The Personal Data Protection Bill, 2018
The Personal Data Protection Bill, 2018 (“Bill”) is a draft law submitted in July 2018 by a committee of experts
on data protection constituted by the government of India (“Committee”). The bill has not yet been
implemented and has drawn significant criticism and praise. Its similarities with the European Union’s General
Data Protection Regulation (“GDPR”) can be seen in the language and direction of provisions such as the rights
of data principals, quantum of penalties, categories of personal data, and transparency obligations.
Applicability
If the Bill becomes law, its provisions would apply to the processing of personal data:
(a) that has been collected, disclosed, shared, or otherwise processed within India;
(b) by any Indian entity, citizen, or the State (as defined under Article 12 of the Constitution of India); and
(c) by data fiduciaries or data processors not present within India, if the processing is in connection with either
(i) any business carried on in India or any offering of goods or services to data principals within India or (ii)
profiling data principals within India.
The provisions of the Bill, however, do not apply to the processing of anonymised data.
The Bill applies to “personal data” and “sensitive personal data”. It treats identifiable data, with respect to any
characteristic, attribute, trait, or other feature of a person’s identity, as personal data. Sensitive personal data
includes some categories of personal data such as passwords, health or financial data, biometric data, and data
about sex life, sexual orientation, and religious or political beliefs, which carry enhanced requirements of
processing. The Bill also confers power on a data protection authority to specify other such categories.
Actors
A “data principal” is the natural person to whom personal data relates. A “data fiduciary” is any person
– including the State, a company, or a juristic entity – who, either alone or with others, determines the purpose
and means of processing the personal data. A “data processor” is any person who processes data on behalf of a
data fiduciary; however, it does not include an employee of a data fiduciary.
A data principal is conceptually similar to a data subject and a data fiduciary to a data controller under the
GDPR.
The Bill also seeks to establish the Data Protection Authority to oversee and regulate processing activities
covered by the Bill.
Obligations of data fiduciaries
Data fiduciaries must comply with the following obligations and also be able to demonstrate that they have
complied with them.
(a) Personal data should be processed in a fair and reasonable manner that respects the privacy of the data
principal;
(b) Processing should only be for the purposes specified, or other incidental purposes that the data principal
would reasonably expect the personal data to be used for;
(c) Collection of personal data should be limited to the data that is necessary for processing;
(d) Data should be processed only on the grounds detailed in the Bill;
(e) The data fiduciary should provide the data principal with adequate notice of processing of personal data;
(f) The data fiduciary should ensure that the personal data being processed is complete, accurate, not
misleading, and updated; and
(g) Personal data should only be retained for as long as is necessary to satisfy the purpose for which it is
processed.
While it provides for a consent-based approach to processing data, the Bill allows some other grounds for
lawfully processing personal data.
Grounds for Processing
These include processing (a) that is necessary for the functioning of the Parliament or state legislatures, (b) to
comply with orders or judgments of courts or tribunals, (c) for purposes related to employment, (d) for “prompt”
action during circumstances such as medical emergencies, disasters, and breakdowns of law and order, and (e)
for “reasonable” purposes, such as whistleblowing, mergers and acquisitions, credit scoring, and debt recovery.
Without more guidance, each of these grounds of processing remains subject to governmental and judicial
interpretation.
The grounds for lawfully processing sensitive personal data are slightly different. One of them, for example,
requires explicit consent. While the Bill provides some factors that can validate explicit consent – for example,
it must be informed, clear, and specific – it does not provide guidance on how explicit consent has to be sought,
and how it varies substantially from regular consent.
Data Localisation
At least one copy of personal data should be stored on servers located in India. The government may exempt
some categories of personal data from this requirement on the grounds of necessity or strategic interests of the
State. While more guidance may provide clarity on this exemption, it cannot extend to sensitive personal data.
The government can also prescribe categories of “critical personal data” which must necessarily only be
processed on servers located in India. So far no criteria have been developed to determine this set of personal
data and so its scope is not clear.
Cross Border Transfer of Personal Data
Subject to the localisation requirements, there are some cases where personal data may be transferred out of
India. Transfer is permissible, for example, if (a) it complies with contractual clauses or intra-group schemes
authorised by the Data Protection Authority; (b) it is made to a country, sector within the country, or an
international organisation approved by the government; (c) in addition to either of the two preceding points,
the data principal has consented to such transfer; (d) the transfer is necessary, provided the Data Protection
Authority has approved such necessity; or (e) the data principal has explicitly consented to such transfer. As
noted previously, it is not yet clear how such explicit consent will be sought in practice.
Data Breaches
The Bill has adopted a harm-based standard for responding to breaches of personal data. For example, in the
event of a breach, a data fiduciary has to report it within specified timelines to the Data Protection Authority.
The authority will then determine, depending on the severity of harm that may be caused, whether such breach
should be reported to data principals. Harm includes injury, whether bodily or mental, identity theft, loss of
employment, discrimination, and loss of reputation or humiliation, amongst others. The precise methods to
gauge the extent of harm are not clear. The Data Protection Authority shall also have the powers to direct the data
fiduciary to take remedial action in the event of breaches.
Data Protection Officer
Data fiduciaries have to appoint data protection officers. A data fiduciary situated outside India must appoint
one based in India. The Data Protection Authority may specify eligibility criteria for data protection officers.
In addition to their other functions, these officers must monitor the data fiduciaries’ processing activities to
ensure compliance with the Bill, provide advice, assist and cooperate with the Data Protection Authority, and
act as points of contact between data principals and data fiduciaries.
Transparency and Accountability Measures
While the Bill does not prescribe any specific standards, by making “privacy by design” mandatory, it will require
that the business practices and technical systems of data fiduciaries be designed to anticipate and avoid harm
to data principals. Other transparency and accountability obligations it places on data fiduciaries include
adequate security safeguards, accurate and up-to-date record keeping, annual data audits, and data protection
impact assessments.
Rights of Data Principals
The Bill imagines a statutory framework to access some of the fundamental rights guaranteed by the
Puttaswamy verdict. Data principals have the right to access the personal data that is collected, confirm, correct
or update it, and receive it in commonly used forms. The “right to be forgotten” will allow data principals to
prevent the disclosure of personal data if that disclosure is no longer necessary or has served the purpose for
which it was made, or if the consent that permitted such disclosure has been withdrawn, or if the disclosure is
made contrary to applicable laws. The balance it has tried to strike between these rights and the freedom of
speech and expression will need to be tested in practice.
Penalties
Contravention by a data fiduciary of a category of obligations under the Bill may attract a penalty of up to INR
50,000,000 or 2% of the data fiduciary’s total worldwide turnover of the preceding financial year, whichever is
higher. Even higher penalties have been prescribed for contravention of obligations in respect of processing of
personal data or sensitive personal data, cross-border transfer of personal data, and the security safeguards
detailed in the Bill.
Conclusion
Data protection law in India is in a period of transition. The impact of the Puttaswamy decision on the Data
Protection Rules and the IT Act cannot be overstated. Several Indian high courts dealing with data protection
issues such as the export of data, transfer of data among group companies, and the adequacy of consent, now
have to consider the Supreme Court’s view that the privacy of personal information is part of the fundamental
right to life and personal liberty. While no judicial trend can be discerned yet, it is clear that data collection and
processing efforts in India must evaluate and anticipate the impact of this historic judgment.
The decision has also provided the impetus and the founding principles for a new data protection law. While we
do not yet know the extent to which the draft bill that is now in circulation will be part of that law, the principles
laid down in Puttaswamy and the experience of Europe’s GDPR will indeed be influential. Data fiduciaries and
processors may have to comply with a new set of obligations enforced by a new regulator through severe
penalties.
Do reach out to us if you have any comments or questions.
Mathew Chacko (mathew@spiceroutelegal.com)
Ankita Hariramani (ankita.hariramani@spiceroutelegal.com)
Aadya Misra (aadya.misra@spiceroutelegal.com)
Aishwarya Todalbagi (aishwarya.todalbagi@spiceroutelegal.com)

 
一比一原版旧金山州立大学毕业证学位证书
 一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
一比一原版西澳大学毕业证学位证书
 一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
 

Personal data protection bill

The Personal Data Protection Bill, 2018
The Personal Data Protection Bill, 2018 (“Bill”) is a draft law submitted in July 2018 by a committee of experts on data protection constituted by the government of India (“Committee”). The bill has not yet been implemented and has drawn significant criticism and praise. Its similarities with the European Union’s General Data Protection Regulation (“GDPR”) can be seen in the language and direction of provisions such as the rights of data principals, quantum of penalties, categories of personal data, and transparency obligations.

Applicability
If the Bill becomes law, its provisions would apply to the processing of personal data:
(a) that has been collected, disclosed, shared, or otherwise processed within India;
(b) by any Indian entity, citizen, or the State (as defined under Article 12 of the Constitution of India); and
(c) by data fiduciaries or data processors not present within India, if the processing is in connection with either (i) any business carried on in India or any offering of goods or services to data principals within India or (ii) profiling data principals within India.
The provisions of the Bill, however, do not apply to the processing of anonymised data.
The Bill applies to “personal data” and “sensitive personal data”. It treats identifiable data, with respect to any characteristic, attribute, trait, or other feature of a person’s identity, as personal data. Sensitive personal data includes some categories of personal data such as passwords, health or financial data, biometric data, and data about sex life, sexual orientation, and religious or political beliefs, which carry enhanced requirements of processing. The Bill also confers power on a data protection authority to specify other such categories.

Actors
A “data principal” is the natural person to whom some personal data relates.
A “data fiduciary” is any person – including the State, a company, or a juristic entity – who, either alone or with others, determines the purpose and means of processing the personal data. A “data processor” is any person who processes data on behalf of a data fiduciary; however, it does not include an employee of a data fiduciary. A data principal is conceptually similar to a data subject and a data fiduciary to a data controller under the GDPR. The Bill also seeks to establish the Data Protection Authority to oversee and regulate processing activities covered by the Bill.

Obligations of data fiduciaries
Data fiduciaries must comply with the following obligations and also be able to demonstrate that they have complied with them.
(a) Personal data should be processed in a fair and reasonable manner that respects the privacy of the data principal;
(b) Processing should only be for the purposes specified, or other incidental purposes that the data principal would reasonably expect the personal data to be used for;
(c) Collection of personal data should be limited to the data that is necessary for processing;
(d) Data should be processed only on the grounds detailed in the Bill;
(e) The data fiduciary should provide the data principal with adequate notice of processing of personal data;
(f) The data fiduciary should ensure that the personal data being processed is complete, accurate, not misleading, and updated; and
(g) Personal data should only be retained for as long as is necessary to satisfy the purpose for which it is processed.
While it provides for a consent-based approach to processing data, the Bill allows some other grounds for lawfully processing personal data.

Grounds for Processing
These include processing (a) that is necessary for the functioning of the Parliament or state legislatures, (b) to comply with orders or judgments of courts or tribunals, (c) for purposes related to employment, (d) for “prompt” action during circumstances such as medical emergencies, disasters, and breakdowns of law and order, and (e) for “reasonable” purposes, such as whistleblowing, mergers and acquisitions, credit scoring, and debt recovery. Without more guidance, each of these grounds of processing remains subject to governmental and judicial interpretation.
The grounds for lawfully processing sensitive personal data are slightly different. One of them, for example, requires explicit consent. While the Bill provides some factors that can validate explicit consent – for example, it must be informed, clear, and specific – it does not provide guidance on how explicit consent has to be sought, and how it varies substantially from regular consent.

Data Localisation
At least one copy of personal data should be stored on servers located in India.
The government may exempt some categories of personal data from this requirement on the grounds of necessity or strategic interests of the State. While more guidance may provide clarity on this exemption, it cannot extend to sensitive personal data. The government can also prescribe categories of “critical personal data” which must necessarily only be processed on servers located in India. So far no criteria have been developed to determine this set of personal data and so its scope is not clear.

Cross Border Transfer of Personal Data
Subject to the localisation requirements, there are some cases where personal data may be transferred out of India. Transfer is permissible, for example, if
(a) it complies with contractual clauses or intra-group schemes authorised by the Data Protection Authority;
(b) it is made to a country, sector within the country, or an international organisation approved by the government;
(c) in addition to either of the two preceding points, the data principal has consented to such transfer;
(d) the transfer is necessary, provided the Data Protection Authority has approved such necessity; or
(e) the data principal has explicitly consented to such transfer.
As noted previously, it is not yet clear how such explicit consent will be sought in practice.

Data Breaches
The Bill has adopted a harm-based standard for responding to breaches of personal data. For example, in the event of a breach, a data fiduciary has to report it within specified timelines to the Data Protection Authority. The authority will then determine, depending on the severity of harm that may be caused, whether such breach should be reported to data principals. Harm includes injury, whether bodily or mental, identity theft, loss of employment, discrimination, and loss of reputation or humiliation, amongst others. The precise methods to gauge extent of harm are not clear. The Data Protection Authority shall also have the powers to direct the data fiduciary to take remedial action in the event of breaches.

Data Protection Officer
Data fiduciaries have to appoint data protection officers. A data fiduciary situated outside India must appoint one based in India. The Data Protection Authority may specify eligibility criteria for data protection officers. In addition to their other functions, these officers must monitor the data fiduciaries’ processing activities to ensure compliance with the Bill, provide advice, assist and cooperate with the Data Protection Authority, and act as points of contact between data principals and data fiduciaries.

Transparency and Accountability Measures
While the Bill does not prescribe any specific standards, by making “privacy by design” mandatory, it will require that the business practices and technical systems of data fiduciaries be designed to anticipate and avoid harm to data principals. Other transparency and accountability obligations it places on data fiduciaries include adequate security safeguards, accurate and up-to-date record keeping, annual data audits, and data protection impact assessments.

Rights of Data Principals
The Bill imagines a statutory framework to access some of the fundamental rights guaranteed by the Puttaswamy verdict.
Data principals have the right to access the personal data that is collected, confirm, correct or update it, and receive it in commonly used forms. The “right to be forgotten” will allow data principals to prevent the disclosure of personal data if that disclosure is no longer necessary or has served the purpose for which it was made, or if the consent that permitted such disclosure has been withdrawn, or if the disclosure is made contrary to applicable laws. The balance it has tried to strike between these rights and the freedom of speech and expression will need to be tested in practice.

Penalties
A data fiduciary’s contravention of a category of obligations under the Bill may attract a penalty of up to INR 50,000,000 or 2% of the data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. Even higher penalties have been prescribed for contravention of obligations in respect of processing of personal data or sensitive personal data, cross-border transfer of personal data, and the security safeguards detailed in the Bill.

Conclusion
Data protection law in India is in a period of transition. The impact of the Puttaswamy decision on the Data Protection Rules and the IT Act cannot be overstated. Several Indian high courts dealing with data protection issues such as the export of data, transfer of data among group companies, and the adequacy of consent, now have to consider the Supreme Court’s view that the privacy of personal information is part of the fundamental right to life and personal liberty. While no judicial trend can be discerned yet, it is clear that data collection and processing efforts in India must evaluate and anticipate the impact of this historic judgment.
The decision has also provided the impetus and the founding principles for a new data protection law. While we do not yet know the extent to which the draft bill that is now in circulation will be part of that law, the principles laid down in Puttaswamy and the experience of Europe’s GDPR will indeed be influential. Data fiduciaries and processors may have to comply with a new set of obligations enforced by a new regulator through severe penalties.
Do reach out to us if you have any comments or questions.
Mathew Chacko, mathew@spiceroutelegal.com
Ankita Hariramani, ankita.hariramani@spiceroutelegal.com
Aadya Misra, aadya.misra@spiceroutelegal.com
Aishwarya Todalbagi, aishwarya.todalbagi@spiceroutelegal.com