Data Protection Bill, India

The creation of a Data Protection Law of India had been going on for a long time. An expert’s committee constituted by the Government of India put forward the data protection law’s first draft in 2018, which was redrafted and presented in the Parliament of India titled, ‘Personal Data Protection Bill (PDPB)’ in 2019. For a deeper examination of the Bill, it was sent to a Joint Parliamentary Committee (Committee) that had members of the both the Houses of the Parliament.

The committee presented their report with overarching recommendations, along with a revised version of the PDPB, after which, it was known as the ‘Data Protection Bill, 2021’.

Entities Involved with Data Protection Bill

The Data Protection Bill (Bill) regulates ‘data fiduciaries’ and data processors,’ and establishes the Data Protection Authority of India (Authority).

• Data Fiduciary: Anyone that alone or with others establishes the aim and medium of processing personal data.
• Data Processor: Any individual that processes personal data in place of the data fiduciary.
• Data Principal: Individual whose personal data is being processed.

The Authority members are appointed by the Government of India. The selection committee for this includes of the Attorney General of India, Directors of the Indian Institutes of Technology (IITs) and Indian Institutes of Management (IIMs), an independent professional chosen by the Government, and the Secretary to the Government of India in the Ministry or Department dealing with Legal Affairs.

The Committee allotted a period of approximately 24 months for the implementation of the provisions of the Bill and help data fiduciaries and data processors work more effectively as per the new guidelines.

Applicability of Data Protection Bill

Material Applicability: The Bill has a much far-reaching and inclusive than the originally suggested PDPB. It is applicable on the processing of personal data, sensitive personal data and non-personal data. Renaming the Bill to the ‘Data Protection Bill, 2021’ underlines the Committee’s plan to identify personal data and other types of data and enforce different legal frameworks for the various types of data.

• Personal Data: Data about an individual that can be identified by or is related to such data.
• Non-personal Data: Anything apart from personal data.

Territorial Applicability: The Bill is applicable to digital personal data processing within Indian territory when:

• Personal data is collected from Data Principals online, and
• Personal data is first collected offline and then digitized.

The Bill may also be enforced for digital personal data processing outside the Indian territory if the processing is connected to business in India, any systematic process of catering goods and services to data principals or any data principal profiling activity in India.

Exemptions to Applicability of Data Protection Bill

The Bill or some provisions may not be applicable to certain entities due to various reasons. Some of the exempted entities are:

• Government Agencies,
• Contravention of Law
• Legal and Judicial Proceedings
• Personal or Domestic Use
• Journalistic Purposes,
• Processing Data of Data Principals outside India,
• Research, Archiving or Statistical Purposes,
• Non-Automated Processing by Small Entities i.e., entities within a particular category classified by the Authority.
• Data Fiduciaries and Start-Ups included in Regulatory Sandboxes developed by the Authority.

Obligations of Data Fiduciaries

Purpose and Collection Limitation: Data fiduciaries may only process personal data in a fair and reasonable way that ensures the privacy of data principals. It may only be collected to the extent that is required for the processing purposes.

Privacy Notice: Data principals must be given a notice by data fiduciaries that states specific details including reasons of processing, the type and category of personal data being collected and the core basis of processing. The report must be clear and easily understandable for any individual and available in multiple languages.

Note: No notice is required if such a notice would, in any way, interfere with the personal data processing for public interest.

Quality of Personal Data: Necessary steps must be taken by data fiduciaries to ensure that the personal data collected is complete, accurate, updated, and not misleading.

Data Retention: Personal data collected may only be retained for the period when it is needed for processing; after which, the data must be completely deleted. If the data principal provides consent or it is necessary to comply to any law in force, it may be retained.

Accountability: When processing any personal data, data fiduciaries must always comply with the Bill and any rules and regulations related to it. For this reason, data fiduciaries and data processors need to sign contracts.

Grounds for Data Processing

With Consent: Personal data may only be processed after gaining the consent of the individual.

• Personal data can only be processed after a data principal provides free, informed, specific, and clear consent that can be withdrawn at any given time.
• Explicit consent of data principals is required to process sensitive personal data.
• Data fiduciaries are responsible for proving that consent from data principals has been taken.
• Data fiduciaries can only process data for the purposes that they have consent for from data principals or for reasons that are incidental and connected to such purpose.

The supply of goods or services, terms of a contract, or the benefits of a legal right or claim cannot be:

1. leveraged to get consent to process any other data apart from the ones required for the said purpose, and
2. denied based on the choice made by the individual.

Without Consent

For Public Interest: There are various reasons for which the personal data and sensitive personal data may be processed without the data principal’s consent. They may do so:

• For some state functions’ performance.
• To comply to orders or judgements of courts, quasi-judicial authorities or tribunals of India.
• To provide medical assistance or health services during epidemics, disease outbreaks or other dangers to public health.
• To facilitate assistance, safety measures or services to anyone during disasters or breakdowns of public order.
• To act in case of medical emergencies that involve a risk to the health or life of the principal or any individual.

For Employment-Related Purposes: Consent might not be required if the personal data is being processed for employment purposes, including recruitment, termination, assessments, and employee attendance verification.

Note: Sensitive personal data cannot be handled on this basis.

For Other Reasonable Purposes
Reasonable purposes like corporate restructuring or combination of transactions, network or information security, debt recovery, or operating search engines may be excused from having to get consent from data principals after considering:

• Data fiduciary’s legitimate interest.
• If the data fiduciary can be expected to obtain the data principal’s consent.
• If it is practically possible to obtain the consent of the data principal.
• Any public interest.
• The levels of adverse effects on the data principal’s rights.
• The data principal’s reasonable expectations.

Note: There is no specific definition of ‘reasonable purposes.’ The Authority may assert the extent of these ‘reasonable purposes’ and share guidelines for the protection of data principals, whose facing data processing under this clause.
Personal Data of Children

The personal data of a child (i.e., someone less than 18 years old) must be processed in such a way that it safeguards the child’s rights.

• Before the personal data of children starts being processed, data fiduciaries must verify the age of the child and get the consent of their parent or guardian.
• Profiling, behavioral monitoring or tracking or direct advertising directed at children or carrying out any processing that can cause significant harm to a child are completely barred for data fiduciaries when it comes to data processing.

Penalties

Nature of Offence	Maximum Penalties
Failure to comply with security and transparency obligations by data fiduciary	The right to levy penalties lies with the Government, but these penalties cannot be more than INR 150,000,000 or 4% of the worldwide turnover in the preceding year of a data fiduciary, whichever is higher (or the higher of INR 50,000,000 or 2% of the worldwide turnover in the preceding year of a data fiduciary, whichever is higher, depending on the offence’s nature.)
Failure to comply with data principals' requests with respect to data principals' rights	Significant data fiduciaries: INR 1,000,000 Data fiduciaries: INR 500,000
Failure to furnish reports and information to the Authority	Significant data fiduciaries: INR 2,000,000 Data fiduciaries: INR 500,000
Failure to comply with orders or directions of the Authority	Data fiduciaries: INR 20,000,000 Data processors: INR 5,000,000
Reidentification and processing of de-identified personal data without the consent of a data fiduciary or data processor	Imprisonment of up to 3 years and a fine which may extend to INR 200,000
Offences for which specific penalties have not been provided	Significant data fiduciaries: INR 10,000,000 Data fiduciaries and data processors: INR 2,500,000

 

 Note: Significant data fiduciaries are fiduciaries that deal with high amount of personal data.

Conclusion

The Data Protection Bill aims to protect the personal data of the citizens of India from being exploited and used unless required by authorities for legal purposes. Until it is in public interest, you will always be informed and asked for consent whenever your personal data is being processed. To make sure there is no potential for fraudulent activities using your personal data, it is imperative that you know your rights and how to protect yourself from such activities.