What is The Personal Data Protection Bill of 2019?

On December 11, 2019 India's minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, introduced the Personal Data Protection Bill in Lok Sabha, India, aiming to provide protection of the personal and sensitive data of the citizens of India. The bill seeks to govern the processing of personal data of the individual by the Indian government, Indian companies, any citizen of India and foreign companies who handle personal data of Indian Citizens.

Terminology of the PDPB

Personal Data

First let's begin with looking at what personal data means. Personal data is any information that is related to a naturally born person, which enables the identity of that person. The exact definition in the bill is as follows:

personal data" means data about or relating to a natural person who is
directly or indirectly identifiable, having regard to any characteristic, trait, attribute or
any other feature of the identity of such natural person, whether online or offline, or
any combination of such features with any other information, and shall include any
inference drawn from such data for the purpose of profiling

https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

Examples of personal information are:

• full name
• home address
• email address
• date of birth
• place of birth

Sensitive Data

Sensitive data is personal data that is protected against unauthorised access. Examples of sensitive personal data are

• financial information
• health information
• caste
• bio metric data
• religious beliefs
• genetic data

Data fiduciary

The term data fiduciary is defined by the DPBP as

any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

Data principal

The data principal is the natural person that the data is relating to.

Who does the bill apply to?

The PDPB applies to the following entities who process personal data about individuals of India:

• the Indian government
• companies incorporated in India
• foreign companies who deal with the personal data of individuals in India

Exemptions for small business

Under the PDPB there a few exceptions for small entities as follows:

• a turnover less than twenty lakh rupees (approx 28.000 USD)
• doesn't share personal information with any other business
• did not process the personal data of more than 100 data principals on a single day in the past 12 months

The main features of India's Personal Data Protection Bill are:

• the protection of the individuals privacy in relation to personal data
• obligations of the data fiduciary
• rights of the individual
• grounds for data processing
• data protection authority
• transfer of personal data outside of India
• exemptions
• offences
• transparency and accountability

Protecting the Individual's Privacy

Privacy is a fundamental human right. It is the right to "freedom from unauthorised intrusion." When it relates to personal information, it means that the individual should have some right over how their personal information is handled.

With so much of our personal information now being collected online, many countries have created personal data regulations to help protect their residents data and privacy. The GDPR, CCPA and Australian Privacy Act 1988 are just a few of them. India's Personal Data Protection Bill 2019, which is expected to pass this year, is an important data governance infrastructure that will have consequences for any company that does business in or with India.

Obligations of the Data Fiduciary

The data fiduciary decides the means and purpose for processing personal data. The processing of the data is subject to the following conditions:

• for specific, clear and lawful purpose.
• in a fair and reasonable manner, ensuring the privacy of the data principle.
• for the purpose which has been consented to by the data principal or which is connected to the initial purpose of collection, and which the data principal would reasonably expect that the data would be used for.
• collection of personal data is only as necessary for the purpose of processing.
• the data principal is given notice at the time of collection.This notice must include:
  • your company name and contact details
  • your purpose for processing
  • what personal data you collect
  • notice to the data principal that they have the right to withdraw consent
  • the basis for processing
  • source of collection if other than data principal
  • whom the data may be shared with, if this applies
  • how long you store personal data
  • how data principals can exercise their rights
  • the process for addressing grievances
  • the right to make a complaint
• necessary steps will be taken in order to ensure that the personal data is complete, accurate, not misleading, up to date and having regard to the purpose of processing it.
• personal data will not be retained for any longer than is necessary, unless it has been consented to by the data principal or is required by law.
• the data fiduciary is responsible for complying with the provisions laid out in the act
• consent must be given by the data principal before any data processing commences.
• proof of consent for processing of personal and sensitive data must be able to be shown by the data fiduciary.

Rights of the Individual

The data principal has certain rights under the PDPB, they are as follows:

• the right to confirmation and access: to be provided, in a clear and concise manner the following information:
  • confirmation of the processing of their personal data
  • what personal data has been processed,
  • a brief summary of the processing activities that have been undertaken
  • the right to access who the personal data has been shared with.
• the right to correction and erasure: the right to have inaccurate or misleading data corrected, to have incomplete data completed, to have personal information that is out-of-date updated and to have personal data which is no longer necessary for the purpose it was processed erased.
• the right to data portability: where the data has been processed by automated means then the individual has the right to have a copy of the data in a "structured, commonly used and machine-readable format." This data includes:
  • personal data provided to the data fiduciary,
  • data that has been generated while providing goods or services
  • any data which is part of a profile created about the data principal.
• the right to be forgotten: the right to restrict or prevent continuing disclosure of personal information in the following circumstances:
  • the data is no longer required for the purposes it was collected for
  • consent for processing has been withdrawn
  • the data was disclosed unlawfully

Grounds for Data Processing

The PDPB states that personal data may only be processed with consent from the data principal. However there are a number of circumstances which allow the data fiduciary to process personal data without consent. these are:

• in order to perform a function of the State: The Indian government may process personal information without consent in order to provide a government service or benefit to the individual or for the issuance of a certificate, license or permit made by Parliament or State legislature.
• legal compliance: personal data may be process without consent if required under any law made by the Indian Government or in order to comply with the courts or tribunals of India.
• in response to a medical emergency: in the event of a medical emergency which involves a threat to the life of, or severe threat to the health of the individual then personal data may be processed without consent. It may also be processed without consent in order to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other public health threat.
• for purposes related to employment: the processing of personal data, not including sensitive data, may be processed in order to recruit or terminate employment, in order to provide a service or benefit requested by the employee, in order to verify the attendance of the employee and for any activity that relates to the assessment of the employees performance.
• other reasonable purposes: in order to determine what are reasonable purposes for processing the data the following needs to be considered:
  • what are the interests of the data fiduciary?
  • can consent be reasonably obtained?
  • is there a public interest for processing?
  • what effects will the processing have on the individual?
  • would the individual reasonably expect the processing?

Reasonable purposes may include the following:

(a) prevention and detection of any unlawful activity including fraud;
(b) whistle blowing;
(c) mergers and acquisitions;
(d) network and information security;
(e) credit scoring;
(f) recovery of debt;
(g) processing of publicly available personal data; and
(h) the operation of search engines.

Data Protection Authority

The Indian government shall establish a Data Protection Authority for the purposes of this act. The duty of the Authority will be to

• (i) protect the interests of the individual,
• (ii) monitor and enforce the provisions of the Act
• (iii) take prompt, appropriate action in the case of data breaches
• (iv) maintaining a database on its website that contains the names of significant data fiduciaries along with a trust score
• (v) examine data audit reports
• (vi) issue certificates of registration to data auditors and maintain the renewal, withdrawal, suspension or cancellation of them, along with maintaining a database of registered data auditors.
• (vii) promote awareness and understanding of the risks, rules, safeguards and rights of personal data in accordance with the Bill
• (viii) monitoring technological developments and commercial practices affecting personal data
• (ix) advising the Indian government on measures that are required to protect personal data and to ensure the application and enforcement of the act.
• (x) to specify fees and charges in order t carry out purposes of this Act
• (xi) dealing with complaints under this Act
• (xii) performing any other functions as required

Transferring Personal Data Outside of India

Sensitive personal data may be transferred outside of India, but must still be stored in India. In order for the data to be transferred the data principal must give consent and meet the following conditions

• the transfer is made as per a contract or an Authority approved scheme
• the Indian government has allowed the transfer to the country, an entity of the country, or international organisation
• the Authority has allowed the transfer for a specific purpose

Exemptions

The Indian government can exempt any of its agencies if it is satisfied that it is "necessary and expedient" and:

• it's in the interest of the sovereignty and integrity of India and positive relations with foreign states and public order
• it will prevent the incitement to the commission of any cognizable offence

Exemptions to the bill are also found in the processing of personal data for the following purposes:

• for prevention, detection, investigation and prosecution of an offense or breach of the law
• as required for legal proceedings
• if it is necessary for judicial function
• personal or domestic purposes
• journalistic purpose

All processing of the above must be for specific, clear and lawful purposes.

Offences

Violations under the bill are punishable by a fine and in some cases imprisonment. They are as follows:

• processing or transferring of personal data in violation of the PDPB provisions is liable to a penalty of up to 15 crore rupees (approx 2.7 million USD) or 4% of the company worldwide turnover, whichever is higher
• selling personal data that results in harming an individual or re-identifying anonymized data may result in imprisonment for up to 3 years

Transparency and Accountability

Like the majority of privacy laws, India's Personal Data Protection Bill requires that you have a privacy policy. In order to be compliant with the PDPB your privacy policy will need to include the following:

• types of personal data are collected and how you collect it
• the purposes for processing the personal data
• categories of personal data that are collected in exceptional circumstances
• the rights of the data principal and how they can access them
• the individuals right to file a complaint about you
• if applicable a data trust score
• where applicable, information regarding cross border transfers of personal information

If you already have a GDPR, CCPA and Australian Privacy Act compliant privacy policy then you many of these will already be covered.

In order to safeguard the personal data you collect and store the following need to be implemented:

• de-identification and encryption methods
• protection of the integrity of personal data
• necessary steps that will prevent the misuse, unauthorised access to, modification, disclosure or destruction of personal data

If for any reason there is a breach of any personal data that you have processed then the Authority must be informed of the breach, if it is likely to cause any harm to the individual. The notice needs to include the following:

• the nature of personal data that is subject to the breach
• the number of data principals affected by the breach
• the possible consequences of the breach
• the action you are taking to remedy the breach

The PDPB requires that a Data Protection Officer is employed if they are considered a "significant data fiduciary" by the Authority. The Authority classifies a data fiduciary as significant based on :

• volume of personal data processed
• sensitivity of personal data processed
• the turnover
• risk of harm by processing of the data fiduciary
• use of new technologies for processing
• any other factor causing harm from such processing

Conclusion

India's Personal Data Protection Bill is about to become the latest international law which helps protect the privacy rights of the individual. The enactment of this bill will make India a safe country in which to handle and process personal information. There are a few things which you can do in order to be prepared for when the PDPB becomes a law:

• review and update data protection policies
• review how you notify your users that you collect their data
• review how you obtain consent from your users
• review how you keep personal data safe
• consider how you will meet the requests of your users data principal rights