The Personal Data Protection Bill, 2019 ("PDPB") was introduced in the Lok Sabha by the Minister of Electronics and Information Technology on December 11, 2019. The purpose of this Bill is to provide for the protection of the privacy of individuals in relation to their Personal Data and to establish a Data Protection Authority of India for that purpose and for matters concerning the personal data of an individual. The Bill proposes to supersede Section 43-A of the Information Technology Act, 2000, deleting the provisions relating to compensation payable by companies for failure to protect personal data. The PDPB, inter alia, prescribes the manner in which personal data is to be collected, processed, used, disclosed, stored and transferred.

The PDPB proposes to protect "Personal Data" relating to the identity, characteristics, traits or attributes of a natural person, and "Sensitive Personal Data" such as financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political beliefs.

I.  Applicability: The PDPB proposes to apply to the processing of personal data that has been collected, disclosed, shared or otherwise processed within the territory of India:

(a) by the government, any Indian company, any citizen of India or any person or body of persons incorporated in India, and

(b) by foreign companies dealing with the personal data of individuals in India.

The PDPB shall not apply to the processing of anonymised data, other than anonymised data or other non-personal data that is to be provided to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.[1]

II. Obligations of Data Fiduciary[2]:

The processing of Personal Data will be subject to certain purpose, collection and storage limitations, such as:

  • Processing only for a specific, clear and lawful purpose.
  • Collection of Personal Data shall be limited to such data that is necessary for the purposes of processing.
  • Notice is required to be given to the individual/data principal for collection or processing of personal data.
  • Personal data shall be retained only for the purpose for which it is processed and shall be deleted at the end of the processing.
  • Consent is required to be taken from the data principal at the commencement of the data processing.
  • Data Fiduciary must verify the age and obtain parental consent when processing sensitive personal data of children.

In addition, data fiduciaries must undertake certain transparency and accountability measures, such as:

  • prepare a privacy policy,
  • take necessary steps to maintain transparency in the processing of personal data,
  • implement security safeguards (such as data encryption and prevention of misuse of data),
  • notify the Authority of any breach of personal data,
  • audit their policies and the conduct of those policies every year,
  • undertake a data protection impact assessment where a significant data fiduciary[3] undertakes processing that involves new technologies or sensitive personal data,
  • in the case of a significant data fiduciary, appoint a data protection officer to advise on and monitor the activities of the data fiduciary, and
  • institute grievance redressal mechanisms to address complaints of individuals.

III. Processing of Personal Data without consent:

The Bill permits processing of data by fiduciaries only if consent is provided by the individual. There are certain exceptions under which Personal Data can be processed without consent, such as: (i) where required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) responding to a medical emergency, (iv) employment-related purposes, and (v) where necessary for reasonable purposes such as prevention of fraud, mergers and acquisitions, recovery of debt, etc.

IV. Rights of an Individual / Data Principal[4]:

The Bill sets out certain rights of the individual (or data principal), which include the right to:

(i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate or incomplete personal data, or updating of personal data, (iii) data portability: have their personal data transferred to any other data fiduciary in certain circumstances, and (iv) the right to be forgotten: restrict the continuing disclosure of their personal data by a fiduciary if it is no longer necessary or consent is withdrawn.

V.  Data Protection Authority: The Bill proposes a Data Protection Authority of India which shall take steps to protect the interests of individuals, prevent misuse of personal data, ensure compliance with the Bill, and promote awareness about data protection. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals against an order of the Tribunal can be filed at the Supreme Court.

VI. Restrictions on Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicit consent is given by the individual, and subject to certain additional conditions. However, such sensitive personal data must continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.

VII. Exemptions: The central government has the power to exempt any agency of the Government from the applicability of the Act if it is necessary for:
  1. the interest of the sovereignty and integrity of India, the security of the State, and friendly relations with foreign states, or
  2. preventing incitement to the commission of any cognisable offence relating to the above matters.

Processing of personal data is also exempted from the provisions of the Bill for certain other purposes, such as: (i) prevention, investigation or prosecution of any offence, (ii) personal or domestic purposes, (iii) journalistic purposes, or (iv) research, archiving or statistical purposes.

VIII. Risk of non-compliance with the PDPB: There are two tiers of penalties and compensation:
  1. Failure of the data fiduciary to fulfil its data protection obligations may be punishable with a penalty which may extend to Rs. 5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.
  2. Processing data in violation of the provisions of the PDPB is punishable with a fine of Rs. 15 crores or 4% of the annual turnover of the data fiduciary, whichever is higher.

Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or a fine, or both.

CONCLUSION

Once the PDPB is enacted into an Act, organizations processing personal data will have to comply with several requirements in order to protect the privacy of individuals in relation to their Personal Data.

Consent of the individual will be required for the processing of personal data. Depending on the type of personal data being processed, organizations will have to review and update their data protection policies and codes to ensure these are consistent with the revised principles: for example, updating their internal breach notification procedures, implementing appropriate technical and organisational measures to prevent misuse of data, appointing a Data Protection Officer (in the case of a Significant Data Fiduciary), and instituting grievance redressal mechanisms to address complaints by individuals.

Footnotes

[1] Section 91(2): The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

For the purposes of this sub-section, the expression "non-personal data" means the data other than personal data.

[2] Section 13 defines "Data Fiduciary" as any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

[3] A fiduciary may be notified as a "significant data fiduciary" based on factors such as: the volume and sensitivity of the data processed, the turnover of the fiduciary, the risk of harm from processing, and the use of new technology for processing, etc.

[4] Section 14 defines "Data principal" as the natural person to whom the personal data relates, "person" being defined in subclause (28); Section 28 defines "Person" as: (i) an individual, (ii) a Hindu undivided family, (iii) a company, (iv) a firm, (v) an association of persons or a body of individuals, whether incorporated or not, (vi) the State, and (vii) every artificial juridical person.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.