Right to Privacy and Personal Data Protection Bill, 2018
Since the Personal Data Protection Bill, 2018 came into light, it has created significant discussions amid the arbitration community and its implications to arbitration have been previously discussed on SEAL. In this regard, it becomes important to analyze the interplay of Right to privacy with the government’s prerogative to protect personal data, which further extends to arbitral proceedings as well.
The jurisprudence around the Right to privacy has been received with open arms. Some states where the right did not find expression in their constitutions have endorsed, through legal ratiocinations, the right to privacy in specific provisions, while other states with more recent constitutions spelled out the right with mathematical exactitude in their constitutions. States have been increasingly adopting privacy laws, which also deals comprehensively with the zeitgeist of the Information Technology age. India’s tryst with the right to privacy has found an appreciable epilogue: the misjudgements in M.P. Sharma v. Satish Chandra (“M.P. Sharma”) and Kharak Singh v. State of U.P. (“Kharak Singh”) have been corrected in Justice K.S. Puttaswamy (Retd.) v. Union of India. (“Puttaswamy”). The constitutional benches in M.P. Sharma and Kharak Singh opined that the importation of the right to privacy under the Indian constitutional scheme is impermissible. Interestingly, the dissenting opinions of Subba Rao and Shah, JJ. in Kharak Singh case found resonance with the judicial ratiocination in Puttaswamy. In spite of the constitutional recognition of the right to privacy, India’s privacy statute, the obsolete Information Technology Act, 2000, does not cut the mustard: it is riddled with insufficiencies and inadequacies. Against the backdrop of the legal issues around AADHAR and WhatsApp and Facebook’s privacy policies, the Government of India, with a view to revamp the privacy law, set up a Committee of Experts (“CoE”) under the auspices of Justice (Retd.) B.N. Srikrishna. The CoE was tasked with putting on the table a novel privacy statute and, after year-long ruminations, the Personal Data Protection Bill, 2018 (‘Draft Bill’) was made public. Still and all, after more than a year, the Draft Bill has not seen the light of the day.
The Draft Bill, fractionally, speaks the language of the General Data Protection Regulation (“GDPR”), European Union’s (“EU”) latest data protection regime that overthrew the EU’s Directive on Protection of Individuals with regard to the Processing of Personal Data and on the free movement of such Data. The bill proposes broad-ranging definitions of personal data and sensitive personal data, horizontal applicability, insofar it casts legal obligations on both the government and private entities, extra-territorial application to data fiduciaries or data processors outside India and establishment of a Data Protection Authority. The Draft Bill pinpoints, with statutory diktat, the permissible grounds for processing personal data, sensitive personal data and personal and sensitive personal data of children, legal prescriptions for the processing of such data, the statutory rights and data protection obligations of data principal and accountability procedures. It also delineates the legal contours of data localisation and transfer of personal data outside India. The Draft Bill has gone through a fine-tooth comb by the stakeholders; it has been both accoladed and criticized (in specific, the exemption clause and the stringency of punishment for contravention of its provisions).
Commercial Arbitration and Personal Data Protection Bill, 2018
The Draft Bill’s EU’s counterpart, the GDPR, necessitates strict adherence to its demands by the courts and other judicial authorities (recital 20), and as a necessary corollary, arbitration falls within its ambit. In a nutshell, any processing of data during the course of dispute resolution, including commercial arbitration, ought to be conducted keeping in mind the demands of GDPR. The Draft Bill, similarly, will have seismic effect on arbitration in India for two reasons: first, the CoE’s Report in Annexure C, which catalogues statutes that will be influenced by the Draft Bill’s data protection requirements, itemises Arbitration and Conciliation Act, 1996 (the “Arbitration Act”) and second, the expansive definitions of ‘personal data’, ‘sensitive personal data’ and ‘processing’ hint at the fact that ‘data processor’ and ‘data fiduciary’ can be both corporate and juristic entities. Despite the fact that voluminous personal data in the form of disclosure of materials, evidence, pleadings, transfer of documents to third parties such as arbitrators, legal counsels, experts, witnesses and institutions are handed over in a commercial dispute, both the CoE’s Report and the White Paper, fall short of an exposition on the intercourse between the Personal Data Protection Bill, 2018 and commercial arbitration. In absence of such clarification, the arbitrators, arbitration tribunals and arbitration institutions, in addition to the parties, run a risk of exposing themselves to the penal provisions of the Draft Bill; processing of personal data by the parties and its consequent collection and storage by the arbitration tribunal need to pay attention to the statutory demands.
Personal Data Protection Bill, 2018 and Independence of Judiciary
Since the implementation of the GDPR from May 2018, legal scholarship has raised its eyebrows at the administrative scrutiny by a supervisory authority of the judicial functions: the concerns of administrative infraction of the independence of judiciary haunted the legal fraternity. The GDPR foresaw the said concern and in consequence, in Recital 20, entrusted the task of data processing supervision to specified bodies within the judicial apparatus of the member states. The Draft Bill, like its EU twin, fascinates a Data Protection Authority, which shall be administrative in nature, regardless of the mannerism of the appointment of members. Resultantly, disquiet about the administrative intrusion in the independence of the judiciary, which is an indispensable feature of the Constitution, it will rope the legal community into knocking at the doors of the writ jurisdiction of the higher judiciary.
Arbitration and Exemption Clause
Chapter IX of the Draft Bill contains a plethora of processing activities that can avail exemption, in toto or in part, from the statutory mandates. In Clause 44(1), discount under exemption clause is afforded to ‘Processing for the purpose of legal proceedings’:
Where disclosure of personal data is necessary for enforcing any legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding such processing shall be exempted from the following provisions of this Act— (a) Chapter II, except section 4; (b) Chapter III; (c) Chapter IV; (d) Chapter V; (e) Chapter VI; and (f) Chapter VII, except section 31.
A swift reading of the clause indicates that divulgence of personal data that is not ‘necessary for enforcing any legal right or claim, seeking relief, defending any charge, opposing any claim, or obtaining any legal advice’ ought not fall within the purview of the exemption clause. The fact that arbitration shall be a consumer of clause 44(1) of the Draft Bill, it is predicated that arbitration will be contemplated as ‘legal proceedings.’ The jurisprudential dichotomy between legal proceedings and judicial proceedings as illustrated in General Officer Commanding v. CBI calls for inclusion of arbitration in ‘legal proceedings’.
Statutory Obligations Applicable to Commercial Arbitration
Arbitration, even if it profits from Clause 44(1), ought to be in adherence to Clause 4 of Chapter II, Clause 31 of Chapter VII and Chapter VIII of the Draft Bill. In the context of Clause 4 of Chapter II, the processing personal data of the data principal in the course of arbitration ought to honor the Puttaswamy case and statutory obligation of fairness and reasonableness. The participants in arbitration must come up with an unambiguous data protection policy whereby clients are acquainted with the fact of usage of their personal data, retention of their data for future use and, in the specific case of international arbitration, transfer of such data outside India. Furthermore, the arbitration tribunals ought to gingerly minister to the collection and storage of personal data of the participants and plug data leakages to concretize confidentiality. In other words, the tribunals must hold in high esteem the rights of the data principal.
Despite the fact that consent is a sine qua none for arbitrability of a dispute, consent is essential to process personal data under the GDPR throughout the arbitral proceedings. On the downside, such consent can be a puppet in the hand of the parties to render infructuous the proceedings: consent can be withheld at any stage. To remedy the situation, GDPR contemplates deemed consent in light of Article 6(1)(f), Article 6(1)(b) and Article 6(1)(c). Article 6(1)(b) provides legality to the processing of personal data insofar the processing is necessary for the performance of a contract. Article 6(1)(c) contemplates deemed consent while processing data which is indispensable to effectuate a legal obligation to which the controller is subject. Lastly, Article 6(1)(f) foresees a circumstance where it is quintessential to process data for “the purposes of the legitimate interests pursued by the controller or by a third party”. However, the Draft Bill steers clear of such complexities due to the reason that by virtue of the exemption clause i.e. Clause 44(1), the consent for data processing in legal proceedings including arbitral proceedings is not required due to the non-applicability of Chapter III.
Clause 31 of Chapter VII obligates the data processor and data fiduciary to ‘implement appropriate security safeguards including — (a) use of methods such as de-identification and encryption; (b) steps necessary to protect the integrity of personal data; and (c) steps necessary to prevent misuse, unauthorized access to, modification, disclosure or destruction of personal data’. It has been recommended that, firstly, the law firms, in lieu of client’s personal data, must put in place a robust code of conduct for employees and data security protocol, and, secondly, the arbitration tribunals ought to be careful with data received in electronic forms. In furtherance, the arbitral tribunals ought to undertake a review of its security safeguards periodically lest it shall attract penal sanctions for seepage of personal data of the data subject and dishonoring their data privacy concerns.
The statutory requirements couched in Chapter VIII, in precise Clauses 40 and 41, in respect of cross-border data transfer too apply to arbitration, especially foreign-seated arbitrations. The Draft Bill requires ‘explicit consent’ of the data principal in case of sensitive personal data and the Central Government’s nod in international transfer of data. It will add to the tedious procedural rigmarole in international arbitration.
Since the coming into force of the EU’s GDPR, a significant volume of legal erudition has sieved through the impact of GDPR on international arbitration. The exhaustive demands of the GDPR with regards the processing of data and its dovetail with arbitration have been under scholarly lens: the arbitration landscape has been influenced vastly by the data protection regime of the E.U. On the same line, India is contemplating a data protection law and it shall have legal reverberations on the arbitral proceedings, both domestic and international. Since the Personal Data Protection Bill, 2018 will soon be translated into a statute, it is imperative to scrutinise meticulously the effects of India’s proposed data security regime on arbitration. Such discourse gains pertinence due to the fact the both the CoE’s Report and the White Paper have kept mum on the Draft Bill’s dealings with arbitration.
– Manas Raghuvanshi is a law graduate from Jindal Global Law School (O.P. Jindal Global University, Sonipat) and is currently working as a Legal Associate at the Chambers of Mr. Ajit Nair (Delhi High Court)