The Wall

12 Dec 2019

Personal Data Protection Bill (‘PDP bill’): A committee of experts was set up under the chairmanship of Justice B. N. Srikrishna in July 2017 to examine the various issues related to data protection in India and suggest a draft PDP bill. The draft PDP bill 2019 which has stirred much debate in the industry and other stakeholders in the country, was tabled before the Parliament in the ongoing winter session this week. Amidst protests by opposition parties that a snooping industry had grown under the present government and that it breached privacy, the bill was on December 11, 2019 referred to a Joint Select Committee of the Parliament which is expected to give its report in early 2020.

The normative framework for the PDP bill was provided in a recent nine-judge Constitutional Bench judgment of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) which recognized the right to privacy as a fundamental right emerging from the right to life and liberty enshrined in Article 21 of the Constitution. The right to privacy included the right to informational privacy i.e., all information about a person is fundamentally her own, and she is free to communicate or retain it for herself. Subsequently, on September 26, 2018, a five judge Constitutional Bench of the Supreme Court while delivering its final judgment in the above case, impressed upon the government to bring out a robust data protection regime.

Thus, the Act if and when passed, for the first time, will put in place a comprehensive regulatory framework dealing with the collection, storage and processing of personal data of individuals (data principals) by the government and private entities incorporated in India and abroad. Currently, the law does little to protect individuals against such harms in India. The transfer of personal data is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPD Rules’). The SPD Rules were issued under Section 43A of the Information Technology Act, 2000 (‘IT Act’) which holds a body corporate liable for compensation for any negligence in implementing and maintaining reasonable security practices and procedures while dealing with sensitive personal data or information. The SPD Rules expand on the scope of these reasonable practices and procedures. While the SPD Rules were a novel attempt at data protection at the time they were introduced, the pace of development of the digital economy made its shortcomings evident over time. For instance, the definition of sensitive personal data is unduly narrow, leaving out several categories of personal data from its protective Chambers of Anuradha Lall December 12, 2019 White Collar Crime and Dispute Resolution Client Update remit. Further, its obligations do not apply to the government and may, on a strict reading of Section 43A of the IT Act be overridden by contract. The Act, if and when passed, will replace Section 43A of the IT Act and the SPD Rules.

Briefly stated, the key elements of the PDP bill are as follows:

  • Prohibits processing of personal data (i.e., basically data which helps to identify an individual) except for specific, clear and lawful purposes;

  • Imposes obligations on the data fiduciary (i.e., the person who determines the purpose and means of data processing) with regard to collection and processing of personal data;

  • Consent of data principal is necessary to process personal data. Consent for processing ‘sensitive personal data’ (defined to include financial, biometric, genetic, health, official identifier, caste or tribe, religious and political beliefs) requires explicit consent;

  • ‘Sensitive personal data’ can be transferred outside India subject to certain conditions, but must be stored within India. ‘Critical personal data’ (as notified by the central government) must be processed only within India;

  • Non-consensual basis for processing personal data includes: (i) performance of functions by the State such as provision of services or benefits to data principals (ii) if authorized by any law (iii) compliance with any order or judgment of court of law or tribunal (iv) medical emergency (v) public health or epidemic (vi) disaster or breakdown of public order (vii) certain employment purposes including recruitment and termination (viii) for other reasonable purposes as prescribed. Such reasonable purposes could include prevention and detection of any unlawful activity/ fraud, whistleblowing, mergers and acquisitions, recovery of debt and credit scoring;

  • Rights granted to data principals to seek confirmation and access, correction and erasure, portability of data and to be forgotten;

  • Provides for the setting up of a Data Protection Authority (‘DPA’) to inter alia monitor and enforce compliance with the Act;

  • ‘Significant data fiduciaries’ created as a separate class based upon factors such as volume of personal data processed, its sensitivity or risk of ‘harm’ (as defined). Provides for additional obligations upon them;

  • Data fiduciary must notify DPA of any data breach that is likely to cause ‘harm’ to the data principal;

  • Data fiduciary must prepare a privacy by design policy as prescribed, which must be placed on the web-site of data fiduciary and DPA;

  • Importantly, it exempts the applicability of the Act or parts thereof, where processing of personal data is necessary (a) by agencies of the government in the interest of integrity, sovereignty and security of the State, for friendly relations with other States or public order (b) investigation and prosecution of any offence and contravention of any law (c) in enforcing or defending any claim and seeking legal advice in impending legal proceedings (d) by a court or tribunal in exercise of judicial function (e) personal and domestic purposes (f) journalistic purposes;

  • The central government may also exempt (a) data processing of data principals outside India by a data processor in India pursuant to a contract and (b) subject to certain conditions, for purposes of archiving, research or statistics;

  • The Act provides for civil and criminal liability for its violation resulting in monetary penalties and/or imprisonment. Monetary penalties can go upto INR 15 crores (USD 2.1 million) or 4% of the total worldwide turnover of data fiduciary whichever is higher.

Thus, as and when the Act is passed, data fiduciaries will require organizational, technological, managerial and policy changes to ensure compliance with the Act. Significantly, the Act will also impact the collection and processing of personal data and its transfer outside India during corporate investigations.

Supreme Court holds that previous government sanction not required for prosecuting retired public servant: In a recent judgment by a three judge bench of the Supreme Court in Station House Officer, CBI/ ACB/ Bangalore vs. B.A. Srinivasan and ors. (decided on December 5, 2019), the Supreme Court has held that prior sanction from the government is not required for prosecution of a public servant who has retired.

In this case, the Respondent retired on October 31, 2012 as Assistant General Manager of Vijaya Bank, a public sector bank. A First Information Report was registered on October 28, 2013 by the bank alleging that, the Respondent had entered into a criminal conspiracy with some others to cheat and defraud the bank, by giving loans and credit facility to a company, on the basis of fake and fabricated documents, without proper due diligence and in gross violation of all the rules and regulations of the bank. The Respondent was charged in respect of the said offences committed under the Indian Penal Code, 1860 read with the PCA, 1988.

The Respondent moved an application seeking discharge from the case on the ground that prior permission of the government had not been obtained, which the trial court dismissed, but which was allowed in revision by the Karnataka High Court. The High Court held that previous sanction of the government was required under Section 19(1) of PCA, 1988 so as to insulate public servants from getting entangled in frivolous and false cases and that such protection available to a public servant while in service, should also be available after his retirement.

Setting aside the order of the Karnataka High Court, the Supreme Court held as follows: First, that the law on the point had been clearly established by it in S.A. Venkataraman vs. the State (1957) (which dealt with interpretation of Section 6(1) of the PCA 1947, which was pari materia with Section 19(1) of PCA, 1988) that prior sanction was not required for retired officials and that this ruling had been consistently followed by the Supreme Court in subsequent cases. Second, that Section 197 of the Criminal Procedure Code, 1973 which mandated that prior sanction of the government should be obtained in case of a public servant if he had committed an offence ‘while acting or purporting to act in discharge of his official duty’, did not come to aid of the Respondent, because while colluding to cheat and defraud the bank, the Respondent was not discharging any official duty, rather he was acting for his own benefit. The Supreme Court held that, for invoking the protection of Section 197, the acts of the accused must be inseparable from the official duty. However, if there is no such connection, then the official status merely furnishes an opportunity or a cloak for the offence and in that case, no prior sanction was required.

It may be mentioned that, Section 19(1) of PCA, 1988 is not pari materia with Section 6(1) of PCA, 1947, because while Section 6(1) refers only to a “person who is employed” with the government, Section 19(1) deals with both a “person who is employed or as the case maybe, was at the time of commission of the alleged offence employed”, and the Supreme Court did not reason why the latter part of Section 19(1) could not include retired officials. Regardless, the above ruling remains the law in India and gives an impetus to speedier prosecution in cases of corruption involving public servants.

India Corruption Survey, 2019: LocalCircles in collaboration with Transparency International India has concluded its survey to ascertain the level of domestic corruption in the country and gather citizen pulse on corruption. This survey has been conducted third year in a row, across 20 states and has been compiled in a comprehensive report titled the ‘India Corruption Survey 2019’. The survey notes that the PCA, 1988 which was amended significantly in July 2018 with a view to strengthening the fight against corruption has started to show some effects as is evident from the numbers in the survey.

The key highlights of the survey are:

  • Bribery reduced by 10% in the year 2019 as compared to the year 2018;

  • 51% of the respondents paid a bribe in the last 12 months as compared to 56% in the year 2018;

  • The departments where maximum bribes were demanded were property registration and land issues, police, municipal corporation and transport;

  • Awareness about existing state hotlines/helplines to report corruption is still a big issue as 61% of the respondents said they were unaware of any such hotline in their state;

  • Although CCTVs are a slight deterrent, bribery still continues in government offices despite major computerisation;

  • Cash is still the preferred way to pay bribes, though bribes were also paid by way of gifts and other favours or, indirectly through agents who continue to thrive;

  • Bribes were paid largely due to coercion or inefficiencies prevailing in government offices;

  • Only 6% of the respondents said that effective steps had been taken by their state government or local administration to reduce corruption in the last 12 months.

National data-base of Economic Offenders (‘NEOR’): As per news reports, the central government is preparing a comprehensive database of economic offenders called the National Economic Offence Records (‘NEOR’), which is a web-portal that will disseminate information to grassroots level officers of enforcement and investigating agencies. The NEOR which is likely to be ready in a year, is being prepared by the Central Economic Intelligence Bureau (‘CEIB’), an arm of the Ministry of Finance. All other central agencies, including CBI, Customs, Enforcement Directorate, Income Tax, Directorate of Revenue Intelligence and Directorate General of Goods and Services have been asked to regularly update the portal from their nationwide offices. In addition to the central agencies, the economic offences wing of the state police and other agencies will have to now mandatorily participate in the NEOR in terms of sharing of intelligence and investigation reports of cases registered by them. NEOR will help in coordinated action by multiple agencies against corrupt officials and corporate houses indulging in financial frauds and money laundering.

Disclaimer:

This memorandum is provided for educational and informational purposes only and is not intended and should not be construed as legal advice.

Bar Council of India Rules prohibit any advertising by registered advocates and no part of this memorandum should be construed in any way as an advertisement or a solicitation for business.