Explore - Experience - Excel

Data Privacy regime in India

By: Joydeep Dass
Faculty – Finance
Mobile: +91-9175360870
Introduction – The Government of India constituted a committee under the leadership of Justice B.N Sri Krishna on August 2017. The Committee studied the issues related to data protection, recommend methods to address data privacy issues, make specific suggestions and draft a data protection bill. The committee submitted its report and the draft bill on July 27, 2018 and known as the Personal data protection bill, 2018. Per the white paper released by the Ministry of Electronics & Information Technology the objective of setting up the committee of experts is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected”
Summary of Key suggestions in the bill

1. Territorial Scope– The data protection bill would apply to
I) Entities incorporated within India and processing of personal data of Indian residents and citizens.
II) Foreign entities conducting business in India and processing personal information of Indian residents and citizens. Extra territorial jurisdiction is under review.

2. Persons – Law recognized two types of persons, natural & representative. The bill would apply to only natural persons and not to any juristic person, for e.g. a Company.
3. Data Fiduciaries/Principal – Data fiduciary has been refers to any entity that determines the purpose and means of processing personal data. Processing involves collecting, organizing, storing and structuring of personal data. Data principal as defined in the bill includes any natural persons and the residents from whom data is collected. An Organization may be designated as significant data fiduciary (SFD) based on the volume of sensitive data it processes & risk involved in processing.
4. Sensitive personal data – The bill clearly defines “Sensitive personal data”. The classification is due to the two reasons – I) some information are extremely personal to the individual. II) Such categories of information may be misused to discriminate against an individual. An individual’s religion, race, caste, sexual orientation, passwords, financial data, official identifier, biometric or genetic data, marital status, mental & physical health conditions, transgender status, political affiliation, place of birth, descent or place of residence have been classified as sensitive personal data. The bill does not have any provisions for processing of anonymized data.
5.Consent – The bill provides that consent is a sine qua non for processing. Consent to be from source from data principals in writing and should be free, unbiased, concise, informed and meaningful. The bill provides for adequate safeguards to vulnerable categories of data principals, such as children and old aged person. In cases where consent based processing is not possible there are provisions made in the bill to process data without consent. The bill identified four instances where non-consent based processing would be permitted
a)       Where processing is relevant for the state to discharge its welfare functions,
b)      To comply with any provisions of any law or with court orders in India
c)      To protect life & property and
d)     In employment contracts, in limited situations such, as where giving the consent requires an unreasonable effort for the employer.
e)       Debt recovery, credit scoring or prevention of illegal activity.
6.NoticeThe Data Principal is required to give notice, before or at the time of collection. The notice must state the purpose for which Personal Data is collected, categories of data collected, details of the Data Fiduciary, details pertaining to sharing and transferring of Personal Data, and rights of the Data Principal. Such notice needs to be clear, concise, and easily comprehensible for a reasonable person to understand the contents of the notice.
7.Participation Rights – The bill provides for greater participation for data principals to ensure transparency & accountability. The Committee specified four categories of rights in line with fundamental right to privacy.
             I)            Right to access, confirmation and rectification
            II)           Right to object to data processing
           III)          Right to data portability
           IV)          Right to be forgotten, delist or erasure.
8. Enforcement – The Bill provides for the establishment of a Data Protection Authority. The functions, powers & duties of DPA include the following
I)        Take necessary steps to protect interests of data principals & monitor the law
II)      Take corrective action in response to data security breach
III)    Maintain a list of data fiduciaries and rank them based on their scores.
IV)    Examine data audit reports & ensure compliance with the Bill.
V)      Registration of data auditors & monitor cross border transfer of data
VI)    Issue best practices codes, handle complaints & conduct inspection and inquiries as required & assist higher authorities in cases of prosecution.

The data protection authority will consist of a chairperson and six members, with knowledge of at least   10 years of experience in the Industry in the field of data protection and information technology. Orders of the Authority shall be appealable with the Appellate Tribunal established by the central government. A person aggrieved by the order of the tribunal can further raise it with the Supreme Court. All entities collecting personal data should appoint a data protection officer (DPO). The DPO should notify data breaches to the appropriate authority and they should conduct Data privacy impact assessment (DPIAs) in each instances of data breach. The data fiduciaries should register themselves with the Data protection authority, maintain records & mandatorily carry out periodical data protect
ion audits.
9.Compliance with allied laws – The Information Technology Act, 2000, Census Act, 1948, RTI act, 2005, Indian Telegraph act, 1885 and Aadhaar Act, 2016 also require or authorize the processing of personal data. The bill provides minimum data protection processing standards in the country. In the event of inconsistency or conflict, the standards set in the bill will prevail and apply to the processing of data. The Committee also recommended suitable amendments & overriding provisions to other existing laws to strengthen its data protection framework.
     10.Cross-border data transfer – The bill provides that data can move beyond national boundaries to ensure a seamless flow of information exchange. The exchange of data can take place if the two conditions are satisfied.
I)      Data safety standards should be adequate in the transferee country.
II)    Data transferred should be subject to comparable level of protection as it would have been in India.
The bill further provides for data localization rules. The entities are required to store personal data on servers located within the geographical territory of India. Mirroring of data is not permissible that is a copy of the data cannot be in India while the master data is stored outside India. The rules notifying data localization is with the Central Government and RBI to decide.
11. Civil & Criminal penalties – The bill made provisions for extensive civil & criminal penalties. First, an amount of 5 crores or 2% of total turnover whichever is higher will be imposed in case of violation of compliance requirements. Second, 15 crores or 4% of the total turnover whichever is higher will be imposed in cases of breach in processing of data or transfer made outside of national boundaries without prior approval of the supervising authority. Imprisonment for a term of 3 to 5 years have been prescribed for persons who knowingly, intentionally, recklessly obtain, disclose, transfer or sell sensitive personal data which might cause significant harm to the data principals. For entities, the penalty will apply to all persons in charge of operations, directors, managers, secretaries or other officers.

12.Implementation – The bill contemplates implementation in a time bound phased manner. Once the law is enacted, certain provision like setting up of the Data Protection Authority (DPA) in 3 months, the power to make rules and regulations are to come into effect immediately. The operative provisions of the bill are to come into effect from 18 months from the date of enactment.

Conclusion – The data protection bill, 2018 will provide an ecosystem for responsible data handling. The Organizations who will collect data as part of their business should start reshuffling their IT processes and infrastructure in such a manner th
at once the regulation comes into force, does not affect them. The bill incorporated the global best practices from the recent GDPR (General Data Protection Regulation) in the European Union, data protection legislations in other countries. Critics say that the bill is ambiguous and imperfect and data imperialism would hurt the economy and affect the prospects of economic growth. Nevertheless, this is a step in the right direction and surely going to a game changer and an effective law for data protection in India.

DisclaimerThe views, opinions and content on this blog are solely those of the authors. ISME does not take responsibility of content, which are plagiarised or not quoted.