Since July 27, 2018, when a committee of experts appointed by the Indian government first published a draft of a comprehensive data protection law until approval of its revised version in the form of the Personal Data Protection Bill 2019 by the same government, a lot has been contributed to the literature on data privacy laws (or the lack of them) in India.

The most common conclusion emerging from such literature is the Privacy Bill being referred to as a replica of the EU General Data Protection Regulation. This conclusion may not be wrong if you limit your comparison to broad topics under both the regimes, which look strikingly identical. For instance, the concept of “data controller” under the GDPR appears to be the same as “data fiduciary” under the PDPB, who has to comply with most of the legal obligations rather than entities that process personal data on behalf of the data controller/fiduciary. Similarly, the list of privacy principles under the PDPB looks like GDPR principles, so is the definition of “personal data” containing a catch-all language covering almost every piece of information that can directly or indirectly identify an individual.

Although deviations do exist among key privacy principles, such as the PDPB's data localization requirement, a careful analysis suggests the PDPB is different from the GDPR even on those principles that otherwise look the same or similar. In this regard, for those who may not be familiar with the GDPR, you cannot process data unless you have one of the following lawful bases available:

  1. Consent.
  2. Contractual performance.
  3. Legal obligation.
  4. Vital interest.
  5. Public interest.
  6. Legitimate interest.

One of the most common grounds for processing is probably “legitimate interest,” such as fraud prevention. Any company would have a legitimate interest in preventing fraud from occurring, although the balancing test for legitimate interest must still be carried out, including not justifying doing just anything you want under the guise of fraud prevention.

Bases 3, 4 and 5 are fairly narrow and of limited general-purpose use, only available in certain circumstances. This leaves us with (1) and (2), “consent” and “contractual necessity.”

Surprisingly, the PDPB does not mention “contractual necessity” as one of the legal bases for processing. This means the only option available to companies is to seek the consent of the data subject for processing data unless one of the narrow and situation-based lawful basis is available, such as legal compliance, medical emergency, or employment.

What the PDPB does not seem to acknowledge is that the majority of businesses today (at least in an online services environment) often rely heavily on “contractual performance” as an appropriate lawful basis for processing personal data — that is, where a company transfers data to another company to fulfill a contractual obligation. For instance, travel bookings require sharing of data with airlines and hotels; shipments of products require sharing of data with carriers and customs officials.

While it is not entirely clear as to why the drafters of the PDPB chose to not consider (or maybe consider and then ignore) “contractual performance” as a ground for processing personal data, this omission or ignorance raises several key issues for the data fiduciaries, as well as individuals.

Does compliance with India's bill lead to GDPR violation?

Firstly, for data fiduciaries covered under the PDPB, which are already GDPR compliant and processing EU data, the situation will not be so straightforward. This confusion results from the PDPB's definition of "data principal," which means the natural person to whom the personal data relates. You may assume that data principals are Indian citizens, but that analysis seems to exclude the explicit language of the PDPB and practical considerations, such as tourism, travel, workers abroad and much more to consider. Because the PDPB uses inconsistent qualifiers when referring to data principals and informal descriptions of who a data principal is, it cannot be said on a definite basis that the PDPB does not cover EU citizens.

In this regard, the U.K. Information Commissioner’s Office’s Guide to Data Protection provides, “You must determine your lawful basis before starting to process personal data. It’s important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, it will be difficult to simply swap to a different one. Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.”

The data fiduciaries that have been processing data covered by the GDPR, as well as PDPB, only on the basis of "contractual performance" will have to obtain the consent of the individual (unless another lawful basis is available) to continue to process such data in compliance with the PDPB. However, such swapping appears to have been restricted by the GDPR in light of the guidance issued by data protection authorities, such as the ICO, which may leave Indian companies at the crossroads. That is, it will be difficult to comply with one law without violating the other.

Secondly, even if data fiduciaries are assumed to be not violating the GDPR if they change the lawful basis, it will be a challenge for larger organizations. For instance, a company with several foreign subsidiaries will face a practical necessity to redefine and recommunicate policies regarding data collection, usage, disclosure, access, protection and other processing aspects to individuals, as well as other interested parties involved in the data flow, and may probably need to reimplement the host of protocols around its data usage.

Does data fiduciaries’ loss mean individuals’ gain?

The PDPB hinges on "consent." While it’s not easy to dispute that “consent” places individuals in more control of the data that you possess about them, having “consent” as the only lawful basis (considering other lawful bases are only situation-based rather than generally applicable) appears to ignore the practical difficulties faced by the individuals and companies alike in achieving a “consent” that could be considered valid under the PDPB.

Consent is valid only if the individual grants it in an informed, voluntary, specific and probably written manner (although “written consent” is not a requirement that the PDPB expressly mentions), and it’s not always practical to meet these requirements. A business may not have any direct relationship with data subjects, hence cannot approach them for seeking consent. Also, with technology changing at an unprecedented pace, it’s always a challenge to obtain and maintain consent with sufficient specificity; companies need to update consent forms frequently. This creates a mist around the real benefits that individuals could enjoy if you do away with “contracts” with them as one of the legal bases for processing their data. Compare “contractual performance” (where the burden lies with the data fiduciary to prove that the processing is necessary for the performance of a contract) with “consent” as the only lawful basis with which an individual receives a conspicuous consent form and then expressly declares acceptance. In the case of latter, the individual may be less likely to challenge the data-processing practices described in the consent form, whereas an individual may be better off if they allow the data fiduciary to process their data, only if necessary, to perform a contract.

What about freedom of contract?

Article 6(1)(b) of the GDPR provides for “contractual performance” as a lawful basis for processing data. According to Guidelines 2/2019 issued by the European Data Protection Board, Article 6(1)(b) of the GDPR supports the freedom to conduct a business guaranteed by Article 16 of the Charter of Fundamental Rights of the European Union. These guidelines further state that this provision reflects the fact that sometimes the contractual obligations toward the data subject cannot be performed without the data subject providing certain personal data.

The Constitution of India under Article 19(1)(g) also enshrines a fundamental right to Indian citizens to do business. Therefore, the non-availability of “contractual performance” as a ground for processing data may render the PDPB to be in direct conflict with Article 19(1)(g), at least in theory. The only provision in the PDPB that could potentially resolve this conflict appears to be Section 14, in which the data protection authority specifies “contractual performance” as one of the reasonable purposes for processing data.

While the PDPB has been referred to a joint select committee, it’s unlikely that the bill's original grounds for processing data will be amended since none of the debate points directly deals with the list of lawful bases for processing. This would mean that data fiduciaries won’t be able to process personal data to perform a contract and may have to look for a different lawful base, “consent” being one of the most obvious options. Section 14 of the bill provides limited comfort if the DPA specifies “contractual performance” as one of the reasonable purposes for which personal data could be processed. But, for this to happen, a DPA first needs to be established, which, again, is a thing of the future. Until then, “consent” seems to be the only good choice.

Photo by Srikanth D on Unsplash