Decoding India's Personal Data Protection Bill 2023
1. A Milestone in Data Protection:
This is the fifth iteration of the personal data protection bill. The Lok Sabha has already passed it, but the Rajya Sabha's approval and the President's signature are still pending.
2. Lean, Yet Comprehensive:
The Bill is lean, principle-based, and high-level, with implementation details to be set out in rules. The implementation date remains unknown, but the industry anticipates a six-month preparation period.
3. Parties in the Play:
The bill involves various parties:
(i) Data Principals (aka Data Subjects)
(ii) Data Fiduciary (aka Data Controller)
(iii) Data Processors
(iv) Significant Data Fiduciary
(v) Data Protection Board
Example Illustration:
Data Principal: A user consenting to a social media platform (Facebook/Instagram) using their data for targeted ads.
Data Fiduciary: A healthcare provider processing patient data for medical records, or a payroll processing services provider processing its clients' employee data for the payment of salaries.
Data Processor: A cloud service provider (e.g. AWS) managing data storage for an e-commerce platform.
Significant Data Fiduciary: A large financial institution handling sensitive customer data or processing large volumes of transactions (e.g. Facebook, Flipkart, Jio).
Data Protection Board: A government body responsible for enforcing the rules and issuing penalties for non-compliance (but not a regulator).
4. Scope of Applicability:
The Bill applies only to digitally processed personal data for business purposes. It excludes non-digital data, personal/domestic use, and publicly available data.
5. Jurisdiction Matters:
The bill applies to business entities collecting personal data for offering goods/services to Indian citizens. It extends to personal data outside India if related to goods/services for Indian citizens.
6. Consent - The Pillar of Trust:
Consent must be free, specific, informed, unconditional, and unambiguous, signifying an agreement for data processing through clear affirmative action. The 2023 Bill limits consent validity to the personal data necessary for the specified purpose. Data principals have the right to withdraw consent and utilize consent managers if needed.
7. Notice Requirements:
Data fiduciaries must provide a comprehensive notice to data principals, describing the personal data processing, how consent can be withdrawn, the grievance redressal mechanism, and how to file a complaint with the Data Protection Board.
8. Grounds of Processing:
Data can be processed only with the explicit consent of the data principal or for certain 'legitimate uses'. 'Legitimate uses' include (i) a specified purpose for which data has been provided voluntarily by an individual, (ii) the provision of a benefit or service by the government, (iii) a medical emergency, and (iv) employment.
Under the 2023 Bill, a data fiduciary can process data without consent when the data principal voluntarily provides their personal data to it without expressing unwillingness.
Example Illustration:
Phone Numbers Shared: Sharing a phone number with a pharmacy in order to obtain a receipt.
State Functions: Processing data for the performance of state functions.
Health Emergency: Assisting during a health emergency.
9. Duties of Data Fiduciary:
(i) They are responsible for compliance with the Bill, even for any processing undertaken on their behalf by a data processor.
(ii) They must establish grievance redressal mechanisms.
(iii) They must ensure the accuracy and completeness of personal data if it is used to make a decision that affects a user or is to be shared with another data fiduciary.
(iv) They must delete data, and cause their data processor to delete it, if the user withdraws consent or if it is reasonable to assume that the specified purpose is no longer being served, i.e. when the user has not contacted the fiduciary for the performance of the purpose or exercised their rights for a specified period (so if an account is inactive for a while, the platform must delete the data).
(v) The fiduciary can continue to retain the data if required by law.
(vi) They must report data breaches to both the DPB and the data principals.
10. Obligations of Significant Data Fiduciary:
(i) The government may notify 'significant data fiduciaries' (SDFs) by assessing factors such as the volume and sensitivity of the personal data processed, the risk to the rights of data principals, and the potential impact on the sovereignty and integrity of India, among other things.
(ii) SDFs must: (a) appoint a data protection officer (DPO) based in India, who will be responsible to the board of directors of the SDF; (b) appoint an independent data auditor to evaluate the SDF's compliance with the Bill; and (c) undertake data protection impact assessments (DPIAs).
11. Data Processors' Role:
(i) Data fiduciaries can engage data processors under a valid contract. User consent is not required for the appointment of a data processor by the data fiduciary.
(ii) The requirement to put security safeguards in place and to report data breaches to the authorities and to users rests on the data fiduciary, not on the data processor. Hence, the liability for failing to report breaches or to institute safeguards falls on data fiduciaries only.
However, the data fiduciary can protect itself by entering into a contract with the data processor that contains a strong indemnity clause.
12. Safeguarding Children's Data:
(i) "child" shall mean an individual below the age of 18 years.
(ii) Data fiduciaries must continue to obtain ‘verifiable’ parental consent to process children’s data.
(iii) It also prohibits tracking and advertising targeted towards children and processing that is likely to cause any ‘detrimental effect’ on the well-being of a child.
(iv) The government can exempt classes of data fiduciaries, and processing for certain purposes, from the requirement to obtain parental consent and from the prohibition on behavioural monitoring. It also empowers the government, in certain scenarios, to allow data fiduciaries to process the data of children above a certain age (but below 18 years) without the obligations attached to processing children's data.
13. Empowering Data Principals:
(i) They can seek information on the personal data being processed, the processing activities, and the identities of all the data fiduciaries and processors that their data has been shared with.
(ii) They may also ask data fiduciaries to correct or erase their personal data.
(iii) They have the right to nominate an individual to exercise rights on their behalf in the event of their death or incapacitation.
(iv) Data fiduciaries must also offer readily available grievance redressal mechanisms to data principals. However, the bill emphasizes that the data principal must exhaust all options for grievance redressal before approaching the DPB.
(v) The 2023 Bill also casts responsibility on the data principal to not impersonate another person or suppress information when applying for any document or proof from the state, and to provide only authentic information while exercising their right to data erasure.
14. Cross-Border Data Transfers:
(i) Data transfers are allowed to all jurisdictions, except those barred by government notification.
(ii) The principles/conditions under which such countries will be barred are not specified. Any stricter sectoral restrictions on data transfers – like the Reserve Bank of India’s payments data localization mandate – will continue to apply.
15. Data Protection Board - Guardian of Privacy:
(i) The DPB acts as an adjudicatory and enforcement body, not a regulator.
(ii) The central government exercises control over the composition and operations of the DPB.
(iii) This bill provides details about the composition of the DPB and the criteria for membership.
(iv) The DPB will enforce the provisions of the bill. It can issue directions and direct data fiduciaries to adopt urgent measures in case of data breaches, receive complaints by affected persons or references by the central or state governments, and impose penalties for non-compliance.
(v) It can conduct hearings, summon and enforce attendance, and examine persons on oath, among other functions.
16. Exemptions and Penalties:
This Bill exempts certain provisions from applying to data processing for:
(i) investigation of offenses;
(ii) implementation of the scheme of compromise or merger or amalgamation;
(iii) detecting financial frauds;
(iv) The government can exempt the entire application of the Bill for notified state agencies in the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, and maintenance of public order, among other reasons.
(v) It may also provide exemptions for research, archiving, or statistical purposes – if the data is not used to take any decision specific to a data principal.
(vi) The government can also notify certain data fiduciaries, including startups, that may be exempt from the Bill, keeping in mind the volume and nature of the personal data processed by them.
Lastly, the DPB can also issue monetary penalties to data fiduciaries in case of non-compliance. Penalties are only applicable to data fiduciaries. The maximum penalty that can be issued is INR 250 crore. The government has the power to amend the schedule to increase the penalties but cannot increase them to more than double the existing figures.
17. Rules and Central Government's Role:
The Central government holds discretionary powers to make decisions and subordinate legislation under the Bill.