The Indian Government introduced the Personal Data Protection Bill, 2019 in Parliament in December 2019. The Bill seeks to regulate how personal data is collected, processed and stored, and to protect the personal data of individuals. It also proposes an independent regulator, the Data Protection Authority (DPA), to enforce the law.
In 2017, the Supreme Court of India declared that the right to privacy is a fundamental right protected under the Constitution. This landmark judgement came about as a result of privacy concerns related to Aadhaar. After demands for a comprehensive data protection legislation, the government formed a committee in 2017 to study data protection issues and to propose legislation for it.
In 2018, that committee published a draft Personal Data Protection (PDP) Bill, intended to regulate data privacy in India. The draft was revised, approved by the Union Cabinet in December 2019 and then introduced in Parliament. The EU’s General Data Protection Regulation (GDPR) has influenced many of the Bill’s key principles.
Scope of Applicability
The Bill governs the processing of personal data that is collected, disclosed, shared or otherwise processed within the territory of India. This includes personal data processed by the Government, any Indian company, or any citizen of India. Almost all businesses operating in India fall within the scope of the Bill; the main carve-out is for small entities that process data manually and meet the other conditions the Bill and the DPA set for that exemption.
The Bill also applies to personal data processed by foreign data fiduciaries and processors where the processing is connected with business carried out in India, with goods or services offered to individuals in India, or with the profiling of individuals in India.
Personal data refers to any data about or relating to a person who is directly or indirectly identifiable. It pertains to characteristics, traits, attributes or features whether online or offline, which can be used to identify an individual. This is similar to the definition of personal data in GDPR.
The Bill categorises certain personal data as sensitive personal data. This includes financial data, health data, biometric data, genetic data, caste or tribe, sexual orientation, religious or political beliefs, and any other category the Government notifies. A further category, critical personal data, is mentioned in the Bill but not defined; it is left to the Central Government to notify what falls under it. It nonetheless carries its own obligations, notably that it must be processed only in India.
Data Principal: The PDPB uses the term data principal (data subjects under the GDPR) to refer to any natural person the personal data relates to.
Data Fiduciary: Another term introduced in the Bill is data fiduciary. It refers to any person, including the State, a company, or any entity that determines the purpose and means of processing of personal data. Data fiduciary is similar in concept to the data controller of the GDPR.
Data Processor: Any person, including the State, a company, or entity who processes personal data on behalf of a data fiduciary is a data processor.
Obligations of Data Fiduciary
Data fiduciaries can process personal data only for specific, clear and lawful purposes, and only for the purpose the data principal consented to (or for one of the grounds on which consent is not required). Personal data is to be collected only to the extent necessary for that purpose. Processing must also be fair and reasonable and must respect the data principal’s privacy.
Every data fiduciary must provide notice at the time of collecting personal data. The Bill lists the information the notice has to contain: the purposes for which the personal data will be processed, the nature and categories of data being collected, the contact details of the data fiduciary and its data protection officer, the data principal’s right to withdraw consent, and the procedure for withdrawing it.
As with data controllers under the GDPR, data fiduciaries must inform the individual of the source of the data when it is not collected directly from them. The notice must also cover any sharing of personal data with third parties, any cross-border transfer of the data, the retention period (or the criteria used to determine it), and the individual’s rights and the procedure for exercising them.
Grounds of Processing Personal Data
Similar to the GDPR’s lawful bases for processing, the Personal Data Protection Bill sets out the grounds on which personal data may be processed. Consent of the data principal is the primary ground; the Bill also permits processing without consent on the following grounds, which are described in more detail under “Exemptions from consent” below:
- Consent of the data principal
- State functions and legal compliance
- Employment purposes
- Reasonable purposes
The Personal Data Protection Bill draws heavily from the GDPR in defining consent. It requires that personal data be processed only after obtaining consent from the individual whose data is collected, and it defines what makes consent valid: consent must be free, informed, specific, clear and capable of being withdrawn.
For consent to be specific, the individual must be able to determine the scope and purpose of the processing when giving it. For consent to be clear, it must be given through an affirmative action. Individuals must be able to withdraw consent, and withdrawing it must be as easy as giving it was.
If data fiduciaries process sensitive personal data, the consent has to be explicitly obtained. Individuals have to be informed about the purpose of collecting this data and of any likely risk of sharing this data. The said information should be given in clear terms “without recourse to inference”.
An individual consenting to the use of sensitive personal data must be able to consent separately to each category of data being collected. Provision of goods or services must not be made conditional on consent to processing that is not necessary for that purpose. The burden of proving that valid consent was obtained lies with the data fiduciary.
The Bill also classifies a special category of data fiduciaries – consent managers. They are entities through which users can give, withdraw, review and manage their consent. Consent managers are required to register with the DPA.
The Indian Personal Data Protection Bill shares key similarities with the concept of consent underlined in the GDPR. So, businesses should adapt best practices such as effectively managing cookie consent. CookieYes is a cookie consent solution that helps make businesses and websites compliant with data privacy regulations such as GDPR (Europe) and CCPA (California).
Exemptions from consent
The PDP Bill sets out certain grounds on which personal data may be processed without consent.
State functions, legal compliance: The State can process personal data without consent for the provision of any service or benefit to the individual that is authorised by law, for the issuance of any certificate, licence or permit, for compliance with any law or with any order or judgment of a Court or Tribunal in India, and to respond to a medical emergency, an epidemic or a disaster, or to maintain public order.
Employment: Employers can process personal data (but not sensitive personal data) of employees and prospective employees for specified purposes, such as recruitment or termination, provision of services or benefits, verifying attendance, or assessing performance.
Reasonable purposes: The Bill allows the DPA to specify “reasonable purposes” for which personal data may be processed without consent, after weighing the interests of the data fiduciary against the rights of the data principal. The activities listed include the prevention and detection of unlawful activity including fraud, whistleblowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data, and the operation of search engines.
Rights of Individuals
The Bill sets out certain rights of the individual (the data principal). These include:
Right to confirmation and access. Individuals have the right to confirm whether a data fiduciary has processed their personal data, to access that data, and to obtain a brief summary of the processing activities the fiduciary has undertaken concerning it.
Right to correction and erasure. Individuals can ask data fiduciaries to correct inaccurate, incomplete or out-of-date personal data. They can also request the erasure of personal data that is no longer necessary for the purpose for which it was processed.
Right to data portability. This right applies where processing is carried out by automated means. Individuals can ask the data fiduciary to provide, in a structured, commonly used and machine-readable format, the personal data they supplied, the data the fiduciary generated about them in the course of providing goods or services, and any other personal data about them obtained from other sources. They also have the right to have their personal data transferred to another data fiduciary.
Right to be forgotten. Individuals have the right to restrict or prevent the continuing disclosure of their personal data by a data fiduciary where the data is no longer necessary for the purpose, where consent has been withdrawn, or where the disclosure was contrary to law. Unlike the other rights, this one is exercised through an order of the Adjudicating Officer rather than a request to the fiduciary.
To exercise the other rights, individuals make a written request to the data fiduciary, either directly or through a consent manager. The data fiduciary must acknowledge the request within the period specified by regulations and may charge a fee for handling it.
Key Provisions of Personal Data Protection Bill
Data Protection Authority
The Government will establish a Data Protection Authority (DPA) of India. The DPA will protect the interests of data principals, prevent misuse of personal data, and ensure compliance with the provisions of the Act. It will also promote awareness, specify codes of practice for data protection and facilitate compliance with the Act’s obligations. The DPA will have the power to issue directions, call for information, and conduct inquiries into data fiduciaries and processors.
Privacy by design
Data fiduciaries have to prepare a privacy by design policy. It should describe the managerial, organisational and business practices and the technical systems put in place to protect personal data, the fiduciary’s obligations under the law, the technology used in processing and whether it meets certified standards, and how privacy is protected throughout the processing, among other things. The policy may be submitted to the DPA for certification.
Transparency in processing
Organizations must maintain transparency in processing personal data and make the relevant information available to individuals. This includes the categories of personal data collected and the purposes of processing (including processing that is exempt from consent), and information about any cross-border transfers of personal data. Individuals must also be informed of their rights and the methods to exercise them, including the right to file a complaint against the data fiduciary.
Security safeguards
Data fiduciaries must assess the risks associated with processing personal data, taking into account the likelihood and severity of the harm the processing could cause. They are required to implement appropriate security safeguards, such as de-identification and encryption, and to take the steps necessary to protect the integrity of personal data and to prevent its misuse, unauthorised access, modification, disclosure or destruction. These safeguards must be reviewed periodically.
Data breach reporting
Organizations must notify the DPA of any personal data breach that is likely to cause harm to a data principal. The notice must include the nature of the personal data breached, the number of data principals affected, the possible consequences of the breach, and the action the data fiduciary is taking to remedy it. The DPA then decides, after assessing the severity of the incident, whether the breach should be reported to the affected individuals and whether the fiduciary must take further remedial action.
Significant data fiduciary
The DPA can notify any organization as a significant data fiduciary depending on the volume, sensitivity of personal data processed, turnover of the data fiduciary, use of new technologies for processing and any possible risk of harm by processing. Also, every significant data fiduciary has to appoint a data protection officer.
Social media intermediaries
The Government can classify social media intermediaries as significant data fiduciaries if the platforms have users above a certain threshold, and the platforms’ actions can affect electoral democracy, security of the state, public order, or sovereignty and integrity of India. A social media intermediary is “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”.
Transfer outside India
The Bill restricts the transfer of sensitive personal data and critical personal data outside India. Critical personal data, which the Central Government will define by notification, may be processed only in India. Sensitive personal data may be transferred outside India for processing, but a copy must continue to be stored in India. Such a transfer requires the explicit consent of the data principal and, in addition, must be made under a condition the Bill specifies, such as a contract or intra-group scheme approved by the DPA.
Personal data of children
Before processing the personal data of a child (a person under 18 years of age), organizations must verify the child’s age and obtain the consent of a parent or guardian. The manner of age verification will be specified by regulations, taking into account the volume of data processed, the likelihood of harm from the processing and other factors. A data fiduciary that operates commercial websites or online services directed at children, or that processes large volumes of children’s personal data, may be classified as a “guardian data fiduciary”. Guardian data fiduciaries are barred from profiling, tracking or behavioural monitoring of children and from targeted advertising directed at them.
Penalty and compensation
Like the GDPR, the Bill gives the DPA the power to fine organizations for non-compliance. The maximum penalty is ₹15 crore (about $2.1 million) or 4% of the data fiduciary’s total worldwide turnover in the preceding financial year, whichever is higher. Individuals also have the right to seek compensation from the data fiduciary or data processor for any harm they suffer as a result of a violation.
As data protection legislation is enacted around the world, adopting privacy compliance early will be a competitive advantage for businesses in the long run. Businesses that are already GDPR compliant will have an edge, as they may only need to make a few changes to their existing compliance frameworks.
Don’t know where to start? First, understand what kind of data your site collects from users. Next, put in place appropriate processes to comply with the new law.
For a complete cookie consent solution, sign up to CookieYes. You can easily add a fully customizable cookie consent banner, automatically scan your website for cookies, record of users’ consents and much more.