The Draft Personal Data Protection Bill was released on July 27, 2018 by the Justice Srikrishna Committee, along with its report on Data Protection in India. The Bill incorporates many features of the EU GDPR, modified according to the Indian stance on the privacy of individuals. Although not as stringent in its requirements or as widely applicable as the GDPR, the Bill imposes largely similar obligations on the recipients of an individual's data. The salient features of the Bill include:
- Categorisation of the individual as the “data principal” and the recipient of the data as the “data fiduciary”.
- Obligation on data fiduciary to collect data only for necessary purposes after satisfying certain conditions.
- Categorisation of data into personal and sensitive personal data.
- Transparency and accountability measures
- Data localization requirements
- Offences and penalties
- Setting up of a data protection authority and other state authorities for enforcement.
These features are briefly discussed below.
The full text of the proposed bill can be accessed here.
Some important terms are defined in the proposed bill. Simplified versions of those definitions are provided below.
Data includes information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. (Refer to Section 3 (12) of the Bill)
Data fiduciary is the entity which alone or in conjunction with others determines the purpose and means of processing of personal data.
Although the Bill does not expressly state this, it envisions a fiduciary relationship between the data principal and the data fiduciary with respect to data. (Refer to section 3 (13) of the Bill)
Data principal is the natural person whose personal data may be collected and/or processed. (Refer to section 3 (14) of the Bill)
Data processor is any entity, including the State, which processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary. (Refer to section 3 (15) of the Bill)
The State may also fall within the ambit of data fiduciary or data processor.
Applicability of the Bill
The Bill applies to all parts of India. No exceptions have been made for any state.
This Bill applies where:
(a) personal data has been collected, disclosed, shared or otherwise processed within the territory of India; and
(b) personal data is being processed by the State or any Indian individual or entity.
The Bill also applies to a data fiduciary or processor not present within India, when:
- It carries out business or offers goods or services in India; or
- It is involved in profiling of data principals in India.
The Bill does not apply to anonymized data. (Refer to sections 1 and 2 of the Bill)
The Bill empowers the Central Government to establish a Data Protection Authority of India (“Authority”), having a chairperson and six full-time members appointed by a committee consisting of the Chief Justice of India, the Cabinet Secretary, and one expert nominated by the Chief Justice of India. (Refer to Sections 49 and 50 of the Bill)
The Authority is responsible for protecting the interests of data principals, preventing misuse of personal data, ensuring proper compliance with this Bill and promoting awareness about data protection. In addition to these general responsibilities, the Bill further provides for specific functions of the Authority. (Refer to Sections 60-67 of the Bill)
To dispose of matters related to penalties, the Authority is required to have a separate adjudicating wing, headed by an adjudicating officer. Adjudicating Officers shall be persons of ability, integrity and standing, and must have specialized knowledge of, and not less than seven years' professional experience in, the fields of constitutional law, cyber and internet laws, information technology law and policy, data protection and related subjects. (Refer to Section 68 of the Bill)
Obligations of Data Fiduciaries/Processors
The Bill imposes the following obligations on Data Fiduciaries and Data Processors:
The data fiduciary/processor can only process personal data for clear, specific and lawful purposes, or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for. (Refer to Sections 4 and 5 of the Bill)
Collection of personal data is limited to data necessary for the purposes of processing. (Refer to Section 6 of the Bill)
Before or at the time of collecting personal data, the data fiduciary must provide the data principal with clear and concise information on the purposes of data collection, the categories of data collected, the right to withdraw consent, the period for which data will be retained, etc. (Refer to Section 8 of the Bill)
The data fiduciary must reasonably ensure that personal data processed is complete, accurate, updated, and not misleading, with regard to the purposes for which it is processed. (Refer to Section 9 of the Bill)
The data fiduciary must retain personal data only as long as reasonably necessary to satisfy the purpose for which it is processed, based on periodic reviews. Longer retention is allowed if explicitly mandated, or necessary to comply with any obligation, under a law. (Refer to Section 10 of the Bill)
The data fiduciary is also responsible for complying with all obligations under the Bill in respect of any processing undertaken by any third party. (Refer to Section 11 of the Bill)