Given the many data breaches, it was important for India to consider a separate law for protecting the personal data of its citizens.
The Personal Data Protection Bill, 2019 (“PDP Bill”) is the outcome of the judgment of the Hon’ble Supreme Court in KS Puttaswamy v. Union of India, where the Right to Privacy was upheld as a Fundamental Right. Considering that the PDP Bill deals with extensive data, including non-personal data, the Joint Parliamentary Committee (“JPC”) recommends amending the marginal heading of clause 2 to include non-personal data.
The PDP Bill defines a “data fiduciary” as any person who determines the purpose and means of the processing of personal data. The definition also takes in the role of a Consent Manager, which enables a data principal to give, withdraw, review, and manage their consent.
Considering that NGOs in India play a significant role in collecting data in rural India, the JPC recommends including NGOs in the definition of data fiduciary.
Chapter II of the PDP Bill provides for the obligations of a data fiduciary. Some important ones are:
- Personal data shall not be processed except for a specific, clear, and lawful purpose.
- The data fiduciary shall process data fairly and reasonably and ensure privacy.
- The data fiduciary shall take steps to ensure that the personal data processed is complete, accurate, not misleading, and updated, having regard to the purpose for which it is processed.
- The data fiduciary cannot retain any personal data beyond the period necessary for the purpose of processing and has to delete the personal data at the end of the processing.
- Consent of the data principal to the processing of personal data must be free, informed, specific, clear, and capable of being withdrawn.
- The burden of proving that the data principal has given consent to the processing of personal data shall be on the data fiduciary.
- The provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on consent to the processing of any personal data not necessary for that purpose.
A data breach now includes both personal and non-personal data in the context of personal data. Under the guiding principles for handling a data breach, the JPC recommends that the Data Protection Authority (“DPA”) ensure the privacy of data principals when posting details of a personal data breach. The burden of proving that any delay in notifying the DPA or the data principal was reasonable is on the data fiduciary. Data fiduciaries are recommended to maintain a log of all data breaches for the DPA’s review.
Before processing the personal data of a child, the data fiduciary has to verify the child’s age, and the consent has to be that of the child’s parent or guardian. However, the PDP Bill does not provide recourse for when the child attains majority. The JPC recommends that fiduciaries exclusively dealing with children’s data register themselves with the DPA and incorporate a mechanism for obtaining consent from the child upon attaining majority.
Under the PDP Bill, a data principal can obtain from the data fiduciary confirmation of, and a summary of, the processing of their personal data. It is now material for fiduciaries to highlight the data principal’s right to have their data erased, embodied in the right to be forgotten. To keep implementation implications minimal, the JPC recommends that the DPA be authorised to frame regulations in consonance with international best practices, without imposing an obligation on the fiduciary to delete all data at the end of processing. The data may also be processed multiple times for welfare purposes.
Hardware manufacturers also collect data through their products for various reasons, which the PDP Bill does not factor in. The JPC recommends empowering the DPA to frame regulations for this, including a provision for certification of the integrity and security of all digital devices. To safeguard national security and promote data localisation, the JPC recommends that a mirror copy of all sensitive and critical personal data in the possession of foreign entities be mandatorily maintained in India.
Further, the PDP Bill restricts the sharing, transfer, and transmission of personal data where doing so would prejudice the purpose of processing.
The JPC’s recommendations would treat social media platforms that do not act as intermediaries as content publishers and regulate them as such. The interplay between the PDP Bill and the amendments to the Information Technology (Intermediaries Guidelines) Rules, 2011, in regulating social media platforms will be interesting to watch in implementation.
This is for informational purposes only. Nothing contained herein is, purports to be, or is intended as legal advice, and you should seek legal advice before you act on any information or view expressed herein.
We have endeavoured to accurately reflect the subject matter of this alert, without any representation or warranty, express or implied, in any manner whatsoever in connection with its contents. This is not an attempt to solicit business in any manner.