The Committee of Experts entrusted with creating a Framework for Data Protection in India has released the much-awaited Personal Data Protection Bill, 2018. The committee was constituted in August, 2017 by the Ministry of Electronics and Information Technology, Government of India to examine issues related to data protection, recommend methods to address them and draft a data protection bill. After years of deliberations and a series of public consultations, the committee chaired by retired Supreme Court Judge, Justice B.N. Srikrishna has released the much-awaited draft. The title of the draft bill was “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”, which provides context to the deliberations of the committee. The bill defined personal data as any data which can be used to identify an individual either directly or indirectly. Also, under the bill, sensitive data is defined as any data which is related to intimate matters where there is a higher expectation of privacy, i.e. caste, religion and sexual orientation of the individual. Therefore, with the data protection bill, the committee sought to distinguish personal data protection from the protection of sensitive data, since its processing could result in greater harm to the individual.
The Data Protection Authority of India (hereinafter referred to as ‘DPA’) is charged with the responsibility to enforce the law effectively and efficiently. The DPA categorizes certain fiduciaries as significant fiduciaries on the basis of their capability to cause greater harm to data principals as a consequence of their data processing activities. Further, if data fiduciaries are found to be in contravention of the law, the DPA has the power to cease, desist or temporarily suspend their business or activities. The significant data fiduciaries categorized by the DPA are required to undertake obligations such as:
a. They are required to register themselves with the DPA.
b. They have to assess Data Protection Impact.
c. They are required to conduct audits on a routine basis and maintain the records for the same.
d. They are required to appoint a Data Protection Officer.
The committee has recommended that the law should be applicable to the processing of personal data if the data has been shared, disclosed or processed in India. The law will be applicable to any fiduciary that is not present in India but has a business connection to India and is engaged in activities such as profiling. Further, the law shall be applicable to any company incorporated under Indian laws and engaged in collecting, sharing, disclosing and processing personal data. It is not necessary for the data to be actually processed in India. However, the center has the power to exempt companies that are engaged in processing the personal data of foreign nationals not present in India.
Some of the main points in the bill are:
# The new draft bill will be applicable to all foreign data processors that have a business connection to India or are engaged in carrying out activities involving profiling of individuals in India. It means that the draft bill has extra-territorial application.
# Differential obligations have been imposed on Personal Data and Sensitive Personal Data, i.e. the obligations imposed should be based on the criticality of the data.
# The data controller, i.e. the Data Fiduciary, is charged with the responsibility of Purpose Limitation, Collection Limitation, maintaining data quality, storage limitation, etc.
# The bill was intended to be made applicable to both private parties and the state.
# The bill defined a child as someone who is less than 18 years of age and prohibited profiling, tracking or behavioral monitoring of, or targeted advertising towards, children.
# The bill laid down rights related to data subjects. The rights include the right to data correction, data portability, etc.
# The bill introduced the concept of data breach and privacy by design.
# The bill mandated registration requirements for all data processors who are engaged in conducting high-risk data processing. High Risk Data Processors are required to implement trust scores, data audits as well as a Data Protection Impact Assessment.
# The Government, through the Data Protection Bill, has retained the power to exempt storage of copies of Sensitive Personal Data in exceptional cases. Also, copies of all personal data must be stored in India, and the government may notify certain types of personal data that should be mandatorily processed in India.
# The bill mandated the use of model clauses and possible adequacy requirements for consent cross-border transfers, i.e. the approval of the government is required for cross-border data flows.
# All the codes of practice will be provided and endorsed by the “Data Protection Authority of India”.
# The bill provides GDPR-style penalties of up to 4% of global turnover in some cases. Also, the bill introduced criminal penalties in limited cases.