Data Protection Services in India

As a natural corollary to the growing infusion of technology into regular economic transactions, it becomes imperative to safeguard every individual personal data from potential insecurity in the process of collection, storage, processing and utilisation or disclosure. While the prospects of data protection became relevant with Information Technology Act, 2000 and recognition of Right to Privacy, a specialised statutory regime has only been sought to be established with the introduction of the Personal Data Protection Bill, 2019 to establish data protection in India.

Scope of the Personal Data Protection Bill

Essentially, the Bill identifies informational privacy manifesting as personal data as an “essential facet” of the fundamental Right to Privacy. It sets out provisions to regulate the processing of personal data within Indian Territory or by the Indian Government, entities incorporated under Indian law and Indian citizens or outside Indian Territory but with some tangible connection in India. Under the Bill, a data principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as data fiduciary. This bill has a wide application and includes within its ambit everything from e- commerce, social media, IT companies, to brick-and-mortar shops, real estate companies, hospitals, and pharmaceutical companies.

Rights of Data Principal

The purpose of PDPB is also to lay down the rights of the data principal, the person whose data is being collected and processed by data collector to allow for stricter compliance from the initial stages to the last. All information conveyed to the data principals should be in a clear and unambiguous manner.

Right of Confirmation and Access
The right to confirm and access the information regarding their data being processed.

Right to be Correction and Erasure
The right to call for correction and erasure of their data shared by them.

Right to be Forgotten
The right to call for erasure of their data shared by them.

Right to data portability
The data principal has the right to transfer his data to any other data fiduciary.

Compliance Obligations

To ensure accountability, the bill provides a comprehensive outline of obligations of the entities responsible for deciding the means and purpose of data processing, with corresponding penalties for violations.
Processing of personal data is prohibited except for any specific, clear and lawful purpose. Under these provisions, processing of data is mandated to be subject to certain purpose, collection and storage limitations.
Grievance redressal mechanisms must also be implemented to address complaints of individuals.
There is a separate categorization of certain entities as significant data fiduciaries which is based on certain criteria such as volume of data processed and turnover of fiduciary.
There are additional obligations on these fiduciaries that include accountability measures such as conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data (includes financial data, biometric data, caste, religious or political beliefs).
The Bill also talks of transparency and accountability measures such as the Privacy by Design Policy which has to be in place for all data fiduciaries.

Privacy By Design

Every organisation should prepare a Privacy By Design Policy, containing:

the managerial, organisational, business practices and technical systems to avoid harm to data principal
the obligations of data fiduciaries
the technology used in the processing of personal data is in accordance with commercially accepted or certified standards
the legitimate interests of businesses including any innovation is achieved without compromising privacy interests
the protection of privacy throughout processing from the point of collection to deletion of personal data
the processing of personal data in a transparent manner
the interest of the data principal is accounted for at every stage of processing of personal data

Reporting Data Breaches

The Data protection authority shall be informed about a breach of any personal data by the data fiduciary, where such data breach may cause harm to the data principal

The notices should contain the following information:

nature of personal data which is the subject-matter of the breach;
number of data principals affected by the breach;
possible consequences of the breach; and
action being taken by the data fiduciary to remedy the breach.

Penalties

The Bill focuses on financial penalties to regulate compliance with the obligations. Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher. Secondly, the failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Punishment of imprisonment of up to three years, or fine, or both has been provided for the re-identification and processing of de-identified personal data without consent.

Enforcement Mechanism

Lastly, the Personal data Protection Bill provides for establishing the Data Protection Authority and sets an adjudication mechanism in place with Adjudicating Officers. This Authority will have members with expertise in fields such as data protection and information technology. Any individual not satisfied with the grievance redressal by the data fiduciary can file a complaint to said Authority. There is a mechanism for appeal of such Orders of the Authority to an Appellate Tribunal and from there the Appeals will go to the Supreme Court.

Benefits of the PDPB Implementation Program

Comply with Indian Privacy Laws efficiently and effectively.
Recognize, Access and Strategize Personal Data within your organization
Adapt, Improvise and leverage your existing privacy compliance in order to comply with the PDPB.
Policy and Notice Management and maintain data privacy structures within the organizations.

If you are a company situated in India, and provide services globally, in regions such as US, Middle East or EU, please check our privacy programs provided as provided here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.