The Personal Data Protection Bill, 2019 was tabled before the lower house of the Parliament on 11.12.2019.
India as a country is home to 1/7th of the world’s population. Furthermore, India has a young demographic which has access to two important tools – (a) smartphones and (b) attractive data tariffs. The unique combination of these factors makes India the world’s most attractive destination for digital platforms. These digital platforms are uniquely poised to bring together buyers and sellers for various goods and services by providing a seamless user experience by leveraging one key resource – DATA.
Conversations revolving around the use of personal data as a key resource for an organization have increased in recent times due to the following factors: the explosion of social media applications and websites, the success of digital e-commerce platforms, and the recognition of privacy as a fundamental right available to every person under the Constitution of India. Furthermore, after realizing the success that digital businesses have had by leveraging data, traditional businesses have also recognized the importance of data and have made data a central focus of their business strategies.
This resulted in growing discussions demanding the installation of a robust data protection framework to ensure that personal data of individuals is collected for legitimate purposes by businesses. The framework shall also enable the Govt. to exercise regulatory control over businesses which seek to use personal data as a resource. Further, businesses also require legislative certainty to understand their compliance requirements towards issues like handling personal data, cross-border transfer of data, data localization, etc. In the afore-stated background, the Personal Data Protection Bill, 2019 was tabled before the lower house of the Parliament on 11.12.2019.
The Bill in its present form seeks to create a legislative framework providing the rights and duties of individuals and entities processing the personal data of individuals. Terms like ‘Data’ and ‘Personal Data’ have been broadly defined under the Bill. ‘Data’ includes a representation of information, facts, concepts, opinion or instruction in a manner suitable for communication, interpretation or processing by humans or automated means.
Obligations of Data Fiduciaries –
(i) Implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children. Furthermore, the Bill seeks to treat sensitive personal data and critical personal data of an individual with enhanced safeguards by placing limitations on the mode of seeking consent, transferring data cross-border for processing and applying data localization requirements.
Rights of Data Principal –
Person’s right to privacy – the Bill provides data principals the right to:
(i) Seek access and confirmation, that is to obtain confirmation from the fiduciary on whether their personal data has been processed for the purpose for which consent was provided,
(ii) Seek correction of inaccurate, incomplete, or out of date personal data and erasure of data once the processing activity is complete,
(iii) Right to data portability, wherein a data principal can seek his personal data from a data fiduciary in a structured and machine-readable format to ensure interoperability, that is, facilitating switching between different telecom service providers, and
(iv) The right to be forgotten, which restricts continuing disclosure of a data principal’s personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
The key takeaways for businesses are as follows –
Larger businesses which may foreseeably be categorized as “Significant Data Fiduciaries” (both online and offline) should work towards an early bird adoption framework for the compliance requirements mandated by the Act.
Business and Industry shall initially need to work towards increasing intra-organization awareness and appoint a Data Protection Analyst Manager to ensure compliance with the upcoming legislation.
Business and Industry to internally audit all existing contractual obligations to ensure compliance relating to protection of personal data.
Businesses dealing in any manner with “Sensitive Personal Data” to brace themselves for stricter compliance requirements.
Business to monitor and inventorize every transaction involving sharing of personal data to comply with data principal requests.