17 December 2021
5 minute read

Privacy by design – India gears up for an overhaul of its data protection laws

India is on the anvil of a comprehensive overhaul of its current data privacy regime once the Personal Data Protection Bill, 2019 (Bill) is enacted. The recent spate of serious data breach incidents in India, exacerbated by home working, made the introduction of the new data framework timely and highly anticipated.

Highlights of the Bill

The Bill is inspired by the European Union General Data Protection Regulation (GDPR) but also introduces novel provisions that make it a unique piece of legislation. Consequently, compliance with GDPR would not necessarily mean compliance with the Bill.

Applicability

The Bill proposes to apply to personal data1 that has been processed within the territory of India by the Indian government, any company or entity incorporated in India and foreign companies dealing with personal data of individuals in India provided certain nexus requirements are met.2

Supervising Authority

The Bill contemplates creation of a Data Protection Authority (DPA) entrusted with wide-ranging rule-making, administrative and quasi-judicial functions.

Obligations of data fiduciaries

The Bill imposes major compliance obligations on data fiduciaries3 including providing data principals4 with detailed notice (in multiple languages where necessary and practicable) prior to data collection and obtaining their valid consent; processing data only for a clear, specific and lawful purpose and in a fair and reasonable manner; retaining data only until the purpose of collection is completed; and implementing measures to demonstrate transparency and accountability. If there is a breach while processing data which is likely to cause harm to the data principal, the data fiduciary is required to notify the DPA, who may determine whether the data principal should also be notified of such breach.

Significant data fiduciaries5 must comply with additional accountability requirements including registration with the DPA, record keeping, appointment of a data protection officer, conducting data protection impact assessments prior to significant processing activities and independent data audits.

Data localization and cross-border transfers

The Bill mandates different localization rules for different categories of personal data. Sensitive personal data6 may be transferred outside India for processing if expressly consented to by the individual and subject to certain additional conditions but must continue to be stored in India. Critical personal data7 can only be processed in India. Personal data that does not fall under the aforementioned categories is not subject to cross-border transfer restrictions.

Enforcement

The Bill envisages enforcement through civil compensation to individuals for harm suffered as a result of infringement; financial penalties which may extend to the higher of approximately USD 2 million or 4% of the total worldwide turnover of the data fiduciary; and criminal penalties (fines and/or imprisonment for up to three years) for re-identifying de-identified data without appropriate consent.

Comment

India is an important player in the global data economy. The Bill has implications for investors and businesses particularly in data-intensive sectors like software, education, pharmaceutical, health care and banking.

Interesting times lie ahead as we await the final form of the Bill which may undergo further changes before enactment. Watch this space for further updates.

1 Personal data is defined as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.” (Section 3(28))
2 The Bill is designed to have extra-territorial applicability if the processing of data by foreign companies is “(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or (ii) in connection with any activity which involves profiling of data principals within the territory of India.” (Section 2(A)(c))
3 Data fiduciary is defined as “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.” (Section 3(13))
4 Data principal is defined as “the natural person to whom the personal data relates” (Section 3(14)).
5 The DPA may notify any data fiduciary as a significant data fiduciary having regard to “(a) volume of personal data processed; (b) sensitivity of personal data processed; (c) turnover of the data fiduciary; (d) risk of harm by processing by the data fiduciary; (e) use of new technologies for processing; and (f) any other factor causing harm from such processing.” (Section 26(1))
6 Sensitive personal data is defined as “such personal data, which may, reveal, be related to, or constitute—(i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data under section 15.” (Section 3(36))
7 Critical personal data is defined as “such personal data as may be notified by the Central Government to be the critical personal data”. (Section 33(2))