Once enacted, the Personal Data Protection Bill will change an organization's data management practice: Asim Abbas & Tony Verghese

J Sagar Associates (JSA) is a leading national law firm in India. The firm provides legal services to top Indian corporates, Fortune 500 companies, multinational banks, governmental and statutory authorities, and many more.

Voice&Data had the opportunity to interact with two Partners at JSA Law — Asim Abbas and Tony Verghese. Both Abbas and Verghese have shared a complete insight into the nuances of the laws associated with data protection in India and India’s Personal Data Protection Bill. The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Ravi Shankar Prasad, on December 11, 2019.

Few excerpts of the combined response from Asim Abbas and Tony Verghese to a short questionnaire by Voice&Data:

 V&D: To begin with, let us get an understanding from JSA as to why data should be viewed as an asset for any organization and while preparing a legal framework on a company’s data policy what are the most important factors to be considered?

JSA: In 2017, The Economist published an article stating that the world’s most valuable resource, was data, leading to the common refrain about ‘data being the new oil’. The explosion in the use of smartphones and the internet has seen an explosion of personal data over the years.

Data helps to improve products and services, increasing customer satisfaction, and maximizing profitability – in other words operating in a more effective manner.

Never in the past, any organization or institution had the ability to collect so much data as it is doing now, relating to its customers, dealers, employees, etc. The organization by using the right tools can generate valuable information about its products, services, trends, pattern, behavior, etc, from the data it has collected and stored. Such information helps in developing marketing strategies or developing new and innovative products and services.

Further, the entire eco-system like digital revolution, digital economy, e-commerce, use of Artificial Intelligence, etc facilitates the collection of huge data from diverse sources and of different types and nature. Many organizations have realized the importance of data and are using it to promote their businesses and data has become an important asset of any organization. Further, organizations can utilize all their employee data (for instance, analyzing the content of emails) to gauge employee sentiments.

Many organizations have realized the importance of data and are using it to promote their businesses and data has become an important asset of any organization.

The most important factor to be considered whilst preparing a company’s data policy is informed consent from the data subject, on the usage of the data collected. The data subject must be made aware of the protections taken by the company against potential data breaches.

This leads to the next important factor, viz., the protection of the data, and the measures that are being put in place for the protection of the data, including when such data is being transferred to a third party, during the provision of any services.

While the organization has the obligation to protect personal information, and in doing so to adopt the best practices like data minimization, purpose limitation, use limitation, disclosure and transfer with the consent of data subject, notification in case of data breach. It is also imperative that the organization should put in place technical and organizational security and safeguards to protect personal information. At the same time, the organization should be able to use or process the data or information for promoting its business in a manner as permitted by the law.

At this stage, the data protection law in India is not very comprehensive. Indian companies are by and large complying with the existing law in terms of having privacy policy in place

V&D: Are Indian organizations matured enough to handle the laws that comply with data protection? What would be the ramifications of an improper company policy on data protection and how can a counsel help when an organization prepares a legal document on data protection?

JSA: At this stage, the data protection law in India is not very comprehensive. Indian companies are by and large complying with the existing law in terms of having privacy policy in place or taking consent of the data subject for disclosure or transfer of sensitive personal data or information.

As per the information available in the public domain, there are not many instances where Indian companies are held responsible for data breaches. However, it is important to note that awareness drive is required to sensitize people about the importance of their data protection which indirectly will result organizations putting in place security measures to safeguard data of its customers, dealers, employees, etc.

The consequences of improper company policy on data protection is provided in the Information Technology Act 2000 (IT Act) as given below and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Rules), issued under the Information Technology Act, 2000:

Section 43A of the IT Act states that body corporate which possesses, deals or handles any "sensitive personal data" or information in a computer resource is required to maintain reasonable security practices and procedures relating to such data. In case negligence in implementing such measures resulting in a wrongful loss or wrongful gain to any person, it will be liable to pay compensation to the affected person.

Section 72A of the IT Act provides for the punishment for intentionally or knowingly disclosing personal information relating to a person that was acquired for providing services under a lawful contract, without the consent of the person concerned or in breach of a lawful contract.

Under the Rules, improper company policy on data protection would result in damages, to the data subject, whose data has been compromised; although the quantifiable nature of the damages is yet to be determined.

A counsel would be able to take into consideration the business of the organization, and draw up a privacy/data protection policy, which would take into consideration all the legal requirements, and ensure that the organization is compliant with the extant laws.

The Personal Data Protection Bill, once enacted, would have significant and far-reaching impact on companies. Indian companies would need to implement a new and appropriate data management practice.

V&D: On the legal front, what is your opinion about India’s to-be-launched Data Protection Bill? Once unveiled how do you see the bill having a significant influence on data protection in India?

JSA: The Personal Data Protection Bill, once enacted, would have a significant and far-reaching impact on tech companies. Indian companies would need to implement a new and appropriate data management practice, while at the same time, capturing and making better use of such personal data to service the customer.

Additionally, for any non-compliance, the company is likely to be held responsible, with a potential fine of up to 4% of their turnover. The Bill also provides for compensation for the data subject for any harm caused to them due to contravention of the provisions of the Bill. Further, the Bill recognizes the right of a class action suit, where an identifiable class of data subjects have suffered harm. There are certain cases that have criminal liabilities prescribed under the Bill, such as obtaining, transferring or selling Personal Data knowingly or intentionally in contravention of the Bill or re-identification and processing of de-identified Personal Data.

In addition to a more comprehensive data protection practice being established, the Bill also increases the compliance requirements with each company that processes data, required to prepare a 'Privacy by Design' policy, which must be submitted to the Data Protection Authority for certification within a specified period. The policy is expected to substantiate the managerial, organizational, business practices and technical systems that a company has designed to anticipate, identify and avoid harm to the person whose data is being processed.

V&D: What can we learn from the guidelines and principles of GDPR?

JSA: The GDPR, now seen as probably the role model for all countries desiring to implement a data protection legislation, sets out 7 principles for the lawful processing (includes collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction) of personal data. Any country wishing to be guided by the GDPR must ensure that its proposed data protection legislation clearly sets out that the data should be collected for a lawful purpose, and once the purpose is completed, the data destroyed. The data collecting and storage process must be transparent and secure. There has to be accountability (even if this accountability includes State actors) for any data breach. The data protection legislation must not allow State actors to be exempt from any liability for a data breach, if the actor is responsible for such a breach.

The Bill places specific restrictions on cross-border transfers of Sensitive Personal Data (SPD) and Critical Personal Data.

V&D: India is also proposing a mandate to store data in India. What is your take on data storage in India? What would be the compliance checklist that an organization should adhere to this?

JSA: The Bill places specific restrictions on cross-border transfers of Sensitive Personal Data (SPD) and Critical Personal Data. SPD may be transferred outside India for the purpose of processing, with the explicit consent of the data subject and if such transfer is made subject to standard contractual clauses or intra-group schemes that comply with requirements prescribed by the Authority.

However, the Bill mandates storing a copy of or ‘mirroring’ all SPD within the territory of India. SPD has been defined in Section 3(36) of the bill. It includes financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation under its ambit.

The Bill further mandates the storage and processing of all Critical Personal Data exclusively within India, however, does not define Critical Personal Data and leaves it to the discretion of the Government to notify certain categories of data as Critical Personal Data.

The company should ensure that a copy of all SPD is maintained within India.

Having said that, currently, given that the Bill is not yet in force; the company would be required to comply with the extant SPDI Rules. To do so, the company could incorporate the following as part of a compliance checklist:

• Implement reasonable security practices and standards and have a comprehensive documented information security programme and information security policies. The International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such recommended standard;
• Ensure that the security policies contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business;
• Ensure that the reasonable security practices in place are audited by an auditor at least once a year or as and when the company undertakes significant upgradation of its process and computer resource.

Asim Abbas specializes in Technology, Media and Telecommunications (TMT) and has over 25 years of diverse experience in TMT as a civil servant in the Department of Telecommunication, as Vice President (Legal) in the corporate office of Bharti Airtel Ltd and as a Partner with leading law firms of India. He has domain expertise and extensive experience in TMT related assignments relating to Policy, Regulatory, Contractual, Compliance and Approvals, Transactional and Litigation. He has been practicing law since 2000. Prior to being a partner with JSA, Asim was a partner at the law firm of Cyril Amarchand Mangaldas. Prior to 2000, he was working as Director (Tariff & Costing) in the Department of Telecommunication, Ministry of Communications.

Tony Verghese’s practice largely focuses on corporate commercial transactions in various sectors. He handles complex advisory matters, commercial contractual reviews, due diligence exercises, M&A, foreign investment-related matters, real estate, and employment matters. His experience in the telecom and Information Technology sectors involve providing regulatory advice on the licensing regime in India, setting up BPOs, Call Centres, software licensing arrangements, technology licensing arrangements, advice on SEZ, STPI, and other general advisory. Before joining JSA, he has worked in-house (with Bharti Airtel as a legal & regulatory counsel) as well as with other corporate law firms such as Kochhar & Co.