Evolution of the Bill
27 July, 2018 MeitY released Justice BN Srikrishna Committee Experts’ report on Data Protection as well as the first draft of the Personal Data Protection Bill, 2018
Constructing the Bill
Bill in a Nutshell
a. What is the Personal Data Protection Bill?
The Personal Data Protection Bill, 2018, is legislation passed to protect the personal data of individuals and to regulate the collection, usage, transfer, and disclosure of the data.
The bill has recognized the right to privacy as a fundamental right and it makes individual’s (Data Principal) consent central to data sharing. Without an individual’s explicit consent, his personal data can neither be shared nor processed.
b. Why is it important?
Data breaches in 2018 compromised the personal information of millions of people around the world with T-Mobile, Quora, Google, and Orbitz as some of the biggest victims. Facebook dealt with a slew of major incidents that impacted more than 100 million users.
With a billion population, India is the second largest market of internet users. Large amount of data is being collected and processed every day by public and private players. The data also crosses our national borders with no statutes to control collection, processing and supervision of the data.
The Personal Data Protection Bill 2018 in India follows the implementation of the GDPR and has also taken cues from the legal frameworks in other countries.
c. Objectives of the Bill
d. Who will be impacted by the bill?
- private and government sectors.
- any business carried in India
- Goods and services offered to data principals in India
- Any activity involving profiling of Indians
The law will not have a retrospective application and it will come into force in a structured and phased manner.
- Phase 1: Sections on establishing the DPA and the power to make rules and regulation are proposed to come into immediate effect
- Phase 2: DPA is proposed to be set up in 3 months
- Phase 3: Grounds for Processing Personal Data notified, and codes of practice issued in 12 months.
- Phase 4: The operative provisions of the Bill are only to come into effect 18 months from the date of enactment
f. Roles provided under the Personal Data Protection Bill, 2018
- Data Principal: natural person to whom the personal data relates to.
- Data Fiduciary: Any State, company or individual who alone or in conjunction with others determines the purpose and means of the processing of personal data.
- Data Processor: Any State, company, or individual who processes personal data on behalf of a data fiduciary.
g. Rights of Data Principal
- Right to confirmation, access and rectification: (Section 24 ), a data principal can approach a data fiduciary and confirm if his data is being processed by him, receive a copy of the personal data held by him, and information on the processing being done with it.
- Right to rectification: (Section 25), the data principal can have the data corrected, completed or updated as necessary. All of these except for the receipt of information on processing activities must be provided free of charge
- Right to data portability: (Section 26) the Bill allows a data principal to have his data transferred in a commonly used, machine-readable format. This includes transfer to another data fiduciary and may be exercised for a charge. Further, this right applies only when the processing is automated. It also does not apply to processing by the State under Section 13 or in compliance with the law under Section 14.
- Right to be forgotten: (Section 27). This is a right to prevent the disclosure of certain data, as opposed to the right to erasure as provided under the General Data Protection Regulations (GDPR). It refers to individual’s ability to limit, delink, delete or correct the personal data that is misleading, embarrassing, irrelevant, or anachronistic
- Right to transparency: The right to transparency has been provided via the requirement for a notice and as well as through transparency obligations under section 30
Penalties and remedies
Penalties range from INR 50 million or 2 percent of total worldwide turnover to INR 150 million or 4 percent of the total turnover
Personal Data : Data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information
Sensitive Personal Data : means personal data revealing, related to, or constituting, as may be applicable— (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe;
Data Fiduciary : means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;
Data Principal : The natural person to whom the personal data relates
Processing : in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction
Grounds for Processing
- Personal Data :
- Sensitive personal data :
- Explicit consent
- Compliance with any law or any order of the court
- Prompt action
- Functions of the state
Steps that organizations should take to make their business compliant
- Make privacy part of your organization’s DNA
- Define personal and sensitive personal data
- Revisit and redefine the process of collecting personal data
- Limit storage of personal data
- Perform age verification to ensure data subjects are older than 18
- Audit data security safeguards
- Take data breach incidents seriously
- Establish and/or update informational notices and consent mechanisms
- Obtain parental consent before processing children’s personal data
- Localize your organization’s personal data