information privacy professional.