Currently in India, the use of individuals' personal data is regulated by the Information Technology (IT) Act, 2000 and the Rules made thereunder. These Rules specify security safeguards for data processing, including the collection, disclosure and transfer of information; however, they have not kept pace with the development of the digital economy. They lack a robust framework for protecting the privacy of personal data, which is essential to the right to privacy of individuals. This led India to create its first law to govern data, and the European Union's General Data Protection Regulation (GDPR) served as a ready template.
In a landmark judgment in the matter of Justice K.S. Puttaswamy and another Vs. Union of India (August 2017), a nine-Judge Constitutional Bench of the Supreme Court declared "privacy" a fundamental right under Article 21 of the Constitution.
During the case, a "Committee of Experts on Data Protection" chaired by Justice B.N. Srikrishna was constituted by the Government to examine the issues relating to data protection and recommend methods of addressing them. The resulting Personal Data Protection Bill was introduced in Lok Sabha on December 11, 2019. The Bill seeks to protect the privacy of individuals' personal data, create a regulatory framework for the organisational and technical measures needed to process data securely, and establish a Data Protection Authority (DPA) for supervision and enforcement. It finds its basis in the following three elements:
- The right to privacy is a fundamental right
- The growth of the digital economy makes data a critical means of communication
- The necessity to create and foster a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.
JURISDICTION AND APPLICABILITY
- The law shall apply to the processing of personal data that has been collected, disclosed, shared or otherwise processed within India, or by any company or person incorporated or created under Indian law.
- Where data fiduciaries or data processors are not present in India, the law shall apply to those carrying on business in India or any activity which involves profiling of data principals within India.
- The law will not have retrospective application, i.e. it will not apply to any processing activity completed before it comes into effect. However, processing that is still ongoing after the law comes into force will be covered by it.
DATA PROTECTION AUTHORITY OF INDIA (DPA)
- The Central Government shall appoint a Data Protection Authority to protect the interests of data principals, prevent misuse of personal data and ensure effective enforcement of this law.
- Composition: a Chairperson and not more than six whole-time members.
- Qualifications: at least one of the members shall have qualification and experience in law.
- Term: a one-time appointment for 5 years or until they attain the age of 65 years, whichever is earlier.
- The DPA shall specify codes of practice to promote good practices of data protection, facilitate compliance with obligations under this Act and have the power to issue directions, call for information and conduct inquiry into the affairs of a data fiduciary or processor.
IMPACT ON CORPORATES
- Companies operating in India will have to make various operational and structural changes for compliance, and significant changes in the way digital business is handled.
- E-commerce entities and social-media-based businesses will feel the direct impact of the new legal ecosystem, as people share sensitive personal data on platforms such as mobile apps, webinar platforms, virtual meetings, net banking and e-wallets.
- Users must be informed of what type of data is being collected and the purpose for which it will be used.
- Corporates may retain personal data only for as long as is necessary to satisfy the purpose for which it is processed, and shall delete it at the end of the processing.
- How companies protect personal data is now a boardroom discussion, and reframing business practices will be an immediate requirement once the Bill comes into force.
KEY DEFINITIONS
- Data Fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data
- Data Principal means the natural person to whom the personal data relates
- Data Processor means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary
- Personal Data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling
- Sensitive Personal Data is currently defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; the proposed law gives it a wider definition that includes health, genetic and financial data, transgender status, intersex status, caste or tribe, and religious or political belief or affiliation. Further, the Central Government can notify additional categories of personal data as sensitive personal data on the basis of the risk of significant harm that their processing may cause to the data principal.
- Significant Data Fiduciary means any data fiduciary, notified as such by the DPA on the basis of defined parameters, that is capable of causing harm as a consequence of its data processing activities.
OBLIGATIONS OF DATA FIDUCIARIES
- Ensure data processing for specific and lawful purposes, with the express consent of the data principal
- Inform the data principal of the purpose of data processing, the categories of personal data collected, the details of the data fiduciary and Data Protection Officer, the data retention period, etc.
- Implement and periodically review security safeguards, such as de-identification and encryption, to protect the integrity of personal data and prevent misuse, unauthorised access, modification, disclosure or destruction of personal data
- Notify the Data Protection Authority (DPA) of any personal data breach that is likely to cause harm to a data principal
- Execute a contract prior to engaging, appointing, using or involving a data processor to process personal data on its behalf
- Establish an effective Grievance Redressal mechanism and resolve complaints within 30 days from the date of receipt of a complaint
- Prepare a privacy by design policy containing its obligations, systems designed to anticipate, identify and avoid harm to the data principal, technology used for data processing and end-to-end processing cycle.
OBLIGATIONS OF SIGNIFICANT DATA FIDUCIARIES
- Register with the Data Protection Authority of India
- Undertake data protection impact assessment
- Maintain records relating to the data life-cycle including collection, transfers and erasure of personal data, periodic review of security safeguards and data protection impact assessments
- Ensure annual audit of policies and conduct of processing personal data by an independent data auditor
- Appoint a Data Protection Officer (DPO) based in India
RIGHTS OF INDIVIDUALS (DATA PRINCIPALS)
- Right to confirmation and access: To obtain from the data fiduciary
  - Personal data of the data principal that has been processed or is being processed, or a summary thereof
  - Confirmation whether personal data of the data principal has been processed
  - Identities of the data fiduciaries with whom their personal data has been shared, including the categories of personal data so shared.
- Right to correction and erasure: Require the data fiduciary to correct, complete, update or erase personal data that is inaccurate, incomplete, out-of-date or no longer necessary for the purpose for which it was processed
- Right to data portability: Receive personal data in a structured and machine-readable format where data processing is through automated means
- Right to restrict data disclosure: Restrict continuing disclosure of personal data by a data fiduciary, where such disclosure is no longer necessary or the related consent has been withdrawn by the data principal.
To exercise these rights, the data principal shall submit a written request to the data fiduciary, either directly or through a consent manager (a data fiduciary, registered with the Authority, which enables a data principal to give, withdraw, review and manage their consent through an accessible, transparent and interoperable platform).
Recent times have witnessed major corporations being fined enormously due to non-compliance with regional data protection laws.
With increasing dependency on technology, rise in user generated data and organisations collecting personal data of clients, employees, job-seekers and other associated individuals, there is an urgent need to fast track the passing of the Personal Data Protection Bill.
Businesses will have to closely examine their data handling processes, observe mindful data collection, establish a comprehensive and robust data protection framework and demonstrate commitment not just at the management level, but also invest in sensitizing and creating awareness across the entire organisation.
EXEMPTIONS
The Central Government may exempt any government agency from the provisions of the Bill in respect of the processing of personal data:
- in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
- for preventing incitement to the commission of any cognizable offence relating to above mentioned matters
Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as:
- prevention, investigation, or prosecution of any offence
- enforcement of legal rights
- personal or domestic purpose
- journalistic and research purposes
ACCOUNTABILITY AND BURDEN OF PROOF
- For any processing undertaken by it or on its behalf, the data fiduciary shall be responsible for complying with the provisions of Personal Data Protection Act
- The burden of proof that consent has been given by the data principal for processing of personal data shall be on the data fiduciary.
DATA HANDLING WITHOUT CONSENT
Personal data may be processed without consent in certain circumstances:
- By the State, for service or benefit to the data principal, legal proceedings, medical emergencies or during disaster or breakdown of public order
- For purposes of recruitment, termination or any activity relating to the assessment of data principal, who is an employee of the data fiduciary
- For other reasonable purposes such as whistle blowing, debt recovery, prevention and detection of any unlawful activity including fraud.
RESTRICTION ON TRANSFER OF PERSONAL DATA OUTSIDE INDIA
- Sensitive Personal Data shall be stored in India but may be transferred outside India with the explicit consent of the data principal
- Critical Personal Data (personal data as may be notified by the Central Government) shall only be processed in India, but may be transferred outside India to a person or entity involved in the provision of health or emergency services.
SANDBOX FOR ENCOURAGING INNOVATION
- To encourage innovation in artificial intelligence, machine-learning or any other emerging technology in public interest, the Authority shall create a Sandbox
- Any data fiduciary, with a certified privacy by design policy, shall be eligible to apply for inclusion in Sandbox.
PENALTIES AND OFFENCES
- Processing or transferring personal data in violation of the law: fine up to Rs. 15 Crore or 4% of the worldwide annual turnover of the data fiduciary, whichever is higher
- Failure to conduct a data audit, respond to a data breach, register with the Authority or appoint a DPO: fine up to Rs. 5 Crore or 2% of the worldwide annual turnover, whichever is higher
- Failure to comply with data principal requests: fine of Rs. 5000/- for each day the default continues, subject to a maximum of Rs. 10 lakh in the case of significant data fiduciaries and Rs. 5 lakh in other cases
- Re-identification and processing of de-identified personal data (where identifiers have been removed) without consent: punishable with imprisonment up to 3 years, or a fine up to Rs. 2 lakh, or both
- Other contraventions, such as failure to furnish information or to comply with an order issued by the DPA, attract fines; the general penalty may extend to Rs. 1 crore in the case of significant data fiduciaries and Rs. 25 lakh in other cases.
GRIEVANCE REDRESSAL MECHANISM
- A data principal may raise a complaint to:
  - The DPO, in the case of a significant data fiduciary;
  - An officer designated to resolve complaints, in the case of any other data fiduciary
- The complaint shall be resolved by the data fiduciary within 30 days from the date of receipt
- The data principal may approach the DPA in case of rejection, delay in complaint redressal or unsatisfactory complaint resolution by the data fiduciary.
THE PERSONAL DATA PROTECTION BILL, 2019
List of Allied Laws Impacted by a Draft Data Protection Law
The Srikrishna Committee Report identified a list of 50 statutes that would be impacted by a data protection law in India. Please refer to the Annexure.
|AREA OF LAWS|NAME OF ACT / LAW|
|---|---|
|Corporate and Financial Laws| |
|Information Technology Laws| |
|Land and Taxation Laws| |
|Criminal Justice Laws| |
|Symbols, Records & Statistics Laws| |
|Labour and Employment Laws| |