The Committee of Experts entrusted with creating a Framework for Data
Protection in India has released the much awaited Personal Data Protection Bill,
2018. The committee was constituted in August, 2017 by the Ministry of
Electronics and Information Technology, Government of India to examine issues
related to data protection, recommend methods to address them and draft a data
protection bill. After years of deliberations and a series of public
consultations, the committee chaired by retired Supreme Court Judge, Justice B.N.
Srikrishna has released the much awaited draft. The title of the draft bill
was “A Free and Fair Digital Economy Protecting Privacy, Empowering
Indians”, which provides context to the deliberations of the committee. The bill
defined personal data as any data which can be used to identify an individual
either directly or indirectly. Under the bill, sensitive data is defined as
any data which is related to intimate matters where there is a higher expectation
of privacy i.e. caste, religion and sexual orientation of the individual.
Therefore, with the data protection bill, the committee sought to distinguish
personal data protection from the protection of sensitive data, since its
processing could result in greater harm to the individual.
The Data Protection Authority of India (hereinafter referred to as ‘DPA’) is
charged with the responsibility to enforce the law effectively and efficiently.
The DPA categorizes certain fiduciaries as significant fiduciaries on the basis
of their capability to cause greater harm to data principals as a consequence
of their data processing activities. Further, if data fiduciaries are found to
be in contravention of the law, the DPA has the power to cease, desist or
temporarily suspend their business or activities. The significant data
fiduciaries categorized by the DPA are required to undertake obligations such
as:
a. They are required to register themselves with the DPA.
b. They have to carry out a Data Protection Impact Assessment.
c. They are required to conduct audits on a routine basis and maintain
records of them.
d. They are required to appoint a Data Protection Officer.
The committee has recommended that the law should be applicable to processing of
personal data if the data has been shared, disclosed or processed in India. The
law will be applicable to any fiduciary that is not present in India but has
a business connection to India and is engaged in activities such as profiling.
Further, the law shall be applicable to any company incorporated under Indian
laws and engaged in collecting, sharing, disclosing and processing personal
data. It is not necessary for the data to be actually processed in India.
However, the center has the power to exempt companies that are engaged in
processing the personal data of foreign nationals not present in India.
Some of the main points in the bill are:
# The new draft bill will be applicable to all foreign data
processors that have a business connection to India or are engaged in carrying
out activities involving profiling of individuals in India. This means that the
draft bill has extra-territorial application.
# Differential obligations have been imposed on Personal Data and
Sensitive Personal Data, i.e. the obligations imposed should be based on
criticality.
# The data controller, i.e. the Data Fiduciary, is charged with the
responsibility of purpose limitation, collection limitation, maintaining data
quality, storage limitation etc.
# The bill was intended to be made applicable to both the private
parties as well as the state.
# The bill defined a child as someone who is less than 18 years of age and
prohibited profiling, tracking or behavioral monitoring of, or targeted
advertising towards, children.
# The bill laid down rights related to data subjects. The rights include
the right to data correction, data portability etc.
# The bill introduced the concept of data breach and privacy by design.
# The bill mandated registration requirements for all data processors
that are engaged in conducting high-risk data processing. High-risk data
processors are required to implement trust scores, data audits as well as a Data
Protection Impact Assessment.
# The Government through the Data Protection Bill has retained the power
to exempt storage of copies of Sensitive Personal Data in exceptional cases.
Also, it is required that the copies of all the personal data must be stored in
India and the government may notify certain types of personal data that should
be mandatorily processed in India.
# The bill mandated the use of model clauses and possible adequacy
requirements for consent cross-border transfers, i.e. the approval of the
government is required for cross-border data flows.
# All codes of practice will be provided and endorsed by the “Data
Protection Authority of India”.
# The bill provides GDPR-style penalties of up to 4% of global turnover in
some cases. Also, the bill introduced criminal penalties in limited cases.