The Ministry of Electronics and Information Technology (“MeitY”) has released a draft of the Personal Data Protection Bill, 2018 (“Bill”), which was prepared by a committee constituted under the Chairmanship of Justice B.N. Srikrishna
Applicability: The Bill applies to processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India, by a private or a government entity. In respect of processing by fiduciaries that are not present in India, the Bill shall apply if such processing is in connection with any business carried on in India activities such as profiling of data principals in India. The Bill extends to any personal data collected, used, shared, disclosed or otherwise processed by anybody corporate incorporated under Indian law or an Indian citizen will be covered, irrespective of whether it is actually processed in India.
Data Protection: Data protection is the process of safeguarding personal information from corruption, compromise or loss.
The Data Protection Authority of India (DPA): will be an independent regulatory body is responsible for the enforcement and implementation of the law.
Data Principal: the individual, who’s personal data is being processed, stored or collected.
Data Fiduciary: the entity who is in possession of the personal data of the data principal, for the purposes of storing, collecting and processing such principal’s data. Data fiduciaries are not limited only to persons who are processing data electronically, but even those persons who are processing, collecting or storing data physically.
Processing: The DPA will issue specific guidelines for processing of various categories of personal data and sensitive personal data in various contexts. Sensitive personal data will include passwords, financial data, health data, official identifier, sexual orientation, biometric and genetic data, and data that reveals transgender status, gender, caste, tribe, religious or political beliefs or affiliations of an individual.
Consent: Consent will be a lawful basis for processing of personal data. For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn.
As a general rule, a copy of all personal data must be stored in India. The Government may issue rules specifying that certain categories of data can only be stored or processed in India.
Obligations of data fiduciaries: All processing of personal data by data fiduciaries must be fair and reasonable and for purposes which are clear, specific and lawful. A data fiduciary is obliged to provide notice to the data principal at the time of the collection of her personal data. The DPA will be notified when there is a data breach and in certain circumstances, to the data principal also.
Data principal rights: The right to confirmation, access, correction and data portability. The right to be forgotten provides a data principal the right against the disclosure of her data when the processing of her personal data has become unlawful or unwanted.
Transfer of personal data outside India: Other than critical personal data, all cross-border data may be transferred or processed on the basis model contract clauses containing key obligations. Critical personal data, as notified by the central government, will be subject to the requirement to process only in India. Personal data will however have permitted to be transferred for reasons of prompt action or emergency, such as for medical reasons.
Exemptions: Processing of personal or sensitive personal data if it is necessary in the interest of the security of the state, and for prevention, detection, investigation and prosecution of contraventions of law, are exempted. For enforcing a legal right or claim, for seeking any relief, defending any charge, opposing any claim or for obtaining legal advice from an advocate in an impending legal proceeding would be also exempted from the application of the Bill.
A mandatory approval requirement has been imposed on data processors who process data which carries a risk of significant harm to data principals. Such processors are required to implement Trust Scores, Data Audits as well as a Data Protection Impact Assessment.
The Bill introduces the concept of “privacy by design”, where privacy principles prescribed by the Bill are to be built into technology and operating systems of data fiduciaries and not be implemented as a reaction to new legal or other contractual requirements.
Appeals: An appellate tribunal will hear any appeal against an order of the DPA. Appeals against orders of the appellate tribunal will lie with the Supreme Court of India.
Penalties: Significant penalties of up to 2%-4% of global turnover in some cases and other monetary penalties in the range of USD 728,000 and USD 21,85,000, depending on the nature of harm and type of data which has been breached, may be imposed on data fiduciaries and compensation may be awarded to data principals for violations of the data protection law. In addition, the Bill also imprisonment for certain types of data violations. A person aggrieved by any action in violation of the Bill may also apply to the DPA seeking compensation for the harm caused.
Impact: The Bill is a welcome step towards the establishment of a statutory framework for privacy protection in India. However, the nature of obligations imposed on the data fiduciaries is in many instances ambiguous and onerous. The Bill contemplates the issuance of further guidelines and codes of conduct by the Government to facilitate the implementation of the Bill. This could lead to misalignment between genuine principles of data protection and commercial consequences such as costs and compliance required to satisfy future directions by the Government. MeitY will be required to have a wide range of discussions with stakeholders on the Bill so as to provide data fiduciaries with certainty as to the obligations that are required to be satisfied. MeitY, it is hoped, will also provide a sufficient window for data fiduciaries to put in place systems for complying with the provisions of the Bill.