Objectives of the Personal Data Protection Bill
Many privacy professionals consider the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018, the cornerstone of privacy regulation. The GDPR harmonizes data protection and privacy requirements across the EU. Many other countries have either implemented data protection requirements or are in the process of considering them.
India, too, is taking steps to enact a data protection framework modeled along the lines of the GDPR. The proposed law, called the Personal Data Protection Bill, incorporates many elements of the GDPR. These include requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected. In addition, it includes data localization requirements and the appointment of data protection officers within organizations.
Based on the core principle that “the right to privacy is a fundamental right,” the objectives of the Bill are to “ensure growth of the digital economy while keeping personal data of citizens secure and protected,” and “to create a collective culture that fosters a free and fair digital economy.”
The Personal Data Protection Bill is a commendable step towards data protection in general and is very much needed at this time, especially when considering the contribution to global internet traffic from Indian territory. When enacted, the Bill will provide a comprehensive, cross-sectoral privacy and data protection framework for India.
The proposed Bill will have serious implications for technology and digital services companies that do business in the country because it proposes certain mandatory provisions that have both financial implications and a significant effect on the business models and modus operandi of such internet-based service providers.
Data Principal means the natural person to whom the personal data relates.
Data Fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
Data Processor means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary. It does not include an employee of the data fiduciary.
Data Protection Authority of India is the authority to be established by India’s Central Government to implement the new legal regime as well as to adjudicate on breaches of the law and determine the appropriate penalties under the Bill.
What is personal information?
A draft of the Bill makes reference to three categories of data:
- personal data that refers to any data about or relating to a data principal
- sensitive personal data, which includes health and genetic data, biometrics, caste or tribe data, passwords, etc.
- critical personal data which remains undefined but can be specified by the central government.
The processing of data relating to children is also restricted, while irreversibly anonymized data is exempt from the law.
The Bill proposes that the law apply to the processing of personal data:
- within the territory of India by Indian data fiduciaries and data processors
- by foreign data fiduciaries and data processors where personal data is processed by them in connection with:
  - any business carried on in India
  - the systematic activity of offering goods or services to data principals within the territory of India
  - any activity that involves the profiling of data principals within India.
The Bill takes into account the extraterritorial application of Indian data protection laws to companies without any establishment or physical presence in India. This is a significant legislative development that will, if implemented, have far-reaching implications for companies doing business in India.
Data principal rights
The Bill has introduced key data principal rights, such as the right to be forgotten, the right to confirmation and access, the right to data portability, and the right to correction. It is important to note that equivalent rights are also enshrined in other data protection regulations, such as the GDPR or the California Consumer Privacy Act (CCPA); therefore, businesses operating beyond Indian borders may already have mechanisms in place to respond to requests from data principals looking to exercise such rights.
Key compliance requirements
The Bill introduces several compliance requirements for data fiduciaries and, in some cases, data processors.
- The collection and processing of personal data should only be for purposes that are clear, specific and lawful.
- Clear notice is required to be provided at the time of collection of personal data specifying details such as the purpose of processing and the categories of personal data being collected. The notice must also mention the individuals or entities with whom personal data will be shared. The notice is required to be provided in a manner that is easily comprehensible and in multiple languages, where necessary and practicable.
- Reasonable steps are required to be taken to ensure that the personal data processed is complete, accurate, not misleading and kept up to date. Personal data should be retained only for as long as it may be reasonably necessary to satisfy the purpose of processing.
- Data localization is an important obligation, whereby at least one serving copy of personal data is required to be stored on a server or data center located in India. Furthermore, the central government has the power to issue a notice setting out certain critical personal data which is mandatorily required to be processed in a server or data center located in India.
- Security safeguards are required to be implemented and periodically reviewed considering the nature, scope and purpose of processing of personal data. Some of the measures prescribed include de-identification and encryption.
- Data fiduciaries may also be designated as ‘significant data fiduciaries’ by the Data Protection Authority based on certain parameters such as the volume of personal data processed, or the sensitivity of personal data processed. These entities will have additional obligations such as registration with the Data Protection Authority, appointment of a data protection officer, conducting data audits, data impact assessments, and record keeping.
Cross-border data transfers
The Bill introduces a restrictive regime for transfers of personal data out of India to third countries. Under the Bill, cross-border data transfers are only possible where:
- The transfer is subject to standard contractual clauses or intragroup schemes, in each case as approved by the Data Protection Authority.
- The central government, after consultation with the Data Protection Authority, determines that certain countries/sectors are permissible locations/recipients of data transfers.
- Consent of the data principal (explicit consent in the case of sensitive personal data) has been obtained.
- The Data Protection Authority approves a transfer due to a situation of necessity.
Data breach notifications
The Bill includes mandatory data breach notifications for all data fiduciaries. The Data Protection Authority would have to be informed of any breaches that are likely to harm data principals. While the Bill does not specify a deadline for the notification, the Data Protection Authority can clarify this point and set a time limit within which a data breach notification must be made. It is also up to the Data Protection Authority to decide whether data principals must be notified of the breach, what remediation actions should be taken and whether details concerning the data breach would be published on its website.
Organizations failing to provide notification of data breaches or to meet their obligations as a significant data fiduciary would be fined up to approximately 52 million INR (USD 730,000) or 2% of a company’s global revenue.
Unlawful cross-border data transfers, failure to provide notices to data principals along with a legitimate basis for processing or processing the data of children in contravention of the Bill would lead to even more serious fines: up to approximately 191 million INR (USD 2.7 million) or 4% of a company’s global revenue.
The penalties are not only financial: the sale of personal data that results in significant harm to a data principal, or the re-identification of anonymized data, would result in criminal penalties.
Getting ready to comply with the Personal Data Protection Bill
While it is essential to have a data regulation policy to protect the rights of the real owners of personal data, we also need to maintain an environment where such data can be used with proper consents for the benefit of industry, governments, and society as a whole. Organizations that will be impacted by this Bill will need to assess current policies and practices to identify gaps.
Until the law is enacted, businesses should look to:
- Include privacy as a measure for risk assessment.
- Enhance data security measures.
- Establish information notice and consent mechanisms.
- Define and inventory personal and sensitive data.
- Understand data flows for the collection and processing of personal data.
- Develop a culture of privacy by raising awareness through training programs.
- Establish a robust framework of top privacy principles.
There are several artificial intelligence (AI)- and machine learning (ML)-based tools and solutions available to help organizations comply with the proposed guidelines in this Bill. Since information is collected from different sources, businesses must take a risk-based approach to data protection to best assess and mitigate risks.
For more information on how Thales can help you meet data protection regulations, please download our eBook on Addressing Data Security Compliance Requirements.