In the race to regulate the way organisations collect, handle, store, disclose, process and transfer the personal data of citizens, residents or consumers, the European Union introduced the GDPR (General Data Protection Regulation) in 2018, followed by California's CPRA (California Privacy Rights Act), Singapore's PDPA (Personal Data Protection Act, 2012), Canada's PIPEDA (Personal Information Protection and Electronic Documents Act) and many more. India, too, followed suit and introduced its own data protection bill, the PDPB (Personal Data Protection Bill), in 2019.
Currently in draft form, PDPB 2019 was tabled in the Indian Parliament by MeitY (Ministry of Electronics and Information Technology) on December 11, 2019. Before its enactment into law, it is being reviewed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders. As of the writing of this article, the JPC issued its report on the proposed law on November 22, 2021, and the report is set to be presented together with PDPB 2019 in the Winter Session of Parliament. The committee proposed over 200 amendments, including renaming the PDPB to the Data Protection Bill 2021 (since the data it covers comprises both personal and non-personal data).
The Bill proposes to amend the Information Technology Act, 2000 (Section 43-A) by deleting the provisions relating to compensation payable by companies for failure to protect personal data. The Bill proposes to protect the privacy of individuals in relation to their personal data, specify the flow and use of personal data, protect the rights of data fiduciaries, establish trust between data fiduciaries and data controllers, lay down norms for social media intermediaries, create a framework for processing such personal data, and establish a Data Protection Authority of India for these purposes and for matters concerning the personal data of an individual.
The Bill seeks to protect personal data pertaining to the identity, characteristics, traits and attributes of a natural person. The scope of personal data under the PDPB is much wider than under the GDPR. Covering both online and offline mediums, it includes name, contact number, web browsing history, cookie ID, etc. Sensitive personal data includes health data, financial data, official identifiers, sexual orientation, intersex status, biometrics, passwords, genetic data, caste, and philosophical, religious or political beliefs, among others. The PDPB authorises the central government to designate certain personal data as "critical personal data" without placing any restriction on how the government makes that designation.
Divided into fourteen chapters, PDPB 2019 is too lengthy to be grasped easily. In this blog, we explain its salient features:
Scope of Application
PDPB applies to the processing of personal data that’s collected, disclosed, shared, or otherwise processed within the territory of India;
- By any Indian company, citizen of India, or the State (as defined under Article 12 of the Indian constitution);
- By foreign companies carrying out any business in India or offering goods or services to data principals within India or profiling data principals within India.
The PDPB does not apply to the processing of anonymised data, nor to non-personal data processed to enable better targeting of service delivery or the formulation of evidence-based policies by the Central Government. It also does not cover the processing of personal data of foreign data principals by data processors incorporated under Indian law.
Data Protection Authority
The Bill proposes the formation of a Data Protection Authority of India (DPA). The DPA's primary duty is to issue regulations implementing the provisions of the Bill, protect the interests of individuals, prevent the misuse of personal data, ensure compliance with the Bill and promote awareness of data protection. Its other duties and responsibilities include:
- Examining data audit reports;
- Receiving and addressing complaints;
- Monitoring cross-border transfers of data;
- Advising governments on data protection aspects;
- Formulating regulations to enforce the provisions of the Bill;
- Initiating prompt, appropriate action in case of data breaches;
- Monitoring innovations in technology and commercial practices that may affect data protection practices.
Transfer of Personal Data outside India
The PDPB allows personal data to be transferred outside India for processing on the condition that it must still be stored in India and that the relevant data principal has given explicit consent for that processing. Critical personal data may not be transferred at all, as it may be processed only within Indian territory. Unless the transfer is necessary for the performance of a lawful contract, a transfer of personal data must also meet additional conditions, including:
- The DPA approves the necessity of the transfer;
- The transfer is made in accordance with a scheme approved by the DPA;
- The transfer is made to a country, a sector within that country, or an international organisation approved by the Government of India (GOI).
The Bill offers no clarification regarding the transfer of non-personal data. However, in the absence of any such provision, it can be presumed that no restriction is imposed on the transfer and processing of non-personal data.
Fiduciary and Processor Obligations
Under the PDPB, what the GDPR calls a data controller is referred to as a data fiduciary. A 'data fiduciary' is any person, company, juristic entity (including the State) or individual who, alone or in conjunction with others, determines the purpose and means of processing personal data.
The PDPB also mentions a special class of fiduciaries called 'significant data fiduciaries'. Depending upon the volume of personal data, turnover, and the sensitivity of the personal data being processed, the DPA holds the right to decide who should be placed in this special class.
Processing of personal data by a data fiduciary or data processor is subject to certain purpose, collection and storage limitations, including:
- Processing must be for a specific, clear and lawful purpose;
- Consent must be obtained from the data principal for the processing;
- Collection of personal data must be limited to the data necessary for the processing;
- Before processing the sensitive personal data of children, the data fiduciary must verify their age and obtain parental consent;
- Personal data may be retained only for the purpose for which it is processed and must be deleted at the end of the processing;
- Explicit notice must be given to the data principal for the collection or processing of personal data. This notice must include the organisation's name and contact details, the purpose of processing, the data being collected, the parties with which the data will be shared, the duration for which the data will be stored, and the right to withdraw consent.
In addition to complying with the principles above, data fiduciaries are also required to:
- Report data breaches to the DPA;
- Prepare privacy by design policies;
- Audit their policies, and their conduct under those policies, every year;
- Implement security safeguards (e.g. data encryption);
- Maintain transparent records of their processing activities;
- Appoint a data protection authority for advising and monitoring purposes;
- Have effective grievance redressal mechanisms in place to address complaints from individuals;
- Conduct a DPIA (Data Protection Impact Assessment) when new technology is used for processing, or when the sensitive data of a significant number of data fiduciaries is involved in the processing.
Rights of the data principal
Right to confirmation & access
Data principals have the right to obtain from the data fiduciary:
- What personal data has been processed;
- The procedure for withdrawal of consent;
- The purpose for which their personal data is processed;
- The nature and categories of personal data collected;
- Confirmation of whether their personal data is being processed;
- The identities of the parties with whom their personal data has been shared;
- A brief summary of the processing activities that have been undertaken.
Right to Rectification and Erasure
Data principals are entitled to have inaccurate or misleading data corrected, incomplete data completed, old data updated, and personal information which is no longer necessary for the purpose it was processed erased.
Right to be Forgotten
The Bill also grants data principals the right to be forgotten, allowing them to prevent the disclosure of their personal data where:
- The disclosure was made in contravention of applicable law;
- The consent given for the disclosure has been withdrawn;
- The disclosure has served the purpose for which it was made or is no longer required.
Right to data portability
Data principals have the right to receive, in a structured, commonly used and machine-readable format, a copy of the data they provided to the data fiduciary, data generated in the course of the provision of any goods or services, and data processed by automated means, whether for their own use or for transfer to another data fiduciary.
Other rights include the right to object/opt-out and the right not to be subject to automated decision-making.
Processing of Personal Information without consent
Data fiduciaries may process the personal data of data principals only with their consent. However, the Bill also provides some exceptions under which personal data can be processed without consent, including:
- Legal proceedings;
- Purposes pertinent to employment;
- Responding to a medical emergency;
- Processing needed by the State to provide subsidies or governmental benefits;
- Processing by a court or tribunal in India in the exercise of any judicial function;
- Processing necessary for reasonable purposes such as prevention of fraud, mergers and acquisitions, whistleblowing, network and information security, credit scoring, recovery of debt, etc.
The following factors need to be considered when determining whether a purpose for processing personal data is reasonable:
- The interests of the data fiduciary;
- The public interest in the processing;
- Whether consent can reasonably be obtained;
- The effects the processing will have on the individual;
- Whether the individual would reasonably expect the processing.
The central government also holds the power to exempt any of its agencies from the Bill if it is satisfied that doing so is "necessary and expedient" and that:
- It is in the interest of the sovereignty and integrity of India, the security of the State, or friendly relations with foreign states;
- It will prevent incitement to the commission of any cognizable offence.
Introduction of Data Trust Score
One of the key concepts introduced in PDPB 2019 is the 'Data Trust Score' (DTS). The DTS reflects the level of trust that can be placed in a Data Fiduciary in terms of its compliance with data protection norms. A significant Data Fiduciary must undergo an annual audit of its policies and processing activities by an independent data auditor. Based on the audit results, the data auditor may assign the significant Data Fiduciary a rating in the form of a Data Trust Score.
In addition to the above, PDPB 2019 also proposes to create a mechanism by which Data Fiduciaries can take advantage of a "Regulatory Sandbox" to test new technology with lower enforcement risk. To be eligible for participation, Data Fiduciaries must have their Privacy by Design policies certified by the DPA and published on both the Data Fiduciary's and the DPA's websites.
Risk of non-compliance with PDPB
The PDPB sets out two different tiers of penalties and compensation:
- For failure to fulfil its obligations, a data fiduciary may be punished with a penalty of up to Rs. 5 crore or 2% of its total worldwide turnover of the preceding financial year, whichever is higher;
- Data processing carried out in violation of the provisions of the PDPB may be punished with a fine of up to Rs. 15 crore or 4% of the data fiduciary's annual turnover, whichever is higher.
Selling personal data in a way that causes harm to an individual, processing de-identified personal data, or re-identifying it without consent may put a data fiduciary behind bars for up to three years.
India's PDPB is set to become the toughest data privacy law in the world. Its enactment will secure the privacy sphere and raise the data protection morale of individuals countrywide. Before it finally sets sail, companies should review and update their data protection policies, have a privacy notice and policy in place, review their data protection mechanisms, and plan ways to meet data principals' rights requests.
We at Data Secure (DATA SECURE – Privacy Automation Solution) can help you understand Privacy and Trust when dealing with personal data, and provide Privacy Training and Awareness sessions to increase the privacy quotient of your organisation.
We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as required by legal and regulatory privacy frameworks across the globe, and in particular India's PDPB 2019. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).
For a demo or presentation of solutions for Data Privacy and Privacy Management under the EU GDPR, CCPA or Draft India PDPB 2019, and for Secure Email transmission, kindly write to us at firstname.lastname@example.org or email@example.com.
To download various Global Privacy Laws, kindly visit the Resources page at DATA SECURE – Privacy Automation Solution.