India’s Personal Data Protection Bill — Highlights, first views and correlation with EU GDPR

Andrew David Bhagyam
8 min read · Jul 29, 2018

The Indian Personal Data Protection Bill (to be called the ‘Personal Data Protection Act 2018’) was released last Friday (27–07–18) by the Justice B N Srikrishna committee. The history of this process is available here.

Consisting of 67 pages, 15 Chapters, 112 Sections and 2 Schedules, this Act is a springboard for Privacy and Data Protection in India. We all know that India ‘does’ direly need one.

The Act is categorized into Chapters and Sections under each Chapter.

While reading, I noticed some key points that I will cover in this blog, as well as some comparisons with the EU GDPR. I am also writing a summary (with synopsis) of this Act for those lazy readers :P

Summary:

- Scopes & Definitions (applicability, roles & terms)

- Child age is considered as 18 years (which is quite commonly acknowledged in India)

- Rights of data principals (a.k.a ‘data subjects’ as per the EU GDPR)

- Privacy by Design is mentioned as an important point

- Data breach notifications (time limits are not mentioned explicitly; rather, this is left to the Authority to decide soon)

- Importance of DPIA (Data Protection Impact Assessments)

- Records of processing activities (keeping written documents of everything)

- Importance of Auditing by independent auditors for Compliance & demonstration

- Data Protection Officer (roles, responsibilities, qualifications)

- Data Processor engagements

- A new term called ‘Significant’ data fiduciary (a.k.a ‘data controller’ as per the EU GDPR)

- Grievance redressal mechanism provisions (similar to the ‘Right to Complain’ under the EU GDPR)

- Data localization (a need to keep a copy of the data in Indian data centres)

- International data flows (similar to the GDPR, but not the EU-recognized Model Contractual Clauses that we currently have in our DPA with our EU customers; rather, India’s own version of Model Contractual Clauses)

- Special considerations and exemptions for State bodies (a.k.a State Actors)

- Research, statistical purposes, archiving purpose provisions are similar to that of EU GDPR

- Domestic/Personal usage, journalistic purposes are exempt from the Act subject to some conditions

- There is consideration for small entities (criteria mentioned in Section 48(2))

- The appointment of a Data Protection Authority of India (‘Authority’) by the Central govt. The duration of office, retirement, powers (similar to those in the GDPR) and also some forms of judicial power (through the appointment of an Appellate Tribunal, powers to conduct sudden raids like Income Tax raids, issuing directions/rules & regulations, etc.) are mentioned

- Penalties for non-compliance have been categorized similarly to those in the GDPR. They can go up to 15 Crore rupees or 4% of the total worldwide turnover of the preceding financial year, whichever is higher.

- Provision for allocation of a Data Protection Fund

- Other offences committed in contravention of the Act are punishable with jail terms of up to 5 years along with fines of up to 3 Lakh rupees

- For offences committed by a company (either by negligence, connivance, illegally-on-a-consensus), the person involved, manager, team & senior management will be held guilty and be subject to legal proceedings and fines.

- Date of Enforcement: a few sections & chapters one year from notification; most of the remaining portions within 1.5 years from the date of notification

- Biometric data should never be processed by anyone unless the law permits

- The Act amends some existing laws such as the IT Act of 2000 & the RTI Act of 2005 (mentioned in the Schedules)

What’s missing?

A few Rights — Yea, that’s right.

- Right to Restriction of processing

- Right to Object (eg. to direct marketing)

- Right not to be subject wholly to a decision made solely by automated processing

Additionally, ‘Performance of a Contract’ as a lawful basis is not mentioned explicitly in the Act. Maybe it is hidden somewhere under Section 12(5). I would leave it to the lawyers to check on this.

Now, for the longer version…

Let’s start out with the important definitions of the ‘roles’.

- Data Principal is the data subject

- Data Fiduciary is the data controller

- Data Processor is the data processor

And yea, as usual, the law gives more importance and onus to the Data Fiduciary, but it also has implications for the Data Processors.

‘Sensitive data’ includes ‘official identifiers’ (any identifier allocated to someone under any law for the purpose of identifying a person uniquely). It also includes

· tribe

· caste

· transgender status, intersex status and

· passwords

in addition to the commonly known categories, similar to those present in the EU GDPR.

Certain highlights:

· The time limit (within 30 days) to notify the data principal when the data is not collected directly from them is NOT mentioned; rather, it says ‘reasonably practicable’

· Processing in the context of employment is mentioned and details provided under Section 16

· Personal data of a child (<18 years of age) is covered quite elaborately, and verification mechanisms are also considered

· Requires Fiduciaries to have a Grievance Redressal mechanism in place (Right to Complain)

· Special considerations & exemptions for State actors

· Considerations for small entities (criteria are mentioned in Section 48(2))

· Allocation of Data Protection Fund

· A Recovery Officer is to be appointed to ensure the recovery of fines from Fiduciaries

Rights under this Act:

· Under the Right of Access, there is no requirement to ‘provide’ the ‘data’ (as present in the EU GDPR), but there exists the Right to Data Portability (with some exemptions)

· The Right to be Forgotten is also present but subject to some limitations

· The time period to cater to Data Principal Rights is not mentioned as such but is written as ‘as prescribed’ (which will be done by the Authority)

Privacy by design:

Privacy by Design (and not ‘Data protection by design’ as in the EU GDPR) is described with the following as its core points:

· ‘privacy is protected throughout processing from the point of collection to deletion of personal data’ and

· ‘the interest of the data principal is accounted for at every stage of processing of personal data’

Breach Notification:

The time period for data breach notification is not mentioned; rather, it says ‘as prescribed’ (which will be done by the Authority)

Audits:

· Third-party independent auditing is expected annually (Section 35)

· A set of requirements that are to be audited is also mentioned

· Data Trust Scores to be assigned to Fiduciaries based on audit results

Data Protection Officer:

· Mandates the appointment of a Data Protection Officer (DPO) in every Fiduciary.

· If the Fiduciary is not based in India, then a DPO of that Fiduciary must be present in India.

· Does not talk about ‘representatives’ as present in the EU GDPR

Data Processors:

· Data Processor engagement requires a contract.

· Contracting a sub-processor requires authorization from the Fiduciary unless it is part of the contract with the Fiduciary (yeah! that’s a slight relief)

‘Significant’ Data Fiduciary:

· Authority can notify any Fiduciary as a ‘significant Data Fiduciary’ considering the data volume, processing activity, technologies, frequency etc.

· The Authority will probably mandate DPIAs, logs, audits and a DPO for these Fiduciaries, but it may also require this from all Fiduciaries.

Data Localization:

· Requires that at least one copy of the actual data must be in Indian data centres (DC)

· The Central Govt. can mandate that ‘sensitive data’ be present and processed only in Indian DCs

International/Cross-border data flows:

· International (cross-border) data flows are similar to those in the EU GDPR, but the Standard Contractual Clauses (SCC) approved for EU data transfers are not present; rather, new clauses will be developed by the Central Govt. and the Authority

· Consent is still valid for International data transfers

· ‘Adequacy’ decisions will be made by the Authority soon

· Every Fiduciary is required to report to the Authority periodically about the transfers it makes based on these new approved SCCs.

Some interesting facts about ‘The Authority’:

· To be appointed by the Central Govt.

· To be located as mentioned by the Central Govt.

· To consist of 6 full-time members

· Requires >10 years of experience in the ‘field of data protection, information technology, data management, data science, data security, cyber and internet laws, and related subjects’

· Term of office is 5 years

· Retirement age is 65, & members cannot be reappointed afterwards

· The Chairperson and members should not be employed by the Govt. (either Central or State) during their term and until 2 years after the term ends, & also must not be part of a ‘significant’ Data Fiduciary

· Decisions are to be based on a majority of votes

· IT returns, accounts and audits are to be filed annually pertaining to the events, promotions and other initiatives done by the Authority.

· Has tax exemptions w.r.t. Income Tax on profits or gains (Section 101)

· The Powers of the Authority are similar to that in the GDPR along with some additional powers like clarifying the ‘as prescribed’ parts of the Act

· Has some type of judicial power over Data Fiduciaries for lawsuits, as under the Code of Civil Procedure.

· It can also conduct an inquiry (by an Inquiry Officer) into the Fiduciaries and then take the next steps accordingly, independently.

· Can issue Codes of Practice (that are to be followed by the actors)

· Has the power to issue ‘directions’ but only after a public hearing

· Has the power to conduct sudden raids like an IT (Income Tax) raid through Authorised Officers (Section 66). The Omen! 666 alert! :P

· Can appoint the Appellate Tribunal to handle cases related to data protection (similar power to that of a Civil court)

· Appoints an Adjudicating officer who has quite a lot of responsibilities under the Authority

Penalties:

· ‘Up to 5 Crore rupees or 2% of its total worldwide turnover of the preceding financial year, whichever is higher’ for some issues and

· ‘Up to 15 Crore rupees or 4% of its total worldwide turnover of the preceding financial year, whichever is higher’ for some types of issues.

· For not catering to Data Principal requests: 5K rupees per day, up to 10 Lakh, till it is completed.

· For not furnishing reports, information, returns etc.: 10K rupees per day, up to 20 Lakhs, till it is completed.

· For not complying with any issuance or direction: 20K rupees per day, up to 2 Crore (if Fiduciary), or 5K rupees per day, up to 50 Lakhs (if Processor).

To make sure nobody gets clever in interpreting ‘how much if there are many companies under a group’, they have defined ‘total worldwide turnover’ :/

Similarities to the EU GDPR:

· The conditions for ‘Consent’

· Security of processing

· DPIA (Data Protection Impact Assessment) provisions

· Records of processing activities (logs & documentation)

· Similar considerations for research, statistical and archiving purposes as present in the EU GDPR

· Conditions for imposing fines

· Compensating the Data Principal has a process & is mentioned briefly

These are some of the key provisions similar to those in the EU GDPR. However, the above list is not exhaustive.

Offences:

Doing something in contravention of this Act (even re-identifying the data), knowingly, unknowingly or recklessly, will be punished as mentioned below:

· imprisonment for up to 3 years and/or a fine of up to 2 Lakhs (for personal data)

· imprisonment for up to 5 years and/or a fine of up to 3 Lakhs (for sensitive personal data)

For offences by a company (negligence, connivance, or illegally acting as a group on a consensus), the person involved, the manager, the associated team & the senior management will be held guilty and be subject to legal proceedings and fines.

Date of enforcement (Section 97):

· A few Sections & Chapters one year from notification,

· Most of the remaining portions within 1.5 years from the date of notification.

And do you know what? The Central Govt. has the power to exempt some data processors from following the Act (Section 104)

Towards its end, the Act makes clear that ‘biometric data’ should not be processed by any Fiduciary unless the law permits them to.

Finally, this Act amends a couple of oldy-goldy Acts of India.

There are a couple of amendments to the

· IT Act of 2000 and

· RTI Act of 2005

The above article is based on my perception of the Act and my limited knowledge and experience in the field of data protection. If there are any inaccuracies or misunderstanding, please feel free to email me and I will be more than happy to do the necessary :)


Security & Privacy geek, Data protection thought leader, hacker, musician, Christian(I don't believe in religion, but I believe in Jesus Christ)