Tag Archives: data protection

Draft E-commerce Policy: The dawn of a new beginning

Data is the basic building block of everything we are trying to do in this age of Industry 4.0. Data is a valuable resource for any individual, corporation or the Government. Data can be used for analytical, statistical, business, security purposes among various other things. Keeping ‘data’ central to the idea of governing the e-Commerce industry in India the Department for Promotion of Industry and Internal Trade on February 23, 2019, published the ‘Draft e-Commerce Policy’ (“Draft Policy”).

The overall objective of the Draft Policy is to prepare and enable stakeholders to fully benefit from the opportunities that would arise from progressive digitalization of the domestic digital economy. The Draft Policy focuses on data protection, the State’s paternalistic attitude towards the use of the citizen’s data and cross border transactions. The Draft Policy intends to regulate some things beyond e-commerce i.e. it proposes to regulate technologies like AI, IoT, Cloud computing and Cloud-as-a-Service etc. On a holistic level, it is understood that these technologies empower e-commerce industry currently and are integral to its growth and therefore the Government intends to bring these technologies under the purview of the Draft Policy. The Draft Policy is a mix of visionary thought process, advanced technological solutions, putting in place digital infrastructure to support India’s digital economy etc.

DATA

The Draft Policy resonates the idea and intent of the legislature that is formulated under the Data Protection Bill, 2018 as far as the rights over data of an individual is concerned. The collective idea of the Draft Policy is to streamline the protection of personal data and empowerment of the users/consumers with respect to the data they generate and own. Though the question to be assessed here is whether this is the real intent of the Draft Policy?

The Draft Policy recognises the rights of an individual over its data by stating that “An Individual owns the right to his data” and therefore the use of an individual’s personal data shall be made only upon seeking his/her express consent. It further states that the data of a group is a collective data and therefore a collective property of that particular group; it extends this rationale to state that “Thus, the data that is generated in India belongs to Indians, as do the derivatives there from”. But the Draft Policy ends up categorising data of Indians as a collective resource and therefore a “national resource”.

The abovementioned intent of the Draft Policy is fair and strives to achieve the greater good of the country, but at what stake? If personal data belongs to an individual then this objective appears that the State wants to interfere with the personal rights of a person. The Draft Policy clearly states that “All such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer’s consent”, what follows this point in the Draft Policy, restricts sharing of data with any third party in a foreign country even if the individual has consented to such sharing of the data.

The intent behind such restriction is that currently, India lacks stringent laws regarding cross-border flow of data. If there are no strict restrictions on cross-border flow of data Indian stakeholders will merely be engaged in back end processing of data for the EU / US based e-commerce entities without having the ability to create any high-value digital products. While the Government considers data as a national resource and compares it with coal, telecom spectrums etc. it ignores the fact that the inherent nature of personal data is that it belongs to an individual and not to the State, unlike coal.

The obvious reason as to why the State is taking such a stance is to eliminate issues related to consent asymmetry. But is this paternalistic attitude warranted?

If the Government is worried about foreign countries using our national resource i.e. data to their advantage it should put in place stringent data privacy and protection laws in India taking inferences from other countries.

DATA INFRASTRUCTURE

The Draft Policy takes forward the digital India initiative and intends put in place secure and digital infrastructure and encourage the development of data –storage facilities/ infrastructure including data centres, server farms, towers, tower stations, equipment, optical wires, signal transceivers, antenna etc.

The Government will add the above-mentioned infrastructure facilities in the  ‘Harmonized Master List’. This will enable regulation of the listed infrastructure in a more streamlined manner. Whereas the infrastructure will be put in place by various implementing agencies, while financing agencies may identify these as infrastructure that they may intend to support. This will facilitate achieving last mile connectivity across urban and rural India.

The Government by developing such data/digital infrastructure wishes to support India’s fast-growing digital economy and create employment.

EASE OF REGULATION

Given the interdisciplinary nature of e-commerce, it is important for the Government to tackle various regulatory challenges. The Draft Policy suggests formulating a Standing Group of Secretaries on e-Commerce (SGoS), which shall be an important body for tackling various legal issues emerging from various statutes such and Information Technology Act, 2000 and rules thereunder, the Competition Act, 2002 and the Consumer Protection Act, 1986.

Additionally, the Draft Policy states that “All e-Commerce websites and application available for downloading in India must have a registered business entity in India as the importer on record or the entity through which all sales in India are transacted”.

SIGNIFICANT HIGHLIGHTS OF THE DRAFT POLICY

  • The Government intends to continue charging custom tariffs on any digital goods being traded electronically (imposing custom duties on electronic transmissions). Whereas the Government is strict on its stance of not accepting the permanent moratorium on custom tariffs for goods (including digital goods) traded electronically as proposed by the WTO.
  • The Draft Policy states that there should technological standards put in place for emerging technologies like IoT, AI etc.
  • The Draft Policy introduces a term, namely ‘Infant Industry’ under which small scale entities facing entry barriers to enter the market will be integrated with market keeping data as a central to this integration. This will also help strengthen platforms like ‘e-lala’ and ‘Tribes India’.
  • The Government intends to establish technology wings in each Government department.
  • The Government intends to streamline the process of importing goods in India and harmonise the functions of various administrative bodies involved in the process of import of goods in India.
  • A body of industry stakeholders will be created that shall identify ‘rogue websites’. These rogue websites will be added to ‘Infringing Website List’ (IWL). IWL will enable the ISPs to remove or disable these websites. It will also enable payment gateways to curtail the flow of payments to or from such rogue websites. Search engines will be able to efficiently remove such rogue websites identified in the IWL.
  • There shall be no trade mark infringement and customers at large shall not be deceived by using deceptively similar trademarks. In case an e-Commerce entity receives a complaint about a counterfeit/fake product which is manufactured with intent to deceive the customers. The e-Commerce entity shall convey such misuse of the trademark within 12 hours from receiving the complaint to the trade mark owner. Whereas in case any prohibited goods/products have been sold on any e-commerce platform the entity operating such e-Commerce platform shall delist such products within 24 hours from receiving such complaint.
  • Any non-compliant e-Commerce entity will be not be given access to operate in India.
  • All e-Commerce sites/apps available to Indian consumers shall display prices in INR and must have MRPs on all packaged products, physical products and invoices generated.
  • In the view of misuse of ‘gifting’ route, as an interim measure, all such parcels shall be banned, with exception of life-saving drugs.
  • Details of sellers shall be available for all the products sold online.
  • Sellers shall provide undertaking regarding genuineness of any product sold online.
  • In case of a counterfeit product is sold to a consumer, the primary onus to resolve such an issue will be of the seller but the intermediaries shall return the money paid to them by the customer and the marketplace shall seize to host such products on their platforms.
  • The intermediaries shall curtail piracy on their platforms.
  • An integrated system that connects Customs, RBI and India Post to be developed to better track imports.
  • The Draft Policy also intends to simplify the processes involved in export of goods by doing away with redundant requirements such as the need to procure Bank Realisation Certification

Once the final e-Commerce policy is enacted what will be interesting to see is whether Government opts for ease of governance or ease of doing business.

Overall this Draft Policy is a positive step towards making India one of the most prominent digital economies in the world, especially considering the strict stance the Government has taken during the WTO negotiations by not accepting the permanent moratorium on waiving custom duties on digital goods sold through electronic transmission. The Government intends to boost the local and home grown e-Commerce business entities and to provide a level playing field for MSMEs by retaining the rights to impose tariffs on electronic transmission through e-Commerce. Certain issues regarding data/personal data of an individual still needs a deep intellectual thinking, integrated with a practical approach from the Government before implementing a sector-wide policy, especially keeping in mind that at the end of the day personal data belongs to an individual and the use of such personal data shall be the decision of the respective individuals and not of the State.

Author: Manas Ingle, Associate, NovoJuris Legal

Advertisements

Data Protection and the many facets of it: Inter-collegiate Essay Competition

NovoJuris Legal is proud to announce the Inter-collegiate Essay Competition on Data Protection and its various facets. 

Data Protection has taken very high importance not only in India but across the World. The Personal Data Protection Bill, 2018 (“Bill”) and the Data Protection Committee’s (“Committee”) Report (released on 27 July 2018) provides for the framework and the policymakers’ insight on protection of individual’s privacy and personal data in India. The Bill has set high expectations particularly after the European Union’s General Data Protection Regulation (“GDPR”) came into force on 25 May 2018. It is also essential to note the important judgments including the now famous “Aadhar case” of Justice Puttaswamy (Retd.) V. Union of India.

Reserve Bank of India (RBI) in April this year has mandated that all data generated by the payment systems in India, is to be stored in India. The Ministry of Health and Welfare has also published the draft legislation called Digital Information Security in Healthcare Act, to safeguard e-health records and patients’ privacy.

Thus, all these new rules/policies/regulations (collectively referred as “the Data Protection Framework”) indicate a very strong direction that the Government wishes to undertake on protection of data including but not limited to data localisation, which helps in enforcing data protection, nation’s security and protect its citizen’s data, better control on transmission of data outside the country and more.

Topics for the Essay Competition:

The following sub-themes have been identified as requiring academic consideration:

  1. General Data Protection Regulation in European Union has raised the bar on legislation on data protection across the world. Would this be beneficial or would it stunt technological growth and innovation?
  2. Is our Privacy safe under the Aadhar scheme? A critical analysis of change in the privacy law regime post Aadhar case in India.
  3. Implication and critical analysis of the Data (Privacy and Protection) Bill, 2017.
  4. Do we need a stronger consumer centric data protection law in India like the Customer Online Notification for Stopping Edge – Provider Network Transgressions (CONSENT Act), USA in the aftermath of the Facebook data breach incident?
  5. With all the industry specific regulator (RBI, TRAI, MHoW and etc.) providing various regulations, guidelines and draft policy notes with regards to Data Protection Framework in India, what do you think the outcome will be? Is India formalizing a uniform law for data protection?

Important Dates

▪ Submission Date – The essays must be submitted on or before 11:59 PM on 30 January 2019.

▪ Declaration of the Result on 31 March 2019.  – The winners of the competition shall be notified by email and by declaration of results of the competition on this website.

Details about the prizes, guidelines for submission and other details can be found here.  Intercollegiate-Data Privacy Essay-Competition-NovoJuris

 

Data Localisation: India’s policy framework

The Personal Data Protection Bill, 2018 (“Bill”) and the Data Protection Committee’s (“Committee”) Report (released on 27 July 2018) contains the framework and the policymakers’ insight on protection of personal data in India. The recent Draft e-commerce policy indicates Government’s thought process on storing data in India. The Reserve Bank of India (RBI) in April this year mandates that all data generated by the payment systems in India, is to be stored in India. The Ministry of Health and Welfare has published the draft legislation called Digital Information Security in Healthcare Act, to safeguard e-health records and patients’ privacy.  Thus, all these new rules/policies/regulations (collectively referred as “the Data Protection Framework”) indicate a very strong direction that the Government wishes to undertake on data localisation, which helps in enforcing data protection, secure nation’s security and protect its citizen’s data, better control on transmission of data outside the country and more.

We believe initial steps were taken when under the Companies Act, 2013, the maintenance of books of account in electronic form, required copies to be kept in servers physically located in India.

Many questions abound that the Government take fast paced measures in enabling the infrastructure to build data-centres, which in-turn requires land clearance, electricity etc., ability to keep the operational costs for SMEs low, jump-starting initiatives on artificial intelligence, delicate balance to be maintained on surveillance and protection.  On a positive note, this provides entrepreneurial opportunities in building data centres, alternative energy/ solar grids etc.

Data Localisation under the Data Protection Committee’s Report and the Bill

Chapter 6 of Committee’s Report provides compelling arguments on ‘Transfer of Personal Data Outside India’, where the Committee notes Laissez Faire economy of data, i.e. where free flow of data is the norm and to restrict as an exception. It also recognizes that an embargo on data crossing borders as curbing personal liberty of people. The Committee recommended that even if the intended destination is across borders, all data to which Indian laws would apply would need to be stored locally as well. The Central Government may decide that certain data may not be permitted to be taken out of the country and requiring its processing to be done locally. To highlight sections 40 and 41:

  • The Central Government shall determine categories of sensitive personal data which are ‘critical’ in nature having regard to strategic interests and enforcement, this personal data can only be processed in India.
  • Transfer of other non-critical personal data will be allowed subject to one serving copy of it being stored in India.
  • Cross border transfers of personal data, other than critical personal data will be through model contract clauses with the data transferor being directly liable to the data principal.

Mandatory Data Localisation being prescribed under different aspects

Localisation of Payment Systems Data mandated by RBI: Even before the release of the Committee’s Report and the Bill, data localisation was touched upon by RBI in its Notification of 9 April 2018, where it directed all payment system providers to ensure that all data relating to the payment systems are to be stored in systems situated only in India. Under the said notification, the RBI includes ‘full end-to-end transaction details’, ‘payment instructions’ and other information collected, processed, carried, etc. to be within the ambit of data which is required to be stored. The maintained are to be annually audited and reported to RBI.

Localisation of Data under the National E-Commerce PolicyThe Draft National Policy Framework (the “National e-commerce Policy”) concerning the ‘Digital Economy’ seeking to regulate the ‘e-commerce’ sector in India, proposes localisation of several categories of data involved in e-commerce. The intent stated is to create a ‘facilitative eco-system’ to promote India’s digital economy through measures such as, data generated by users in India from sources such as e-commerce platforms, social media, search engines, etc., and all community data collected by Internet of Things (IoT) devices in public spaces are to be stored exclusively in India and sharing of such data within the country is proposed to be regulated.

The localisation of data is not absolute and cross-border flow is allowed for a handful of cases, such as for software and cloud-computing services involving technology related data-flow (which are free of any personal or community implications) and other standard exceptions consistent with the views expressed in the Committee’s report.

Localisation under the draft amendment to Drugs and Cosmetics Rules, 1945

The recent draft amendment proposed to the Drugs and Cosmetics Rules, 1945, for regulating e-pharmacies, makes it clear that e-pharmacies web-portals have to be established in India for conducting its business in India and data generated to be stored locally. The draft rules states that under no means the data generated or mirrored through e-pharmacy portal shall be sent or stored by any means outside India.  

Data Centres in India

For the data to be stored locally, data centres need to be established, regulated and function under the law. The demand for companies to host their data in India stemmed from  security perspective. The major issues with data localisation is not only of cyber security but also jurisdiction. Cloud computing softwares have taken advantage of the economies of scale and an infrastructural architecture across the world. Thus when there is a threat presumed in one part of the world, the algorithm would move the data to another location or even in multiple locations. In addition to this the Cyber Security Report, 2017 released by Telstra have reported that businesses in India were most at risk to cyber security attacks. Further the organisation in India have experienced the highest number of weekly security incidents of all Asian countries surveyed.

The Privacy Bill provides that the Central Government to notify categories of personal data for which the data centres have to be established in India and the Authority to be established under the legislation to be responsible for the compliances.  Further for achieving its goal of facilitating India’s ‘Digital Economy’, the National e-Commerce Policy purports to grant “infrastructure status” to data centres and server farms in India. An infrastructure status by getting listed under the Harmonized Master List of Infrastructure Sub-sectors by the Department of Industrial Policy and Promotion (DIPP) entails that it’ll be easier to get credit to enter into these operations. This would be accompanied by tax-benefits, custom duties rebates and also 2-year sunset period before localisation becomes mandatory. However, these incentives are only being considered and not promised as of yet.

Cost-Benefit Analysis on Data Localisation

In Chapter 6 of its report, the Committee takes up a detailed analysis of the benefits and repercussions of adopting mandatory data localisation in India. Benefits as stated in the report include:

  • Reduction in the costs of enforcement of India’s own laws because of easier availability of data within its jurisdiction, the cost and time spent on co-ordinating with foreign agencies for access to requisite data being reduced.
  • Overseas transactions of data involve reliance on fibre optic cable networks spread around the world, which are vulnerable to attacks and perhaps localisation of data may reduce this security risk.
  • Having copies of all data collected in India will be a huge boost to the digital infrastructure as the domestic industry will now be able to harness a lot of data. For instance, the report points out that developments in Artificial Intelligence will see a great boost from this.
  • As a matter of national security, the complete localisation of critical data prevents any foreign surveillance of India’s internal affairs.

The report also states that the localisation of data can have its costs too, however it severely downplays them. The report recognizes that to make storing of data mandatory in India, will result in a burden on the domestic enterprises which use foreign infrastructure like cloud computing for running their businesses. The implications include the increased costs of doing business for small and medium businesses, also there may be the danger of monopolization in the digital infrastructure because only a few firms would have the expertise and capital to invest in creating huge data centres in India. However, the Committee states that they are not persuaded by this argument and are confident that the potential of the Indian market will adequately trump the additional cost of setting up the infrastructure.

 Our observations

Digital India and building a thriving Digital Economy in India, building strong competencies in artificial intelligence, protecting nation’s security and data of its citizens are very critical and is now becoming mandatory for India. Establishing a strong domestic infrastructure is a big commitment for the Government, which includes making available vast tracts of land, uninterrupted power supply to the data centres and such other pre-requisites. It is to be seen how India can harvest the long term benefits.

Important reading material:

https://economictimes.indiatimes.com/news/economy/policy/draft-ecommerce-policy-champions-india-first/articleshow/65206404.cms

https://economictimes.indiatimes.com/news/economy/policy/as-ministries-argue-draft-ecommerce-policy-lands-with-pmo/articleshow/65495585.cms

https://inc42.com/features/draft-indian-ecommerce-bill-favouring-domestic-players-at-the-cost-of-the-ecosystem/

Personal Data Protection Bill, 2018 – An overview with brief analysis

Justice BN Srikrishna Committee (“Committee”) which was formed with an intent to have a highly effective data protection law in India has finally submitted the draft bill to the Ministry of Electronic and Information Technology (“Ministry”) on 27 July 2018. The draft bill namely Personal Data Protection Bill, 2018 (“Draft Bill”) is a great expectation particularly after the European Union’s General Data Protection Regulation (“GDPR”) came into force on 25 May 2018. The Draft Bill is introduced at very important juncture, especially after recent judicial orders and judgments in the Aadhar case and in Justice Puttaswamy (Retd.) V. Union of India and Others.

Trust: The Draft Bill introduces concepts of ‘Data Fiduciary’, ‘Data Principal’ and ‘Data Processors’ are akin to concepts of ‘data controller’ and ‘data subjects’ in GDPR. The underpinnings as per Chapter 1, Part C, of the Committee report is of “trust” between a Data Fiduciary and a Data Principal.

data protection

Extra- territorial: Like GDPR, the Draft Bill provides for protection extending beyond India. Section 2(2) states that the legislation shall apply to the processing of personal data by data fiduciaries or data processors not present with in the territory of India, if they process data in connection with business in India, goods or services offered in India, profiling of data principals in India. This may not be applicable for processing anonymised data.

It is interesting to note that State as well as the private and public private sector, come within the ambit of the legislation.

Data: Data under the Draft Bill has been defined broadly to include information, facts, concepts, opinion or instructions whether processed by humans or automated means. It is not just personally identifiable information. The Draft Bill covers issues and matters relating to data protection, collection of data, storage, purpose of collection. Section 8 of the Draft Bill lays out procedure for collection of data, notice / intimation to be provided to the Data Principal (ie., the natural person’s data) while collecting any and all kinds of data.

Disclosures: Under Section 8, there are mandatory disclosures that the Data Fiduciary (ie, any person such as State, juristic entity, individual who determine the purpose and means of processing personal data), has to provide to the Data Principal for collecting the Data. Some of them are (i) the purpose for which the Data is being collected, (ii) categories, (iii) identity and contact information of Data Fiduciary, (iv) the Data Fiduciary will have to compulsorily inform the Data Controller about the right to withdraw consent, (v) Period for which the Personal Data will be retained. It is in this regard that the Data Fiduciary while collecting such Data, shall provide the information in a clear and concise manner, and this would include giving such information to the Data Principals in “multiple languages” where necessary and practicable. The use of multiple languages to provide information would aid such Data Principals who are only familiar with their vernacular language.

Storage: Section 10 has laid down that the Data Fiduciary shall retain the Personal Data only as may be reasonably necessary to satisfy the purpose for which it is processed.  Some of the fintech companies have raised a concern that they use the data collected on regular intervals to keep a track of their customers, even after the purpose is fulfilled, as part of their business offerings itself. Data storage should be read in conjunction with various legislations which provide for data retention, for example, records supporting financial statements of a company has to be retained for 8 years.

Kinds of data:

  • Personal Data;
  • Sensitive Personal Data (“SPD”);
  • Biometric Data;
  • Financial Data;
  • Genetic Data; and
  • Health data.

Section 3 (35) defines religious and political beliefs, caste or tribe, intersex status, transgender status as SPD. Even passwords, financial data and health data fall under SPD. Certain sections of the society have opined that passwords should not be part of SPD and that it is a stretch. What perhaps should be included is a higher level of protection to the Data Principal from instances of profiling, discrimination, and infliction of harm that is identity driven.

Consent: Consent forms the basis for processing Personal Data or SPD. Section 12 details the way to obtain consent from the Data Principal, no later than prior to processing. Shouldn’t it be prior to collection? Collection and processing of SPD has a higher rigour, including explicit consent to be obtained by Data Fiduciary for processing

The consent should be free, informed, specific, clear, and capable of being withdrawn.  It is crucial to note that when the Data Principal withdraws her consent, which was necessary for the performance of the contract to which the Data Principal is a party, then all the legal consequences for the effects of such withdrawal shall be borne by the Data Principal. Wouldn’t this be a burden on the Data Principal? Opinions are also raised that such consent should not be unilaterally withdrawn by the Data Principal and such withdrawal should only be permitted in the context of the Personal Data.

Further, additional grounds have been laid down for the processing of Personal Data which includes: (i) processing for the functions of the State;(ii) processing in compliance with law or any order of the tribunal; (iii) processing which is necessary for prompt action; (iv) processing for the purpose related to employment; and (v) processing for reasonable purpose. Processing of Personal Data for the purpose for reasonable purpose, as mentioned in Section 17, is a bit wide and allows the data privacy authorities to specify the purposes on which such processing can take place. This includes a broad range of activities such as whistle blowing, mergers and acquisitions, recovery of debt, credit scoring, fraud, publicly available personal data, etc. This would need a balance of a very effective right for data erasure, which is not provided in the Draft Bill.

Data Principal Rights: Chapter VI contains the rights to the Data Principal such as (i) Right to confirmation and access; (ii) Right to correction; (iii) Right to Data Portability; and (iv) Right to be forgotten. These are similar to the rights under GDPR. However, the Right to be forgotten which is provided under Section 27 of the Draft Bill only entitles the Data Principal(s) to have the right to restrict or prevent continuous disclosure of Personal Data.  The Right to be forgotten does not include within its ambit the right of data erasure, which allows the Data Principal to erase his personal data as mentioned in GDPR. On one hand, we can interpret that a Data Principal does not have a right to erasure but on the other hand, a Data Fiduciary is mandated to retain the Personal Data only as may be reasonably necessary to satisfy the purpose for which it is processed.

Transparency and accountability measures:  Ample safeguards have been provided to ensure that the Data provided by the Data Principals should be processed in a transparent manner and the Data Fiduciary be held accountable for its action. Chapter VII of the Draft Bill provides for mechanisms to ensure transparency, security safeguards, Data protection impact assessment, Data audits, record keeping, Data protection officer, etc.

Section 32 makes it clear that the Data fiduciary shall notify the Authority of any Personal Data breach where such breach is “likely to cause harm” to any Data Principal. So, the burden of proof seems to be on the Data Fiduciary which is good, so that in a large nation like India where the Data Principal may or may not be aware of her rights, this is helpful. Should the Data Principal have this right as well, along with the Data Fiduciary included in section 32?

Significant Data Fiduciaries: Based on the factors such as volume, sensitivity, turnover, risk of harm, the Data Fiduciaries are classified as Significant Data Fiduciaries. Section 38 obligates data protection impact assessment, record-keeping, data audits and data protection officer on Significant Data Fiduciaries. Some of these obligations are necessary for other Data Fiduciaries as well.

Data localisation: Section 40 mandates that every Data Fiduciary shall store the data on a server or a data centre located in India. Some of them have opined that this may lead to State surveillance. But perhaps, this may help in better control over data breaches or emboldening the steps towards artificial intelligence.

Exceptions: One of the most talked about and discussed section of the Draft Bill is Chapter IX. It relates to many exceptions to the Data Privacy obligations for the State / Government in order to protect the national security of the State.

The argument of surveillance is not new. In the year 2007 Indian Telegraph Rules, 1951 were amended and Rule 419A was inserted in the Rules. Rule 491 A was inserted so as to provide the Government with powers under the Act and the Rules to do surveillance, intercept any message and such other powers so as to safeguard the sovereignty of our country. Then in the years 2009 and 2011 respectively, under the Information Technology Act, 2000, The Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 and The Information Technology (Procedures and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2011 were added. These set of rules, deal in depth, with how the Government can intercept, monitor and decrypt computer systems, computer networks, internet messages basically any transmission made through Internet to safeguard our country. National security, is of-course one of the primary roles of the Government.

The Draft Bill also provides wide, discretionary and unfettered powers to the Government and the Data Privacy obligations is sub-servient to the Government’s obligations of security of the State and prevention, detection, investigation and prosecution for contravention of law.

Data Protection Authority of India: The independent regulatory body for data protection, has the power to issue directions, conduct inquiry, call for information, and conduct search and seizure, monitoring and enforcement; legal affairs, policy and standard setting; research and awareness; conducting inquiries, grievance handling and adjudication.

While this is “the” legislation for Data Protection, Section 67 envisages situations of concurrent jurisdiction and provides for a consultative approach in resolving such disputes. Therefore, the Authority has to take into considerations other laws and recommendations provided by other regulators, for example, Ministry of Information and Broadcasting or TRAI (for instance the recommendation published by TRAI on Privacy, Security and Ownership of the Data in the Telecom Sector- Dated 16 July, 2018).

Grievance handling and adjudication:  The proposal of having Appellate Tribunal as a special court, is helpful in a speedy disposal of disputes. The proposal perhaps might have come by, since the Courts are already over-burdened. Every Data Fiduciary should have proper procedures and effective mechanisms to address the grievance of Data Principal which should be resolved in an expeditious manner within a period of 30 (thirty) days. It is heartening to see time-bound approach for resolving disputes.

Penalties and remedies

The Draft Bill provides for penalties which are in consonance with GDPR and the quantum of penalty acts as a deterrent to engage in wrongful acts. It should be seen over time if this deterrence is helpful in mitigating occurrences of breaches or would it increase litigation.  Penalties have been imposed on the following activities:

  • Penalty for failure to comply with Data Principal’s requests under chapter VI of the Draft Bill,
  • Penalty for failure to furnish report, information, etc.
  • Penalty for failure to comply with the directions or orders issued by the Authority
  • Penalty for contravention when no separate penalty has been provided.

Further Section 69 (1), also makes the Data Fiduciary liable if it fails to fulfil the obligations relating to taking prompt action related to data breach or undertaking a data protection impact assessment, or conducting a data audit by a significant data fiduciary or failing to register with the authority. The penalty for Data Fiduciary under this sub-section extends to Rs. 5,00,00,000/- (Rupees Five Crore Only) or 2 (two) per cent of the total worldwide turnover of the preceding financial year, whichever is higher.

Section 69 (2) makes the Data Fiduciary liable for a penalty when it contravenes of any of the requirements as mentioned under this sub-section. The penalty may extend to Rs. 15,00,00,000/- (Rupees Fifteen Crore only) or 4 (four) percent of the total worldwide turnover of the preceding financial year, whichever is higher.

Criminal liability: Not only penalties but imprisonment has also been prescribed. For instance, any person who obtains, transfers or sells personal data which is contrary to the provisions of the Draft Bill would be liable for an imprisonment of not exceeding 3 (three) years or shall be liable for a fine which may extend up to Rs 2,00,000/- ( Rupees Two Lakhs Only) or both.  Further any person who obtains, transfers or sells SPD, would be liable for an imprisonment not exceeding 5 (five) years or shall be liable for a fine which may extend up to Rs 3,00,000/- ( Rupees Three Lakhs Only) or both. There is imprisonment for a term not exceeding 3 (three) years or a fine which may extend to Rs 2,00,000 (Rupees Two Lakhs Only) or both, when any person re-identifies the Personal Data which has been de-identified by the Data Fiduciary or Data Processor or re-identifies and processes such Personal Data without the consent of the Data Fiduciary or Data Processor.

The Draft Bill has made suitable provisions whereby the company and its directors, officers, as well as Central or State Governments along with its head of departments, officers could be made liable for offences committed under this Draft Bill.

Compensation: The Data Principal also has a right to claim compensation from the Data Fiduciary and Data Processor if it contravenes with any provisions of the Draft Bill. Section 76 states that any compensation awarded or penalty imposed under this Draft Bill would not prevent the award of compensation or imposition of any other penalty or punishment under any law for the time being in force.

We have added our thoughts as we discuss the Draft Bill above. The dynamics of this digital economy are changing rapidly, people are using more and more innovative technologies to disrupt the industry and in all of this, the most crucial element is Data. It is rightly said that data is the new oil of this digital economy and therefore this much anticipated Draft Bill is, though late, a step towards regulating use of Data.

Authors: Mr. Manas Ingle and Mr. Anuj Maharana

DISHA: Data Ownership, Security, Consent for health data.

Acting on its vision for a National eHealth Authority (“NeHA”), the Ministry of Health and Welfare had introduced a draft bill for Digital Information Security in Healthcare Act (“DISHA” or “Draft Bill”).

DISHA’s main purpose, as per its preamble is to (i) establish NeHA, State eHealth Authorities (“SeHA”) and Health Information Exchanges; (ii) standardise and regulate the process related to collection, storing, transmission and use of digital health data; (iii) and to ensure reliability, data privacy, confidentiality and security of digital health data”. Our previous note on the overview of DISHA can be read here https://novojuris.com/2018/08/12/disha-the-future-direction-of-digital-health-information-in-india/). In this blog, we are covering aspects of data ownership, security, consent and others that DISHA proposes.

The Draft Bill defines digital health data as electronic data of an individual containing information about the individual’s medical records and health information and such individual would be considered as the owner of the digital health data. DISHA grants rights to owners of digital health data such as:

  1. The right to privacy, confidentiality and security of their digital health data.
  2. The right to refuse or give consent for generation and collection of digital health data by Clinical Establishments (a defined term which you can read in our previous blog here…).
  3. The right to refuse, give or withdraw consent for storage and transmission of digital health data.
  4. The right to refuse consent thereby restricting access to or disclosure of digital health data. However, it is not clear if the Clinical Establishment can still transmit under “reasonable use”, despite refusal by the data owner. It may be noted that reasonable use is used as a wide term.
  5. The right to ensure that the data collected is specific, relevant and not excessive in relation to the purpose sought.
  6. The right to know about the Clinical Establishments or entities which may have access to the data, the recipients to whom data has been transmitted or disclosed.
  7. The right to access the health data including their consent details and access of their data by any Clinical Establishment or any other entity.
  8. The right to possess the right to seek rectification of data by a Clinical Establishment in the form prescribed by NeHA.
  9. The right to necessarily mandate express prior permission before transmission or use of data in an identifiable form.
  10. The right to be notified each time their data is accessed by a Clinical Establishment.
  11. The right to ensure sharing of data with family members in case of health emergency.
  12. The right to prevent transmission or disclosure of sensitive data that may cause distress to the owner.
  13. The right to not be refused health services in case of refusal to give consent for any of the activities or data generation, collection, storage, transmission or disclosure.
  14. The right to seek compensation for damages cause as a result of breach of data.

DISHA lists down the purposes for which data is to be collected, stored, used which are:

  1. Advancement of delivery of patient centred medical care.
  2. Appropriate information for guiding sound medical decisions at time and place of treatment
  3. Improvement of coordination of care and information among hospitals, laboratories, medical professionals through an effective infrastructure for secure and authorised exchange of data.
  4. Improvement of public health activities and facilitation of early identification and rapid response to public health threats, such as disease outbreaks and bioterrorism.
  5. Facilitation of health and clinical research and health care quality
  6. Promotion of early detection, prevention and management of chronic diseases.
  7. Carrying out public health research, policy formulation, review and analysis.
  8. Undertaking of academic research and related purposes.

Under the Draft Bill the usage of personally identifiable information can be undertaken only for advancement of delivery of patient centred medical care, appropriate information for guiding sound medical decisions at time and place of treatment and improvement of coordination of care and information among hospitals, laboratories, medical professionals through an effective infrastructure for secure and authorised exchange of data to extent of ownership rights and in the best interest of the owner. The usage of data for public health related purposes shall be undertaken only after anonymisation and de-identification of data.

No data collected shall be used for any purpose other than what has been prescribed, be provided access to or disclosure of personally identifiable information without express consent of the owner or a statutory or legal requirement. The data collected shall not be used for commercial purpose or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, irrespective of such data being identifiable or anonymised. However, the insurance companies may seek consent of the data owner to access such data for the purpose of processing insurance claims.

A Clinical Establishment may, by consent of the owner, collect the health data after informing the owner about the ownership rights, purpose of data collection, identity of data recipients to whom data may be transmitted or disclosed or who may have access to data on a need-to-know basis. A copy of the consent form is to be provided to the owner. Moreover, an entity that engages in collection of health data would be regarded as the custodian of such data and would be responsible for protection of such data. In case the owner is incapacitated or incompetent to provide consent, the same shall be obtained from a nominated representative, one having legal capacity to give consent. In the event the person becomes competent to give consent, the owner would have the right to seek withdrawal of consent given by nominated representative and seek consent of owner for collection of health data as prescribed by NeHA. This option to consent through a nominated representative extends in the case of collection of health data of a minor as well with the minor having the option to seek withdrawal of consent of the nominated representative to give own consent.

DISHA prescribes that the storage of digital health data so collected would be held in trust for the owner and the holder of such data would be considered as the custodian of data thereby making such holder responsible to protect privacy, confidentiality and security of data. The holder of data could be a Clinical Establishment or a Health Information Exchange.

Storage of digital health data shall be stored only by a Clinical Establishment or a Health Information Exchange and shall be held on behalf of NeHA and shall be subjected to such usage as has been prescribed without compromising on the privacy or confidentiality of such data or owner.

The transmission of digital health data is required to be transmitted by a Clinical Establishment to a health information exchange in an encrypted form for reasonable use as per standards prescribed by NeHA keeping in mind the privacy and confidentiality of the owner. A Clinical Establishment or health information exchange would be allowed to transmit the digital health data only after obtaining the prior consent of the owner and giving information to the owner about their ownership rights and the purpose of collection of data. Moreover, a health information exchange is also under an obligation to maintain registers containing information regarding any and all transmissions of digital health data between Clinical Establishments and health information exchanges and between health exchanges.

The digital data collected, stored or transmitted by a Clinical Establishment or a health information exchange may be accessed by a Clinical Establishment on a need-to-know basis. Access to digital health data may be sought by the governmental departments by their secretaries in de-identified or anonymised form by submitting a request to NeHA in furtherance of public usage of health records. Moreover, access may be granted to digital health data for purpose of investigation into cognizable offences or for administration of justice subsequent to order of a competent court. In the case of emergencies, the Clinical Establishments may be granted access to the digital health data of the patient and the relatives of the owner may also be given access to the data for correct treatment of the owner. Moreover, all Clinical Establishments and health information exchanges are required to maintain registers to record purpose and usage of digital health data so accessed in a manner prescribed by NeHA.

Under DISHA, the Clinical Establishments, health information exchanges, SeHA, NeHA are duty bound to protect the privacy, confidentiality and security of digital health data of the owner. Such duty also extends to an entity which has generated and collected digital health data. Such duty is to be given effect to by undertaking necessary measures to ensure that data collected, stored, transmitted is secured and protected against unauthorised access, use or disclosure and against accidental or intentional destruction, loss or damage.

The Clinical Establishments or health information exchanges are required to notify the owners of data in cases of breach or serious breach of digital health data within 3 (three) working days. The Draft Bill does not clarify if the 3 days is to be calculated from the date of breach or from the date of becoming aware of a breach.

Some observations:

  1. The Draft Bill must identify a competent court that is authorised to pass an order for usage of data.
  2. The Draft Bill fails to provide for a penalty on Clinical Establishments and health information exchanges for storage of incorrect digital health data.
  3. The time of 3 working days for intimation of breach, may have to be 3 days and not necessarily “working” days.
  4. Although the entities have a duty to protect the data of the owner, the duty to notify the owners in cases of breach of information doesn’t extend to entities and has been limited only to Clinical Establishments and health information exchanges.
  5. The Draft Bill must provide for Right to be Forgotten.
  6. The Draft Bill must provide for a cohesive reading with (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, under the Information Technology Act.
  7. We hope that there will be sufficient Rules under the Draft Bill which can provide for specific consent specifically to certain acts and not a blanket consent.
  8. The Draft Bill should provide for specific time period for record maintenance.

Author : Mr. Spandan Saxena

DISHA – The future direction of digital health information in India

The Ministry of Health and Welfare in the year 2015 published a note on establishing a National eHealth Authority (“NeHA”) to regulate the emerging usage of electronic mediums in healthcare, especially for maintenance of e-Health records and digital health information across India. The goal of NeHA is “to ensure development and promotion of eHealth ecosystem in India for enabling, the organization, management and provision of effective people-centred health services to all in an efficient, cost-effective and transparent manner”.

The Ministry Health and Welfare (“Ministry”), eHealth Department has been working on developing international standards for creating, maintaining and storing of eHealth records. There were circulars in 2013 and 2016 providing guidelines and specific standards to be adopted and implemented by hospitals, medical professionals and other stakeholders in the healthcare industry, which were not mandatory, but definitely a step forward in digitising health care records.

Innovations in integrating healthcare and technology is helping a large population to access healthcare. Acting on its vision for NeHA, the Ministry had introduced a draft bill for Digital Information Security in Healthcare Act (“DISHA” or “Draft Bill”).

DISHA’S main purpose, as per the pre-amble is to (i) establish NeHA, State eHealth Authorities (“SeHA”) and Health Information Exchanges; (ii) standardise and regulate the process related to collection, storing, transmission and use of digital health data; (iii) and to ensure reliability, data privacy, confidentiality and security of digital health data”.

DISHA aims to have a national as well state level implication and aims to regulate the digital health data in a federal structure i.e. NeHA being a central and an apex authority under the Bill established by the Central Government as per the provisions of this Bill and SeHA being a state level authority established by the respective State Governments. Further the Central Government shall establish as many Health Information Exchanges as necessary. Further under the act there has to be National level and State level executive committees which will aid and assist NeHA and SeHAs in the performance of their functions under DISHA.

DISHA, is applicable to clinical establishments which includes medical institutions and individuals performing and providing any kind or form of medical and healthcare services excluding hospitals owned and operated by the army, navy and the air force. However, it includes clinical establishments which are owned and operated by government or a department of government.

Further these clinical establishments can only collect digital health information for certain particular purposes which are more or less related to providing medical and healthcare services to owners of the digital health information. DISHA makes clear that digital health in any form i.e. whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for commercial purposes.

The Draft Bill enumerates the functions of NeHA and SeHA (“Authorities”) which are to:

  • formulate standards, guidelines and protocols for generation, collection, storage and transmission of the digital health data.
  • define protocols to safeguard the data from any theft or breach and to provide for data security measures at each level of processing of data, which shall at least include access controls, encryption and audit trails.
  • lay down protocols for transmission of digital health data to and receiving it from other countries.
  • provide for standards for establishing necessary norms and standards for certifying digital healthcare data systems and stakeholders.
  • conduct regular checks and investigations to ensure compliance with law.

One of the key aspects of DISHA is to establish Digital Health Exchanges; digital health information exchange (“DHIE”) allows doctors, nurses, pharmacists, other health care providers and patients to access and securely share a patient’s vital medical information electronically—improving the speed, quality, safety and cost of patient care. Any and all transmission of digital health information will happen through these exchanges. The intention under DISHA is to store and keep all the digital health data in these DHIEs located across India. This can only be possible if the digital health information is standardised i.e. it is maintained in same format by all and therefore the Ministry primarily introduced the eHealth record standards and now through DISHA wants to integrate the eHealth records and provide the whole digital healthcare system a proper structure under these DHIEs. It would be good if the Government can aggressively promote data centres across India.

Under the Draft Bill, DHIEs will be monitored and controlled by their respective Chief Health Information Executive whose duties primarily will be to take care of the DHIEs day to day affairs, to access and further transmit the digital health information appropriately as transmitted by clinical establishments, notify the data breach to a data owner and store the data appropriately.

At the outset this looks like a fairly centralised system of data storage and therefore the same may be vulnerable to cyber threats and data breaches. One of the ideas that can be considered is to store eHealth records using block-chain technology to make the DHIEs more secure.

DISHA elaborates ways to protect the data and has brought in the concept of “data ownership” i.e. digital health data under the Draft Bill is explicitly owned by the person of whose digital health data is generated and processed. Section 31 of the Draft Bill, states that individuals are the owners of the digital health data and clinical establishments and DHIEs are custodians of the digital health information and have a duty of trust to maintain confidentiality and security of such data.

The Draft Bill explicitly describes the roles and responsibilities at the time of collection of data, transmission, anonymisation and de-identification of data. The data owner has to provide explicit consent to various actions that can be taken on the data. The Bill also provides individuals with a right to rectify their digital health data which might be inaccurate and incomplete, a right to have obtain explicit consent in each and every instance of transmission of data, right to be notified, right to prevent disclosure of digital health data under certain circumstances, right to not to be refused of any health services.

A breach under DISHA is of two types, (i) breach of digital health data and (ii) Serious breach of digital health data. Serious breaches are detailed to include cases where a person or an entity or a clinical establishment breaches digital health data intentionally or if digital health data is used for commercial purposes, or breach occurs where the digital health data was not in de-identified or anonymized form.

Punishment for a breach of digital health data is that “A person shall be liable to pay damages by way of compensation to the owner of the digital healthcare data in relation to which the breach took place”. Serious breaches are punishable with imprisonment as well.

While DISHA appears to be conceived with the right intent, there are certain aspects which has to be thought through in more depth.

  • The many mobile apps which collects huge amounts of health data in order to provide tracking/monitoring for the users or apps which are aggregators of medical practitioners and providers or apps which are market-places for medical practitioners, pharmacists etc. or apps which connect medical practitioners with patients. These apps are not part of the definition of “Clinical Establishment” to whom the law applies.
  • With India proposing new legislation for data protection and privacy, it has to be seen how this Draft Bill inter-relates.
  • It is believed that block-chain technology might help in keeping the data secure. This is already being used in Estonia.
  • DISHA prohibits the use of digital health information for commercial purpose, whether in anonymized or de-identifiable form. However, operationalizing of collection and transmission should be more robust and India has seen “Aadhar” related mis-use of personal data.
  • Sharing of data on “need to know basis” seems wide and it would be essential to perhaps either through the Rules under the Draft Bill can make it more specific.
  • Compensation for data breaches, including adjudication has to have some specific and strict timelines.

DISHA is definitely a right direction but should have to maintain the fine balance in enabling innovation in health-care, government’s requirement of data, protecting the data-owners’ rights in a swift and efficient manner, making it easy for the medical practitioners and other stakeholders in the healthcare industry to make this robust.

Over the next blog, we will detail the consent, information that can/ cannot be collected etc.

Author: Manas Ingle