As we are seeing global trends where countries are coming up with data protection policies, Govt of India also set-up a committee headed by Justice BN Shrikrishna to come up with Personal Data Protection bill framework which government can implement.
While the draft bill is on lines of General Data Protection Regulation (GDPR) which was passed by the European Union in 2016, the Draft Bill once implemented will result in major challenge for most of the businesses who are using personal data of citizens without any specific permission and the bigger challenge will be for the compliance officers and technology leaders who will have to create awareness about data protection as corporate culture and to build technology to ensure that there is no violation of Data Protection law.
APPLICABILITY OF LAW
As defined in the Bill, the act, if passed, will be applied to :
A: processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and
B: processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.
In addition, the act shall also apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —
(a) in connection with any business carried on in India, or any systematic activity of
offering goods or services to data principals within the territory of India; or
(b) in connection with any activity which involves profiling of data principals within
the territory of India.
CRITICAL ELEMENTS OF LAW
There are four main elements of Personal Data Protection Bill 2018 :
- DATA: Data means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means;
- DATA FIDUCIARY: Data fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;
- DATA PRINCIPAL: Data principal means the natural person to whom the personal data relates
- DATA PROCESSOR: Data processor means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary
DATA PROTECTION OBLIGATION
1. As per Chapter 2 of Bill, the data protection obligations for data processor or data fiduciary are to ensure that the data processing is done in a fair and reasonable manner that respects the privacy of the Data Principal.
2. Personal data protection bill shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.
GROUNDS FOR PROCESSING OF DATA
1. Personal data may be processed only on the basis consent of Data Principal.
2. The consent has to be free, explicit, specific, informed, clear and capable of being withdrawn by Data Principal
3. The burden of proof of obtaining consent lies with Data Fiduciary
PENALTIES
In case Data Fiduciary contravenes any provisions, the penalties the penalties can go up to Rs. 15 crores or 4{e2c1e7703bf7b6642b5af6e60324f3a1752447b5447bd7c54193dc70712531ff} of its worldwide turnover, whichever is higher.
EXEMPTIONS
SECURITY OF STATE: Processing of personal data in the interest of the security of state as permitted by law shall be exempted from provisions of this Act.
PREVENTION, DETECTION, INVESTIGATION, AND PROSECUTION OF CONTRAVENTIONS OF LAW: Processing of personal data in the interest of prevention, detection, investigation, and prosecution of any offense in law.
PROCESSING FOR PURPOSE OF LEGAL PROCEEDING
RESEARCH, ARCHIVE OR ANY STATISTICAL PURPOSE DULY APPROVED
PERSONAL OR DOMESTIC PURPOSE
Personal data processed by a natural person in the course of a purely personal or domestic purpose shall be exempted from provisions of the Act.
In our next article you, we will elaborate on the impact of this law on businesses at large and ToDos for Compliance Officers and Technology Leaders
