In the recent times, India has achieved a resounding success in revalidating the constitutional framework on the “Right to privacy” and the whole credit goes to Justice K.S. Puttasamy case, wherein, the Supreme Court, unequivocally declared that ”The right to privacy is a fundamental inalienable right under The Constitution of India and it is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedom guaranteed by Part III of the Constitution”. This 547-page Judgement also insists the Government create a data protection regime to protect the privacy of the individual, which has paved the way for the formation of “Personal Data Protection Bill, 2019”.
The Right to Privacy:
To unlock the data economy, while ensuring the data of the citizens are secure and protected, the formulation of a robust legal regime for Data protection is the need of the hour. For this purpose, Government had set up a committee headed by Retired Justice B.N Srikrishna, who submitted “The Personal Data Protection Bill, 2019” in Lok Sabha, on December 11, 2019. The remarkable Bill, for first time in the history of Indian Legislations, successfully declared that the “Right to privacy is a fundamental inalienable right under the Constitution of India”.
Processing Personal Data:
This Bill will be applicable for the processing of personal data by
(ii) Companies incorporated in India and
(iii) Any Foreign Companies (dealing with personal data of individuals in India).
Processing of data shall be by data fiduciary (person who decides the means and purpose of processing personal data) or data processors (who processes personal data on behalf of the data Fiduciary). The Data Principal means a natural person to whom the personal data relates.
The Bill categorises ‘Personal data’ into three types, which are as follows:
⦿ Personal Data: means which includes name, address, phone number, location, shopping history, photographs, telephone records, food preferences, movie preferences, online search history, messages, devices users own, and social media activity, etc.
⦿ Sensitive Personal Data: means which includes genetic data, financial data, biometric data, caste, religious or political beliefs, or any other category of data and
⦿ Critical personal Data (yet to be notified by the Central Government)
The Bill specifically enumerates that the Personal data shall be processed only for specific, clear, and lawful purposes. Every data fiduciary processing the same is required to provide notice to the Data principal on data collected. Processing of data by fiduciaries can be made only with the consent of the Data principal. However, there are certain exemptions to the same, wherein the Bill permits personal data processing without consent for the performance of the government providing benefits to the individual for compliance with the Court order and in medical emergencies.
Responsibility of Data Fiduciary:
The Data fiduciary’s role has become very crucial, that it is mandated to implement proper safeguards and safety measure for data protection against data encryption, data misuse etc., instituting grievance redressal mechanism to address the complaint of Data Principal and mandated to maintain a proper mechanism when processing Sensitive personal data of children. All employers are construed as ‘Data fiduciary’ on employment-related disclosures by employees. The Bill has widened the rights of the Data Principal by providing more leverages on the right to confirmation, access and correction, data portability and raise objection on processing, etc.
The Bill permits the transfer of ‘Personal data’ outside India without any limitations. However, transfer of all sensitive Personal data across cross-borders has been permitted only for the purpose of processing with explicit consent from the data Principal and all such data shall be stored only in India, whereas the Critical Personal Data shall be processed only in India and its transfer outside India is strictly prohibited.
Data Protection Authority of India (DPAI):
The Bill establishes an independent regulatory body called the Data Protection Authority of India (DPAI), who is responsible for the enforcement and effective implementation of the Data Protection. Certain primary functions of DPAI are
(i) Monitoring and enforcement of Date protection;
(ii) Legal affairs, policy and standard setting;
(iii) Research and awareness;
(iv)Inquiry, grievance handling and adjudication.
DPAI shall have the Powers of the Civil Court under the Code of Civil Procedure. The DPAI shall have the authority to conduct search and seizure powers, for inquiry. An appeal against the order of the DPAI shall be to the Appellate authority and the Order against the Appellate authority shall be entertained only by Supreme Court.
Impact on employment:
The Data Fiduciary (companies) is required to maintain a proper framework on data collection, processing, storage, retention of data, and proper safety mechanism. The Bill has made registration of Data fiduciary as mandatory with the Authority. The Bill also permits Data Principal to move their data from one provider to another and allows Data Principal to know the number of companies with whom the data is being shared. The burden of proof of the consent that has been given by the Data Principal for processing of the personal data shall lie with the Data Fiduciary. Data Fiduciary shall be subjected to report any breach of security incidents to the Authority. Security audits shall be conducted periodically. A Data Protection Officer shall be appointed for the same. ‘Privacy by design policy’ containing the systems and technology which anticipates, identify and avoid harm to the Data Principal, shall be prepared by Data Fiduciary and submitted with the Authority for certifications. The Social media platform providers (Data Fiduciary) will also be mandated to enable Customers (Data Principal) to verify their accounts. Further DPAI, imposes restrictions on the retention of the data by Data Fiduciary for the period as consented by Data Principal, and the same shall be deleted after the retention period.
The Authority may categorise certain fiduciaries as ‘Significant data fiduciaries’ based on the volume of the personal data being processed, nature of personal data, type of processing activity undertaken, turnover of the data fiduciary, the risk of harm and the type of technology used to undertake processing. Such fiduciary shall be subjected to additional regulatory procedural aspects to comply, which includes data protection impact assessment, engaging Data Auditors etc.
The Bill proposes tough penalties for different contraventions and violations. Penalties are imposed on data fiduciaries and the compensation shall be awarded to Data Principals for violations of the Data Protection Law. If any Data Fiduciary (Company) breaches the data security, the penalty shall be up to five crore rupees or two percent of its total worldwide turnover of the preceding financial years whichever is higher. If a Data Fiduciary (entity) contravenes more serious sections, such as processing personal data, the penalty shall extend up to fifteen crore rupees or four percent of its total worldwide turnover of the preceding financial year, whichever is higher. And further individuals representing the companies can also be sentenced to imprisonment if illegally re-identifying the de-identified data (prevent someone’s personal identity from being revealed).
Currently, there are nearly 50 statutes and regulations which will have a potential overlapping effect with the Bill. In the event of any inconsistency between the data protection law and enacted legislation, the former will have an overriding effect. The concerned departments shall take appropriate steps to make possible amendments in line with the Bill.
Introduction of the Bill is a groundbreaking step in thwarting the misuse of personal data in our country. The Bill not only envisages to protect the autonomy of individuals, that are being exposed to the social media or other means but also provide various methodologies in simplifying the cumbersome mechanism of Data Protection. Global companies like Google, Facebook etc., may have to face serious implications in coping up with the procedural compliances of the Bill. The Bill has curtailed transferring of Data across cross borders, which will streamline major drawbacks on national security, foreign investment and international trade. It is a stepping stone for India to become part of the global community with the common motive to prevent data breaches by declaring deterrent penalization. However, let’s wait, till the Bill succeeds the ratification process and receives royal assent from the President and along with the enactment of suitable Regulations, which shall fill up loopholes and discrepancies, if any, in the Bill.
Information Security is an important aspect for each organization as part of their business process, not just with IT also with other operating divisions. Moving ahead compliance industry is not the exception and should consider today’s needs for information security on priority then compared to the earlier traditional way of business.
Aparajitha, been a compliance partner for the past two decades for 1400 clients, with our experiences and knowledge, we understand the statutory compliance applicability for each industry, and also from time to time, we upgraded our process to the latest technology.
Aparajitha Corporate Services
Consultation and Audit department
Disclaimer: “The article represents the opinions of the author and the author is solely responsible for the facts, cases, and legal or otherwise reproduced in the article”