India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee that comprised of members of both Houses of the Parliament (“Committee”).
On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.
Part 4 of this series looks closely at “Grounds for Data Processing” under the PDPB Bill.
GROUNDS FOR DATA PROCESSING
-
With Consent: Consent is the primary ground for processing personal data under the Bill.
(a) Personal data can only be processed by a data principal providing free, informed, specific, and clear consent that is capable of being withdrawn, at the commencement of processing.(b) Sensitive personal data can only be processed with the explicit consent of data principals.
(c) The burden of proving if consent of a data principal has been sought vests with data fiduciaries.
(d) Data fiduciaries can only process personal data for purposes that are consented to by the data principal or purposes which are incidental to or connected to such purpose and where the data principal would reasonably expect the processing in regard to the purpose, and in the context and circumstances in which the personal data was collected.
(e) The provision of goods or services, contractual performance, or the enjoyment of a legal right or claim cannot be (i) made conditional to the consent for the processing of any data not necessary for the purpose and (ii) denied based on the exercise of choice.
-
Without Consent:
(a) Both, personal data and sensitive personal data may be processed without the consent of data principals (“Public Interest”):-
- (i) for the performance of certain state functions;
-
- (ii) for compliance with orders or judgements of courts, quasi-judicial authorities or tribunals in India;
-
- (iii) to respond to medical emergencies involving a threat to life or the health of a data principal or any other individual;
-
- (iv) to undertake measures to provide medical treatment or health services during epidemics, outbreak of diseases or other threats to public health; or
-
- (v) to provide safety measures, assistance or services to any individual during a disaster or breakdown of public order.
(b) Personal data may be processed without consent for employment-related purposes, which include recruitment, termination, assessments, and employee attendance verification if necessary or can be reasonably expected by the data principal. However, sensitive personal data cannot be processed on this ground.
(c) Personal data may be processed without consent for reasonable purposes such as corporate restructuring or combination transactions, network or information security, debt recovery, or operating search engines, after taking into consideration:
-
- (i) the legitimate interest of the data fiduciary;
-
- (ii) whether the data fiduciary can reasonably be expected, and it is practicable to obtain consent;
-
- (iii) any public interest;
-
- (iv) degree of adverse effects on the rights of the data principal; and
-
- (v) reasonable expectations of the data principal.
The scope of “reasonable purposes” is not clearly defined: the Authority has the power to specify the scope of reasonable purposes and set out additional regulations to ensure the protection of data principals whose data is processed under this ground.
-
-