SALIENT FEATURES OF PERSONAL DATA PROTECTION BILL, 2018 (INDIA) – PART 2
Full text of the proposed bill can be accessed here.
Rights of Data Principal
The Bill provides the following important rights to the data principal:
- Right to confirmation and access: The data principal may obtain the following information from the data fiduciary:
  - Confirmation whether the data fiduciary is processing its personal data,
  - Summary of the personal data processed by the data fiduciary, and
  - Summary of processing activities undertaken by the data fiduciary with respect to its personal data.
The data fiduciary is obligated to provide the information requested by the data principal in a clear and concise manner (See Section 24).
- Right to correction: The data principal shall have the right to obtain from the data fiduciary:
  - the correction of inaccurate or misleading personal data;
  - the completion of incomplete personal data; and
  - the updating of personal data that is out of date.
If a data fiduciary does not comply with an application for correction of data, it must provide the data principal with adequate justification in writing for rejecting the application.
Where the data fiduciary corrects, completes, or updates personal data, it must take reasonable steps to notify all relevant entities to whom such personal data may have been disclosed regarding the relevant correction, particularly where such action would have an impact on the rights of the data principal or on decisions made regarding them (See Section 25).
- Right to data portability: Except as specifically provided in the Bill, the data principal has a right to receive the following data in a structured, commonly used and machine-readable format:
  - Data which is provided by the data principal to the data fiduciary;
  - Data which is generated in the course of provision of services or goods by the data fiduciary; or
  - Data which forms part of any profile on the data principal (See Section 26).
- Right to be Forgotten: The data principal has a right to restrict the data fiduciary from continuing disclosure of its personal data if:
  - Such disclosure has served the purpose for which it was made;
  - Such disclosure was made on the basis of consent, which is now withdrawn;
  - Such disclosure was made contrary to any law.
This right can only be implemented after the applicability of the above provisions is determined by the Adjudicating officer (See Section 27).
The Bill also specifies certain general conditions for exercising these rights (See Section 28).
Grounds for Processing Personal Data, Sensitive Personal Data and Child Data
As per the definition, personal data is the data of a natural person through which he/she can be directly or indirectly identified.
Personal data may be processed on the following bases:
- Consent, provided consent is free, informed, specific, clear and capable of being withdrawn (See Section 12).
- Necessity for state functions (See Section 13).
- Compliance with law or orders of a court or tribunal (See Section 14).
- Prompt actions, as in case of emergencies (See Section 15).
- Employment of data principals by the data fiduciary, including termination, attendance, assessment, etc. (See Section 16).
- Other reasonable purposes as may be specified by the Authority, including prevention of unlawful activities, credit scoring, debt recovery, etc. (See Section 17).
The data fiduciary cannot make access to goods or services conditional on the data principal consenting to the processing of his/her data, unless such data is necessary for this purpose (See Section 12).
Sensitive Personal Data
As per the definition, Sensitive Personal Data is personal data revealing, related to, or constituting one or more of 12 types of data listed under Section 3 of the Bill, including passwords, financial data, biometric data, etc.
Sensitive personal data may be processed on the following bases:
- Consent, provided consent is free, informed, specific, clear and capable of being withdrawn (See Section 18).
- Necessity for state functions (See Section 19).
- Compliance with law or orders of a court or tribunal (See Section 20).
- Prompt actions, as in case of emergencies (See Section 21).
Personal Data of the Child
Every data fiduciary must process personal data of children in a manner that protects and advances the rights and best interests of the child, incorporating appropriate mechanisms for age verification and parental consent (See Section 23).
This post is authored by Arjun Kansal and Ashwini Arun, Associates, BananaIP Counsels.