The Personal Data Protection Bill, 2019 – All you need to know

Right to privacy is a fundamental right.

According to Nasscom’s recent publication ‘The future of internet in India‘; by 2020 – 75% of new internet users growth in India to come from rural areas – consuming content in local languages, preferring videos over text, accessing internet via mobile. India’s internet user growth expected to be 3x the world average. With increase in access to information and communication technologies, the digital economy has expanded the use of data in business.

The personal data protection bill, 2019 provides protection of privacy of individuals to their personal data.

Overview and key definitions

This bill has 98 Clauses and 14 Chapters. Under this bill – No personal data shall be processed by any person, except for any specific, clear and lawful purpose. The definition of sensitive personal data means such personal data related to

  • financial data
  • health data
  • official identifier
  • sex life
  • sexual orientation
  • bio-metric data
  • genetic data
  • transgender status
  • intersex status
  • caste or tribe
  • religious or political belief or affiliation

Here ‘data’ includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means. Likewise “data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data

This bill seeks to provide for data principal’s right to seek compensation from the data fiduciary in case of suffering harm. Here ‘harm’ refers to bodily or mental injury; loss, distortion or theft of identity; financial loss or loss of property; loss of reputation or humiliation; loss of employment; any discriminatory treatment; any subjection to blackmail or extortion; any denial or withdrawal of a service, benefit or good resulting from
an evaluative decision about the data principal; any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed.

Privacy by design policy

The bill enforces every data fiduciary to prepare a privacy by design policy, containing the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal; the technology used in the processing of personal data is in accordance with commercially accepted or certified standards; the legitimate interests of businesses including any innovation is achieved without compromising privacy interests; the protection of privacy throughout processing from the point of collection to deletion of personal data; the processing of personal data in a transparent manner; and the interest of the data principal is accounted for at every stage of processing of personal data.

The Personal data protection bill, 2019 mandates to implement cyber security controls such as de-identification, encryption, protect integrity, prevent misuse, unauthorized access to modify, disclose or destruct of personal data.

Reporting of personal data breach

The data fiduciary shall inform the authority about the breach of any personal data processed by the data fiduciary where such breach is likely to cause harm with following particulars

  • (a) nature of personal data which is the subject-matter of the breach;
  • (b) number of data principals affected by the breach;
  • (c) possible consequences of the breach; and
  • (d) action being taken by the data fiduciary to remedy the breach

Upon receipt of a notice, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm. The Authority may, in addition, also post the details of the personal data breach on its website.

Data protection impact assessment

The Authority may, by regulations specify, such circumstances, or class of data fiduciary, or processing operation where such data protection impact assessment shall be mandatory, and also specify the instances where a data auditor under this Act shall be engaged by the data fiduciary to undertake a data protection impact assessment. The data protection impact assessment shall contain

  1. detailed description of the proposed processing operation, the purpose of processing and the nature of personal data being processed;
  2. assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and
  3. measures for managing, minimising, mitigating or removing such risk of harm

The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act. Every significant data fiduciary shall appoint a data protection officer possessing such qualification and experience as may be specified by regulations to work with authority

Data protection authority of India

The Central Government shall, by notification, establish, for the purposes of this Act, an Authority to be called the Data Protection Authority of India. The Authority shall consist of a Chairperson and not more than six whole-time Members, of which one shall be a person having qualification and experience in law. The Chairperson of the Authority shall have powers of general superintendence and direction of the affairs of the Authority and shall also exercise all powers and do all such acts and things which may be exercised or done by the Authority under this Act.

It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection. The Authority shall, by regulations, specify codes of practice to promote good practices of data protection and facilitate compliance with the obligations under this Act. The Authority shall, by an order in writing, appoint one of its officers as an Inquiry Officer to inquire into the affairs of such data fiduciary or data processor and to report to the Authority on any inquiry made.

Penalties, compensation and offences

The bill has obligations to take prompt and appropriate action in response to a data security breach. It shall be liable to a penalty which may extend to five crore rupees or two per cent. of its total worldwide turnover of the preceding financial year, whichever is higher.

Where a data fiduciary contravenes any of the provisions including (a) processing of personal data in violation of the provisions, (b) processing of personal data of children in violation of the provisions, (c) failure to adhere to security safeguards and (d) transfer of personal data outside India in violation of the provisions. It shall be liable to a penalty which may extend to fifteen crore rupees or four per cent. of its total worldwide turnover of the preceding financial year, whichever is higher

Any person who, knowingly or intentionally re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or re-identifies and processes such personal data as mentioned in clause without the consent of such data fiduciary or data processor, then, such person shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or both

Salient features of the Data Protection Bill, 2019

  1. To promote the concepts such as consent framework, purpose limitation, storage limitation and the data minimization;
  2. To lay down obligations on entities collecting personal data (data fiduciary) to collect only that data which is required for a specific purpose and with the express consent of the individual (data principal);
  3. To confer rights on the individual to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data;
  4. To establish an Authority to be called the “Data Protection Authority of India” (the Authority) which shall consist of a Chairperson and not more than six whole-time Members to be appointed by the Central Government;
  5. To provide that the Authority shall protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the proposed legislation and promote awareness about the data protection;(vi) to specify a provision relating to “social media intermediary” whose actions have significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India and to empower the Central Government, in consultation with the Authority, to notify the said intermediary as a significant data fiduciary;
  6. To confer a “right of grievance” on data principal to make a complaint against the grievance to the data fiduciary and if aggrieved by the decision of such data fiduciary, he may approach the Authority;
  7. To empower the Central Government to exempt any agency of Government from application of the proposed Legislation;
  8. to empower the Authority to specify the “code of practice” to promote good practices of data protection and facilitate compliance with the obligations under this legislation;
  9. To appoint the “Adjudicating Officer” for the purpose of adjudging the penalties to be imposed and the compensation to be awarded under the provisions of this legislation;
  10. To establish an “Appellate Tribunal” to hear and dispose of any appeal from an order of the Authority under clause 54 and the Adjudicating Officer under clauses 63 and 64; and
  11. To impose “fines and penalties” for contravention of the provisions of the proposed legislation

Also read – How to achieve 72 hours for breach notification