SlideShare a Scribd company logo

An overview of the Indian Data Privacy Bill

Komal Gadia, profile picture
Komal Gadia

The Personal Data Protection Bill (PDPB) in India governs the collection, processing, and storage of personal data, applying to data processed by Indian entities and certain foreign entities under specific conditions. The bill includes strict penalties for non-compliance and establishes a Data Protection Authority (DPA) to oversee enforcement and approve provisions, with significant focus on consent, accountability, and safeguarding personal data. Key takeaways emphasize the need for organizations to adapt their data management practices in light of the law's stringent requirements and potential penalties, including imprisonment for serious violations.

Law
Related topics:
Data Privacy
1 of 19
Downloaded 55 times
1
2
Most read
3
Most read
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
PERSONAL DATA PROTECTION BILL
2 APPLICABILITY Processing of personal data: • Where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and • by any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. The PDPB does not apply to processing of anonymised data. PDPB shall apply to data fiduciaries or data processors not present within the territory of India, only if such processing is: in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or in connection with any activity which involves profiling of data principals within the territory of India. Remarks:  If personal data of foreign nationals is shared with an Indian Company to comply with management/statutory reporting requirement, PDPB shall not apply to such foreign company.  If personal data of a person is anonymised through an irreversible process, such that the person cannot be identified, PDPB shall not apply.
3 TRANSITIONAL PROVISION The Act once notified, a period of 12 months thereto is prescribed for notifying various Rules and Regulations thereunder. The Data Protection Authority (DPA) will be constituted within a period of 15 months from enactment of the Act. DPA is conferred with the powers to issue code of practice on various principles of data protection obligations and to notify exceptional grounds for processing personal data without seeking consent. The Act once notified, various provisions will come into effect within a span of 1 to 2 and a half year. Remarks:  Although the Bill has prescribed a transition period, the penalties prescribed are quite onerous and are almost at par with GDPR of EU. Further after the landmark judgement of Supreme Court recognising privacy as fundamental right, it is imperative for the organisation to re-look at its systems and processes while the law is being enacted. OVERRIDING EFFECT OF THIS ACT In event of any inconsistency, PDPA will have an overriding effect over any other laws. The said laws will also rescind the existing the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
4 GROUNDS FOR PROCESSING OF PERSONAL DATA Remarks:  Except the events stated herein above in the diagram, consent is a pre-requisite before processing personal data. The consent has to qualify all the attributes of sec. 12 of PDPB.  The burden of proof to establish that a valid consent was given by the individual is on the data fiduciary.  In the event an individual, who is a party to a contract withdraws consent to processing of his personal data, which is necessary to performance of a contract, all legal consequences arising out of such withdrawal has to borne by the respective individual only.  The Bill explicitly states that consent is not essential to processing of personal data of an employee in relation to employment. However, processing of sensitive personal data in relation to employment may require explicit consent of the employees, currently there is an ambiguity on this aspect and clarification is being sought.  In the event of corporate restructuring events such as mergers and acquisitions, prevention and detection of frauds, network and information security measures, etc., given the fact these purposes are reasonable purpose and seeking consent wouldn’t be a viable option, DPA will issue a list of such purposes along with the security measures company should ensure thereto. PERMISSIBLE PROCESSING Basis Consent Function of the State Compliance with law or compliance with any order of the court or tribunal In case of emergency In relation to employment For reasonable purposes Consent is not a pre-requisite in such events.
5 PROCESSING THROUGH CONTRACTORS/SUB-CONTRACTORS A Company can process personal data of an individual through contractor/sub-contractor strictly only on execution of a valid contract. The contract so executed should restrict the vendor from further engaging a sub – contractor unless expressly agreed by the Company in the contract. The purpose for processing such data should be solely determined by the Company. Remarks:  It is imperative to bind the contractor with obligation to protect and treat the data as confidential. It is also important to ensure that the liability of the contractor in the event of breach is not capped and unlimited, further the Company should also have indemnity right.
6 CROSS-BORDER TRANSFER OF PERSONAL DATA Cross- border transfer of personal data will be allowed only pursuant to standard contractual clauses or intra- group scheme duly approved by Authority. PDPB mandates storage of one copy of the personal data to whom the Act applies, on a server maintained in India. The Authority will notify list of critical data which mandatorily needs to be maintained only in India. Central Government may notify few exemptions to the above. Remarks:  On account of increasing instances of fraud/scams, recently RBI vide its circular dated 6th April, 2018 has mandated maintenance of all payments system within India latest by 15th Oct, 2018. While there are multiple re-presentations to the Government on the matter, RBI haven’t relaxed the condition yet and in the interim the Bill aswell now mandates maintenance of one copy of the personal data being processed outside India, in India. It is imperative for the organisations maintaining personal data of individuals outside India to review their processes and system.
7 TRANSPARENCY AND ACCOUNTABILITY MEASURES Remarks:  Actions listed in Group B are required to be complied only by such class of data fiduciary and significant data fiduciaries as may be notified by Data Protection Authority. PRIVACY BY DESIGN •The management, organisational practices should be aligned to the interest of the Data Principals. TRANSPARENCY •The purpose and operation involved in processing is required to be disclosed to the Data Principals SECURITY SAFEGUARDS •Organisation should take appropriate security measures to protect the integrity of the data. PERSONAL DATA BREACH •Depending on the severity of the harm caused, the Data Principal is required to be initiated. GroupA DATA PROTECTION IMPACT ASSESSMENT • Before undertaking any new processing activity or technological change or large scale profiling or use of SPD, Company mandatorily has to undertake Data Impact Assessment RECORD KEEPING • Company need to maintain complete record of end - to end data processing activity for such period as may be notified by the Authority. DATA AUDITS •Company has to get its processes involved in processing of personal data audited by an independent data auditor annually. DATA PROTECTION OFFICER • A DPO needs to be appointed who can guide the Company in relation to its obligation arising out of PDPA. • The aforesaid role can be in addition to any other role played by the DPO. GroupB
8 RIGHTS OF DATA SUBJECT Remarks:  An application has to be made to the Company in writing for exercise of any of the said rights.  If Right to be Forgotten is exercised by an individual, however there exist a dispute or company envisage a litigation, regulatory enquiry or is required to maintain the data until the stipulated statutory period, in such events Company can refuse eraser of data to the person concerned in writing.  Company is required to have in place a robust grievance redressal mechanism in place. A DPO so designated or an officer authorised for this purpose should be the point of contact for the data principals.  The grievance if raised has to be resolved within a period of 30 days, if not resolved or not satisfactorily resolved data principal has a right to file a complaint with adjudicating wing. POWERS VESTED WITH THE AUTHORITY The Authority is vested with the power to call for information, conduct inquiry, search and seizure. Rights of Data Subject Right to correction Right to Data Portability Right to confirmation and access Right to be forgotten
9 DATA PROTECTION OBLIGATIONS Remarks:  An application has to be made to the Company in writing for exercise of any of the said rights.  If Right to be Forgotten is exercised by an individual, however there exist a dispute or company envisage a litigation, regulatory enquiry or is required to maintain the data until the stipulated statutory period, in such events Company can refuse eraser of data to the person concerned in writing.  Company is required to have in place a robust grievance redressal mechanism in place. A DPO so designated or an officer authorised for this purpose should be the point of contact for the data principals.  The grievance if raised has to be resolved within a period of 30 days, if not resolved or not satisfactorily resolved data principal has a right to file a complaint with adjudicating wing. Fair and reasonable processing Purpose limitation Collection limitation Lawful processing Notice Data Quality Data Storage Limitation Accountability
10 PENALTIES PROVISIONS PENALTY  Failure to take prompt action in response to data security breach  Failure on the part of significant data fiduciary:  To undertake data protection impact assessment  To conduct data audit  To register with the Authority Up to 5 Crs. Or 2% of the worldwide turnover of the preceding financial year, whichever is higher  Processing of personal data against the data protection obligation principles  Processing of personal data not in accordance with the grounds of processing as provided under the law  Processing of sensitive personal data not in accordance with the grounds of processing as provided under the law  Failure to adhere to the security safeguards  Transfer of personal data in violation of the Act Up to 15 Crs. Or 4% of the worldwide turnover of the preceding financial year, whichever is higher
11 PROVISIONS PENALTY Total worldwide turnover in relation to a data fiduciary is the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors, including— (i) the alignment of the overall economic interests of the data fiduciary and the group entity; (ii) the relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary; and (iii) the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be.  Without any reasonable explanation, failure to comply with data principals request Rs. 5000/- for each day during which the default continues, subject to a maximum of Rs. 10 Lakhs in case of significant data fiduciaries and 5 lakhs in other cases.  Failure to furnish reports, returns, information to the Authority Rs 10,000 for each day during which such default continues, subject to a maximum Rs.20 lakhs in case of significant data fiduciaries and 5 lakhs in other cases. PENALTIES CONTINUED…
12 PROVISIONS PENALTY Failure to comply with the order of the Authority Data Fiduciary - Up to Rs 20,000 for each day during which such default continues, subject to a maximum Rs.2 Crs. Processor – Up to Rs 5,000 for each day during which such default continues, subject to a maximum Rs. 50 lakhs. Penalty for contravention where no penalty is prescribed Significant Data Fiduciary – maximum 1 Cr. Other data fiduciary – maximum Rs. 25 lakhs. PENALTIES CONTINUED… Remarks on Penalties:  In addition to the penalty, the data principals also have right to compensation for damages suffered.  The compensation awarded or penalty imposed, under the PDPA does not limit the award of compensation or imposition of any other penalty or punishment under any other law for the time being in force.
13 OFFENCES PUNISHABLE WITH IMPRISONMENT Offence Liability Personal Data In contravention of the provision of the Act, one obtains, disclose transfer, sell or offer to sell personal data of a person which causes significant harm to the data principal Imprisonment for a term not exceeding 3 years or shall be liable to fine which may extend up to 2 lakhs or both. Sensitive Personal Data In contravention of the provision of the Act, one obtains, disclose transfer, sell or offer to sell personal data of a person which causes significant harm to the data principal Imprisonment for a term not exceeding 5 years or shall be liable to fine which may extend up to 3 lakhs or both. Anyone who re-identification and processes de-identified personal data without the consent of data fiduciary or processor Imprisonment for a term not exceeding 3 years or shall be liable to fine which may extend up to 2 lakhs or both.
14 Remarks:  Offences under PDPA are cognizable and non-bailable offence.  Offences committed by Company: Every person who is in charge is responsible to the Company for the conduct of the business of the Company as well as the Company shall be deemed to be guilty. This includes Managing Director, Manager and/or Whole- time Director of the Company. Further, also if it is proved that the offence by the Company has been committed with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such persons shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly. OFFENCES PUNISHABLE WITH IMPRISONMENT CONTINUED…
15 KEY TAKEAWAYS The Personal Data Protection Bill 2018 of India is a law with extra – territorial jurisdiction and is aligned to the privacy principles as laid down under GDPR, including severe fine in case of data breach. After the Supreme Court Landmark Judgement recognising privacy as a fundamental right, people have become more vigilant towards their rights and are questioning any usage of their data for purposes other than they have consented to. In order to enjoy competitive edge in the sectors the Business is operating in, especially the sectors whose business model is directly linked to the customers’ data, the law will have far reaching implications. IMPLICATIONS In the event of breach, not only one will be liable to pay penalty and pay damages to the aggrieved person but will also be subjected to business and reputational loss. In the event it is determined that significant harm is caused to an individual, the officer in default may even be sentenced to imprisonment. The liability in certain events extents even to the directors and manager of the Company. Further, depending upon the harm caused to an individual, the respective international privacy regulatory authority may even restrict processing of data principals’ personal data residing in the respective jurisdiction by an Indian Entity.
16 ACTION POINTS  One of the essential pillar to data protection laid under the law, is the importance of ‘adequate safeguards’ such as including de-identification, encryption, and tools to prevent misuse, unauthorized access, modification, disclosure, or destruction of personal data.  Temporal limitations on processing and retention of personal data. Store the data as long as “reasonably necessary" to satisfy its intended purpose or to comply with legal obligations. Undertake periodic review to check that no one is unnecessarily retaining personal data.  Undertake gap assessment exercise, frame privacy & security policy of the company and adopt the code of practice as may be notified by the Authority.  Review existing contracts with vendors, bind them with restrictive covenants aswell as security and privacy policy of the Company.  Undertake data – audits in case of any outsourced processing assignments.  Given the nature of operation of the Company, consider taking Data Insurance.
17 GLOSSARY OF KEY TERMS Data means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. Data fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. Data principal means the natural person to whom the personal data referred to in sub-clause (28) relates. Data processor means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary. Harm includes— (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (iii) financial loss or loss of property, (iv) loss of reputation, or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveyed; or (x) any observation or surveillance that is not reasonably expected by the data principal.
18 GLOSSARY OF KEY TERMS CONTINUED… Person means— (i) an individual, (ii) a Hindu undivided family, (iii) a company, (iv) a firm, (v) an association of persons or a body of individuals, whether incorporated or not, (vi) the State, and (vii) every artificial juridical person, not falling within any of the preceding sub-clauses; Personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information Personal Data Breach (PDB) means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction, loss of access to, of personal data that compromises the confidentiality, integrity or availability of personal data to a data principal Profiling means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interest of a data principal Sensitive Personal Data (SPD) means personal data revealing, related to, or constituting, as may be applicable— (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe Significant data Fiduciary (SDF) means a data fiduciary notified by the Authority under section 38. Significant harm means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm.
19 THANK YOU

More Related Content

PPTX
Digital personal data protection act, 2023.pptx
DineshPrasad64
 
PPTX
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
PDF
GDPR Overview
Trish McGinity, CCSK
 
PPTX
Digital Personal Data Protection Bill 2023 PPT.pptx
RohanTyagi57
 
PDF
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
PPTX
skillcast-gdpr-training-presentation-q320.pptx
RahulGarg294918
 
PDF
Checklist for SMEs for GDPR compliance
Sarah Fox
 
PDF
GDPR Demystified
SPIN Chennai
 
Digital personal data protection act, 2023.pptx
DineshPrasad64
 
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
GDPR Overview
Trish McGinity, CCSK
 
Digital Personal Data Protection Bill 2023 PPT.pptx
RohanTyagi57
 
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
skillcast-gdpr-training-presentation-q320.pptx
RahulGarg294918
 
Checklist for SMEs for GDPR compliance
Sarah Fox
 
GDPR Demystified
SPIN Chennai
 

What's hot (20)

PDF
Personal data protection bill
Mathew Chacko
 
PPTX
Presentation on GDPR
DipanjanDey12
 
PPT
Data protection in_india
Altacit Global
 
PPT
Data Privacy in India and data theft
Amber Gupta
 
PPTX
Introduction to GDPR
Priyab Satoshi
 
PDF
Data Protection Predictions for 2023.pdf
DarylBallesteros3
 
PPTX
Right to privacy on internet and Data Protection
atuljaybhaye
 
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
PPTX
GDPR Introduction and overview
Jane Lambert
 
PPTX
GDPR Presentation slides
Naomi Holmes
 
PDF
Privacy and Data Security
WilmerHale
 
PDF
DPDP Act 2023.pdf
Priyanka Aash
 
PDF
Overview on data privacy
Amiit Keshav Naik
 
PPTX
GDPR
Gopi PD
 
PPTX
Privacy & Data Protection
sp_krishna
 
PPTX
Unit 6 Privacy and Data Protection 8 hr
Tushar Rajput
 
PDF
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
PPTX
Data protection ppt
grahamwell
 
PDF
What about GDPR?
Martin Hawksey
 
PPTX
Pdpa presentation
Alan Teh
 
Personal data protection bill
Mathew Chacko
 
Presentation on GDPR
DipanjanDey12
 
Data protection in_india
Altacit Global
 
Data Privacy in India and data theft
Amber Gupta
 
Introduction to GDPR
Priyab Satoshi
 
Data Protection Predictions for 2023.pdf
DarylBallesteros3
 
Right to privacy on internet and Data Protection
atuljaybhaye
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
GDPR Introduction and overview
Jane Lambert
 
GDPR Presentation slides
Naomi Holmes
 
Privacy and Data Security
WilmerHale
 
DPDP Act 2023.pdf
Priyanka Aash
 
Overview on data privacy
Amiit Keshav Naik
 
GDPR
Gopi PD
 
Privacy & Data Protection
sp_krishna
 
Unit 6 Privacy and Data Protection 8 hr
Tushar Rajput
 
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
Data protection ppt
grahamwell
 
What about GDPR?
Martin Hawksey
 
Pdpa presentation
Alan Teh
 
Ad

Similar to An overview of the Indian Data Privacy Bill (20)

PDF
Data Decoded: Understanding India's Draft Data Protection Bill
Antaraa Vasudev
 
PDF
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
PPTX
PDPA Compliance Preparation
LawPlus Ltd.
 
PPTX
Law and Data Protection.pptx by Dr. M.K.
ManishChoudhary246763
 
PDF
GDPR: What does it mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
PDF
Personal Data Protection Singapore - Pdpc corporate-brochure
Jean Luc Creppy
 
PPTX
What does GDPR mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
PPTX
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
Terry Gorry
 
PDF
DAMA Ireland - GDPR
DAMA Ireland
 
PDF
GDPR: What does it mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
PPTX
Digital Personal Data Protection-Fin 2.pptx
RichaSharma727
 
PDF
Protection des données et de la vie privée : nouvelles obligations pour les e...
Forums financiers de Wallonie
 
PDF
India's Data Protection Law 2018- Future Road Ahead
EquiCorp Associates
 
PDF
Pasoco ITSMF,SPMI-PDPA-140626-public
PasocoPteLtd
 
PDF
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
PPTX
3A – DATA PROTECTION: ADVICE
CFG
 
PPTX
Data Privacy and Data Protection-ACT-2023-15-12-2023.pptx
Abhishek759064
 
PDF
Digital Personal Data Protection Act - DPDPA
golebac970
 
PDF
CyberQ Personal Data Protection Hand-out V6.0.pdf
MathewPVarghese1
 
PPTX
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
ssuser36d167
 
Data Decoded: Understanding India's Draft Data Protection Bill
Antaraa Vasudev
 
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
PDPA Compliance Preparation
LawPlus Ltd.
 
Law and Data Protection.pptx by Dr. M.K.
ManishChoudhary246763
 
GDPR: What does it mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
Personal Data Protection Singapore - Pdpc corporate-brochure
Jean Luc Creppy
 
What does GDPR mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
Terry Gorry
 
DAMA Ireland - GDPR
DAMA Ireland
 
GDPR: What does it mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
Digital Personal Data Protection-Fin 2.pptx
RichaSharma727
 
Protection des données et de la vie privée : nouvelles obligations pour les e...
Forums financiers de Wallonie
 
India's Data Protection Law 2018- Future Road Ahead
EquiCorp Associates
 
Pasoco ITSMF,SPMI-PDPA-140626-public
PasocoPteLtd
 
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
3A – DATA PROTECTION: ADVICE
CFG
 
Data Privacy and Data Protection-ACT-2023-15-12-2023.pptx
Abhishek759064
 
Digital Personal Data Protection Act - DPDPA
golebac970
 
CyberQ Personal Data Protection Hand-out V6.0.pdf
MathewPVarghese1
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
ssuser36d167
 
Ad

Recently uploaded (20)

PDF
A SEP and FRAND Overview 13 Aug 2024.pdf
Jane Lambert
 
PPTX
FFFFFFFFFFFFFFFFFFFFFFTA_012425_PPT.pptx
bLackseaL2
 
PPTX
PART-3-FILIPINO-ADMINISTRATIVE-CULTURE.pptx
JadeParreno1
 
PDF
The Advocate, Vol. 34 No. 1 Fall 2024
LexArchive
 
PPT
Cyber-Crime-in- India at Present day and Laws
rajmohanjangid
 
PDF
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
chouziyu14
 
PDF
APPELLANT'S AMENDED BRIEF – DPW ENTERPRISES LLC & MOUNTAIN PRIME 2018 LLC v. ...
Jeremy Bass
 
PDF
Louisiana Bar Foundation 2023-2024 Annual Report
LexArchive
 
PPTX
2.....FORMULATION OF THE RESEARCH PROBLEM.pptx
pacifey700
 
PDF
Notes on Plausibility - A Review of the English and EPO Cases
Jane Lambert
 
PPT
looking_into_the_crystal_ball - Merger Control .ppt
williamawulff
 
PDF
New York State Bar Association Journal, September 2014
LexArchive
 
PPT
Criminal law and civil law under of collage corriculum
HerobrinediamondPane1
 
PPTX
prenuptial agreement ppt my by a phd scholar
rajuyadav42111
 
PDF
CRIMINAL PROCEDURE BY HON. JUSTICE BAH.pdf
PiepandaMusa
 
PPTX
Peter Maatouk Is Redefining What It Means To Be A Local Lawyer Who Truly List...
Maatouks Law Group
 
PPT
3. INDUTRIAL RELATIONS INTRODUCTION AND CONCEPTS.ppt
muthukumark49
 
PDF
algor mortis or cooling of body after death THANATOLOGY
AfnanGill
 
PDF
Constitution of India and fundamental rights pdf
abiramianitha2509
 
PDF
Plausibility - A Review of the English and EPO cases
Jane Lambert
 
A SEP and FRAND Overview 13 Aug 2024.pdf
Jane Lambert
 
FFFFFFFFFFFFFFFFFFFFFFTA_012425_PPT.pptx
bLackseaL2
 
PART-3-FILIPINO-ADMINISTRATIVE-CULTURE.pptx
JadeParreno1
 
The Advocate, Vol. 34 No. 1 Fall 2024
LexArchive
 
Cyber-Crime-in- India at Present day and Laws
rajmohanjangid
 
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
chouziyu14
 
APPELLANT'S AMENDED BRIEF – DPW ENTERPRISES LLC & MOUNTAIN PRIME 2018 LLC v. ...
Jeremy Bass
 
Louisiana Bar Foundation 2023-2024 Annual Report
LexArchive
 
2.....FORMULATION OF THE RESEARCH PROBLEM.pptx
pacifey700
 
Notes on Plausibility - A Review of the English and EPO Cases
Jane Lambert
 
looking_into_the_crystal_ball - Merger Control .ppt
williamawulff
 
New York State Bar Association Journal, September 2014
LexArchive
 
Criminal law and civil law under of collage corriculum
HerobrinediamondPane1
 
prenuptial agreement ppt my by a phd scholar
rajuyadav42111
 
CRIMINAL PROCEDURE BY HON. JUSTICE BAH.pdf
PiepandaMusa
 
Peter Maatouk Is Redefining What It Means To Be A Local Lawyer Who Truly List...
Maatouks Law Group
 
3. INDUTRIAL RELATIONS INTRODUCTION AND CONCEPTS.ppt
muthukumark49
 
algor mortis or cooling of body after death THANATOLOGY
AfnanGill
 
Constitution of India and fundamental rights pdf
abiramianitha2509
 
Plausibility - A Review of the English and EPO cases
Jane Lambert
 

An overview of the Indian Data Privacy Bill

  • 2. 2 APPLICABILITY Processing of personal data: • Where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and • by any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. The PDPB does not apply to processing of anonymised data. PDPB shall apply to data fiduciaries or data processors not present within the territory of India, only if such processing is: in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or in connection with any activity which involves profiling of data principals within the territory of India. Remarks:  If personal data of foreign nationals is shared with an Indian Company to comply with management/statutory reporting requirement, PDPB shall not apply to such foreign company.  If personal data of a person is anonymised through an irreversible process, such that the person cannot be identified, PDPB shall not apply.
  • 3. 3 TRANSITIONAL PROVISION The Act once notified, a period of 12 months thereto is prescribed for notifying various Rules and Regulations thereunder. The Data Protection Authority (DPA) will be constituted within a period of 15 months from enactment of the Act. DPA is conferred with the powers to issue code of practice on various principles of data protection obligations and to notify exceptional grounds for processing personal data without seeking consent. The Act once notified, various provisions will come into effect within a span of 1 to 2 and a half year. Remarks:  Although the Bill has prescribed a transition period, the penalties prescribed are quite onerous and are almost at par with GDPR of EU. Further after the landmark judgement of Supreme Court recognising privacy as fundamental right, it is imperative for the organisation to re-look at its systems and processes while the law is being enacted. OVERRIDING EFFECT OF THIS ACT In event of any inconsistency, PDPA will have an overriding effect over any other laws. The said laws will also rescind the existing the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
  • 4. 4 GROUNDS FOR PROCESSING OF PERSONAL DATA Remarks:  Except the events stated herein above in the diagram, consent is a pre-requisite before processing personal data. The consent has to qualify all the attributes of sec. 12 of PDPB.  The burden of proof to establish that a valid consent was given by the individual is on the data fiduciary.  In the event an individual, who is a party to a contract withdraws consent to processing of his personal data, which is necessary to performance of a contract, all legal consequences arising out of such withdrawal has to borne by the respective individual only.  The Bill explicitly states that consent is not essential to processing of personal data of an employee in relation to employment. However, processing of sensitive personal data in relation to employment may require explicit consent of the employees, currently there is an ambiguity on this aspect and clarification is being sought.  In the event of corporate restructuring events such as mergers and acquisitions, prevention and detection of frauds, network and information security measures, etc., given the fact these purposes are reasonable purpose and seeking consent wouldn’t be a viable option, DPA will issue a list of such purposes along with the security measures company should ensure thereto. PERMISSIBLE PROCESSING Basis Consent Function of the State Compliance with law or compliance with any order of the court or tribunal In case of emergency In relation to employment For reasonable purposes Consent is not a pre-requisite in such events.
  • 5. 5 PROCESSING THROUGH CONTRACTORS/SUB-CONTRACTORS A Company can process personal data of an individual through contractor/sub-contractor strictly only on execution of a valid contract. The contract so executed should restrict the vendor from further engaging a sub – contractor unless expressly agreed by the Company in the contract. The purpose for processing such data should be solely determined by the Company. Remarks:  It is imperative to bind the contractor with obligation to protect and treat the data as confidential. It is also important to ensure that the liability of the contractor in the event of breach is not capped and unlimited, further the Company should also have indemnity right.
  • 6. 6 CROSS-BORDER TRANSFER OF PERSONAL DATA Cross- border transfer of personal data will be allowed only pursuant to standard contractual clauses or intra- group scheme duly approved by Authority. PDPB mandates storage of one copy of the personal data to whom the Act applies, on a server maintained in India. The Authority will notify list of critical data which mandatorily needs to be maintained only in India. Central Government may notify few exemptions to the above. Remarks:  On account of increasing instances of fraud/scams, recently RBI vide its circular dated 6th April, 2018 has mandated maintenance of all payments system within India latest by 15th Oct, 2018. While there are multiple re-presentations to the Government on the matter, RBI haven’t relaxed the condition yet and in the interim the Bill aswell now mandates maintenance of one copy of the personal data being processed outside India, in India. It is imperative for the organisations maintaining personal data of individuals outside India to review their processes and system.
  • 7. 7 TRANSPARENCY AND ACCOUNTABILITY MEASURES Remarks:  Actions listed in Group B are required to be complied only by such class of data fiduciary and significant data fiduciaries as may be notified by Data Protection Authority. PRIVACY BY DESIGN •The management, organisational practices should be aligned to the interest of the Data Principals. TRANSPARENCY •The purpose and operation involved in processing is required to be disclosed to the Data Principals SECURITY SAFEGUARDS •Organisation should take appropriate security measures to protect the integrity of the data. PERSONAL DATA BREACH •Depending on the severity of the harm caused, the Data Principal is required to be initiated. GroupA DATA PROTECTION IMPACT ASSESSMENT • Before undertaking any new processing activity or technological change or large scale profiling or use of SPD, Company mandatorily has to undertake Data Impact Assessment RECORD KEEPING • Company need to maintain complete record of end - to end data processing activity for such period as may be notified by the Authority. DATA AUDITS •Company has to get its processes involved in processing of personal data audited by an independent data auditor annually. DATA PROTECTION OFFICER • A DPO needs to be appointed who can guide the Company in relation to its obligation arising out of PDPA. • The aforesaid role can be in addition to any other role played by the DPO. GroupB
  • 8. 8 RIGHTS OF DATA SUBJECT Remarks:  An application has to be made to the Company in writing for exercise of any of the said rights.  If Right to be Forgotten is exercised by an individual, however there exist a dispute or company envisage a litigation, regulatory enquiry or is required to maintain the data until the stipulated statutory period, in such events Company can refuse eraser of data to the person concerned in writing.  Company is required to have in place a robust grievance redressal mechanism in place. A DPO so designated or an officer authorised for this purpose should be the point of contact for the data principals.  The grievance if raised has to be resolved within a period of 30 days, if not resolved or not satisfactorily resolved data principal has a right to file a complaint with adjudicating wing. POWERS VESTED WITH THE AUTHORITY The Authority is vested with the power to call for information, conduct inquiry, search and seizure. Rights of Data Subject Right to correction Right to Data Portability Right to confirmation and access Right to be forgotten
  • 9. 9 DATA PROTECTION OBLIGATIONS Remarks:  An application has to be made to the Company in writing for exercise of any of the said rights.  If Right to be Forgotten is exercised by an individual, however there exist a dispute or company envisage a litigation, regulatory enquiry or is required to maintain the data until the stipulated statutory period, in such events Company can refuse eraser of data to the person concerned in writing.  Company is required to have in place a robust grievance redressal mechanism in place. A DPO so designated or an officer authorised for this purpose should be the point of contact for the data principals.  The grievance if raised has to be resolved within a period of 30 days, if not resolved or not satisfactorily resolved data principal has a right to file a complaint with adjudicating wing. Fair and reasonable processing Purpose limitation Collection limitation Lawful processing Notice Data Quality Data Storage Limitation Accountability
  • 10. 10 PENALTIES PROVISIONS PENALTY  Failure to take prompt action in response to data security breach  Failure on the part of significant data fiduciary:  To undertake data protection impact assessment  To conduct data audit  To register with the Authority Up to 5 Crs. Or 2% of the worldwide turnover of the preceding financial year, whichever is higher  Processing of personal data against the data protection obligation principles  Processing of personal data not in accordance with the grounds of processing as provided under the law  Processing of sensitive personal data not in accordance with the grounds of processing as provided under the law  Failure to adhere to the security safeguards  Transfer of personal data in violation of the Act Up to 15 Crs. Or 4% of the worldwide turnover of the preceding financial year, whichever is higher
  • 11. 11 PROVISIONS PENALTY Total worldwide turnover in relation to a data fiduciary is the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors, including— (i) the alignment of the overall economic interests of the data fiduciary and the group entity; (ii) the relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary; and (iii) the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be.  Without any reasonable explanation, failure to comply with data principals request Rs. 5000/- for each day during which the default continues, subject to a maximum of Rs. 10 Lakhs in case of significant data fiduciaries and 5 lakhs in other cases.  Failure to furnish reports, returns, information to the Authority Rs 10,000 for each day during which such default continues, subject to a maximum Rs.20 lakhs in case of significant data fiduciaries and 5 lakhs in other cases. PENALTIES CONTINUED…
  • 12. 12 PROVISIONS PENALTY Failure to comply with the order of the Authority Data Fiduciary - Up to Rs 20,000 for each day during which such default continues, subject to a maximum Rs.2 Crs. Processor – Up to Rs 5,000 for each day during which such default continues, subject to a maximum Rs. 50 lakhs. Penalty for contravention where no penalty is prescribed Significant Data Fiduciary – maximum 1 Cr. Other data fiduciary – maximum Rs. 25 lakhs. PENALTIES CONTINUED… Remarks on Penalties:  In addition to the penalty, the data principals also have right to compensation for damages suffered.  The compensation awarded or penalty imposed, under the PDPA does not limit the award of compensation or imposition of any other penalty or punishment under any other law for the time being in force.
  • 13. 13 OFFENCES PUNISHABLE WITH IMPRISONMENT Offence Liability Personal Data In contravention of the provision of the Act, one obtains, disclose transfer, sell or offer to sell personal data of a person which causes significant harm to the data principal Imprisonment for a term not exceeding 3 years or shall be liable to fine which may extend up to 2 lakhs or both. Sensitive Personal Data In contravention of the provision of the Act, one obtains, disclose transfer, sell or offer to sell personal data of a person which causes significant harm to the data principal Imprisonment for a term not exceeding 5 years or shall be liable to fine which may extend up to 3 lakhs or both. Anyone who re-identification and processes de-identified personal data without the consent of data fiduciary or processor Imprisonment for a term not exceeding 3 years or shall be liable to fine which may extend up to 2 lakhs or both.
  • 14. 14 Remarks:  Offences under PDPA are cognizable and non-bailable offence.  Offences committed by Company: Every person who is in charge is responsible to the Company for the conduct of the business of the Company as well as the Company shall be deemed to be guilty. This includes Managing Director, Manager and/or Whole- time Director of the Company. Further, also if it is proved that the offence by the Company has been committed with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such persons shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly. OFFENCES PUNISHABLE WITH IMPRISONMENT CONTINUED…
  • 15. 15 KEY TAKEAWAYS The Personal Data Protection Bill 2018 of India is a law with extra – territorial jurisdiction and is aligned to the privacy principles as laid down under GDPR, including severe fine in case of data breach. After the Supreme Court Landmark Judgement recognising privacy as a fundamental right, people have become more vigilant towards their rights and are questioning any usage of their data for purposes other than they have consented to. In order to enjoy competitive edge in the sectors the Business is operating in, especially the sectors whose business model is directly linked to the customers’ data, the law will have far reaching implications. IMPLICATIONS In the event of breach, not only one will be liable to pay penalty and pay damages to the aggrieved person but will also be subjected to business and reputational loss. In the event it is determined that significant harm is caused to an individual, the officer in default may even be sentenced to imprisonment. The liability in certain events extents even to the directors and manager of the Company. Further, depending upon the harm caused to an individual, the respective international privacy regulatory authority may even restrict processing of data principals’ personal data residing in the respective jurisdiction by an Indian Entity.
  • 16. 16 ACTION POINTS  One of the essential pillar to data protection laid under the law, is the importance of ‘adequate safeguards’ such as including de-identification, encryption, and tools to prevent misuse, unauthorized access, modification, disclosure, or destruction of personal data.  Temporal limitations on processing and retention of personal data. Store the data as long as “reasonably necessary" to satisfy its intended purpose or to comply with legal obligations. Undertake periodic review to check that no one is unnecessarily retaining personal data.  Undertake gap assessment exercise, frame privacy & security policy of the company and adopt the code of practice as may be notified by the Authority.  Review existing contracts with vendors, bind them with restrictive covenants aswell as security and privacy policy of the Company.  Undertake data – audits in case of any outsourced processing assignments.  Given the nature of operation of the Company, consider taking Data Insurance.
  • 17. 17 GLOSSARY OF KEY TERMS Data means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. Data fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. Data principal means the natural person to whom the personal data referred to in sub-clause (28) relates. Data processor means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary. Harm includes— (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (iii) financial loss or loss of property, (iv) loss of reputation, or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveyed; or (x) any observation or surveillance that is not reasonably expected by the data principal.
  • 18. 18 GLOSSARY OF KEY TERMS CONTINUED… Person means— (i) an individual, (ii) a Hindu undivided family, (iii) a company, (iv) a firm, (v) an association of persons or a body of individuals, whether incorporated or not, (vi) the State, and (vii) every artificial juridical person, not falling within any of the preceding sub-clauses; Personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information Personal Data Breach (PDB) means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction, loss of access to, of personal data that compromises the confidentiality, integrity or availability of personal data to a data principal Profiling means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interest of a data principal Sensitive Personal Data (SPD) means personal data revealing, related to, or constituting, as may be applicable— (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe Significant data Fiduciary (SDF) means a data fiduciary notified by the Authority under section 38. Significant harm means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm.