Broadening of sensitive data definition may cut off several services for Indians

A committee recently released the much-awaited draft of the Personal Data Protection Bill. Although the panel’s efforts have been exemplary in bringing about a robust data-protection framework, the draft leaves several stakeholders longing for more. This article examines the unfinished agenda. 

A chip off the old block

Given the profound influence of the European Union’s General Data Protection Regulation on the draft Bill, certain aspects not touched by GDPR remain unaddressed in the Indian counterpart as well. The prime question is that of applicability. 

There is no denying that a law having extra-territorial application is the need of the hour. However, in a bid to provide protection to data subjects from data controllers (or data fiduciaries) located offshore, the draft Bill, much like GDPR, misses the mark by not defining whom exactly does it afford this protection to. 

The expression “within the territory of India” can sound confusing. Does this refer to Indian citizens or all those living within the country? Does it depend on how much time the person has spent in India to be able to qualify for this protection? Will a foreign tourist or immigrant fall within this scope? Neither the draft Bill nor the report accompanying it clarify this aspect. Interestingly, the same questions arose in the minds of experts when they read the GDPR. The European counterpart uses the expression “in the Union”. 

Insensitive definition of sensitive personal data

The draft Bill defines various categories of personal data, out of which sensitive personal data (SPD) enjoys a higher degree of protection. SPD covers official identifiers (which include Aadhaar number), sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, religious belief, political affiliation, and more. 

SPD, therefore, is much larger in scope than its counterpart found in the only existing data-protection law in India, Information Technology Act, 2000. And, there is room for further expansion of SPD as the Data Protection Authority of India is empowered to state more categories going forward.

While expanding the definition of SPD affords more protection to data subjects, the draft Bill places the burden of compliance on data controllers. This has also been noted by the committee in its report. Not only this, the expansive definition leads to other complications, too, considering the restrictions on transferring SPD outside India. The draft Bill allows certain information to be exempted from the data-localisation requirement. However, such exemption can never be granted for SPD. 

Notably, the definition of SPD also includes passwords. By putting two and two together, this means passwords will always have to be stored in India. Several application owners located outside India provide services to people within India. Not all of these service providers may have the wherewithal to comply with the data-localisation requirements. Sadly, this will also impact hundreds and thousands of service recipients. 

Not defined too well

There are several unclear provisions in the draft Bill. It provides that certain categories of ‘personal will’ should be marked by the government as critical personal data, which can only be processed in India. However, there is no clear-cut definition or guidance on what could be termed as critical personal data and it remains to be seen how businesses could be impacted due to this provision. We have earlier discussed, in our article, the limited time frame provided for implementing the provisions of the draft Bill after its enactment. 

Further, the classification of data controllers as significant data fiduciaries (SDFs) is largely unclear. The draft Bill envisages that any data controller using new technology for processing ‘personal will’ be regarded as SDF and may be required to comply with additional requirements. Because firms always innovate and bring in new technologies for processing data, many companies may fall under the classification of SDF. It remains unclear whether other criteria for determining whether an entity is SDF, such as volume and type of personal data processed, turnover, and risk of harm resulting from processing, shall have any empirical basis. As such, a lot of uncertainty will loom in the minds of entities as to whether they fall within this category or not.

Ray of hope

Above are some of the issues that require reconsideration. Fortunately, the public consultation with respect to the draft Bill is under way and we are hopeful these shortcomings will be addressed somewhat before the Bill takes final shape. 

This is the fourth of a five-part series that analyses the draft Personal Data Protection Bill.  

Harsh Walia is an associate partner at law firm Khaitan & Co. based in Delhi. Views are his own.

Harsh Walia