As a natural corollary to the growing infusion of technology into everyday economic transactions, it becomes imperative to safeguard every individual's personal data against insecurity at each stage of collection, storage, processing, utilisation and disclosure. While data protection first became relevant with the Information Technology Act, 2000 and the recognition of the Right to Privacy, a specialised statutory regime has only been sought to be established with the introduction of the Personal Data Protection Bill, 2019, which aims to put data protection on a statutory footing in India.
Scope of the Personal Data Protection Bill
Essentially, the Bill identifies informational privacy, manifesting as personal data, as an "essential facet" of the fundamental Right to Privacy. It sets out provisions to regulate the processing of personal data within Indian territory, or by the Indian Government, entities incorporated under Indian law and Indian citizens, or outside Indian territory where there is some tangible connection with India. Under the Bill, a data principal is the individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as the data fiduciary. The Bill has a wide application and brings within its ambit everything from e-commerce, social media and IT companies to brick-and-mortar shops, real estate companies, hospitals and pharmaceutical companies.
Rights of Data Principal
The PDPB also lays down the rights of the data principal, the person whose data is being collected and processed by the data fiduciary, so as to require stricter compliance from the first stage of processing to the last. All information conveyed to data principals must be in a clear and unambiguous manner.
Right of Confirmation and Access
The right to confirm whether their personal data is being processed and to access information about that processing.
Right to Correction and Erasure
The right to have the data they have shared corrected or erased.
Right to be Forgotten
The right to have the data they have shared erased.
Right to data portability
The data principal has the right to have their data transferred to any other data fiduciary.
- To ensure accountability, the Bill provides a comprehensive outline of the obligations of the entities that decide the means and purpose of data processing, with corresponding penalties for violations.
- Processing of personal data is prohibited except for a specific, clear and lawful purpose. Under these provisions, processing is subject to purpose, collection and storage limitations.
- Grievance redressal mechanisms must also be implemented to address complaints from individuals.
- Certain entities are separately categorised as significant data fiduciaries, based on criteria such as the volume of data processed and the turnover of the fiduciary.
- These fiduciaries carry additional obligations, including accountability measures such as conducting a data protection impact assessment before any large-scale processing of sensitive personal data (which includes financial data, biometric data, caste, and religious or political beliefs).
- The Bill also provides for transparency and accountability measures such as the Privacy by Design Policy, which every data fiduciary must have in place.
Privacy By Design
Every organisation should prepare a Privacy By Design Policy, setting out:
- the managerial, organisational and business practices and technical systems adopted to avoid harm to the data principal
- the obligations of the data fiduciary
- that the technology used in the processing of personal data is in accordance with commercially accepted or certified standards
- that the legitimate interests of the business, including any innovation, are achieved without compromising privacy interests
- the protection of privacy throughout processing, from the point of collection to the deletion of personal data
- that personal data is processed in a transparent manner
- that the interest of the data principal is accounted for at every stage of the processing of personal data
Reporting Data Breaches
The data fiduciary shall inform the Data Protection Authority of any breach of personal data where the breach is likely to cause harm to the data principal.
The notice should contain the following information:
- nature of personal data which is the subject-matter of the breach;
- number of data principals affected by the breach;
- possible consequences of the breach; and
- action being taken by the data fiduciary to remedy the breach.
The Bill relies on financial penalties to enforce compliance with these obligations. Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher. Failure to conduct a data audit is punishable with a fine of Rs 5 crore or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or a fine, or both.
Lastly, the Personal Data Protection Bill provides for the establishment of the Data Protection Authority and puts an adjudication mechanism in place through Adjudicating Officers. The Authority will have members with expertise in fields such as data protection and information technology. Any individual not satisfied with the grievance redressal provided by the data fiduciary can file a complaint with the Authority. Orders of the Authority may be appealed to an Appellate Tribunal, and from there appeals lie to the Supreme Court.
Benefits of the PDPB Implementation Program
- Comply with Indian privacy law efficiently and effectively.
- Recognise, assess and strategise the handling of personal data within your organisation.
- Adapt, improve and leverage your existing privacy compliance in order to comply with the PDPB.
- Manage policies and notices and maintain data privacy structures within the organisation.
If you are a company situated in India that provides services globally, in regions such as the US, the Middle East or the EU, please check the privacy programs we provide here.