India’s Personal Data Protection Bill
Key Takeaways for Organizations
Shivangi Nadkarni, Co-founder & CEO
This is a quick, first-cut list of key take-aways, implications & ‘what lies ahead’ for organizations from the Personal Data Protection Bill 2019 that was introduced in Parliament on December 11, 2019.
Note: This was done as a series of tweets – so I have collated them as-is here
PD: Personal Data
DP: Data Principal – the individual whose PD we are talking about
DF: Data Fiduciary – the organization that collects & processes PD
DPA: Data Protection Authority – the regulator to be set up
Personal Data categorized as PD, Sensitive PD (SPD), Critical PD. Children’s PD also looked at separately.
Key: Collect only what you need – minimize the Personal Data you collect. Use only for the purpose(s) stated and not beyond.
#SomethingNew: “Data is kept in a form that distinguishes personal data based on facts from personal data based on opinions or personal assessments”. Implies another facet to classifying and categorizing your data within the organization.
Consent primary ground for processing.
Grounds other than consent: ‘reasonable purposes’. Includes:
- processing for prevention & detection of any unlawful activity including fraud;
- whistle blowing;
- network and information security;
- credit scoring;
- recovery of debt;
- processing of publicly available PD;
- operation of search engines.
#SomethingNew: If processing Children’s PD: verify age and obtain the consent of the parent or guardian
#SomethingNew: Organizations operating commercial websites or online services directed at children or processing large volumes of children’s PD to be classified as Guardian Data Fiduciaries.
CANNOT profile, track, do behavioural monitoring of or do targeted advertising directed at children
Privacy Notice required to be given to DPs. Notice to state:
- WHAT PD is being processed,
- WHERE have you got it from (if from a 3rd party),
- on WHAT BASIS,
- WHOM are you sharing with,
- is it crossing borders,
- how long will you keep it,
- how to withdraw consent,
- whom to complain to &
- your Data Trust Score
Retain Data only for how long it is required and not beyond, unless specifically consented to by the DP or required by some other law.
Right to Confirmation & Access: Inform DP WHETHER you are processing or have processed the DP’s PD, WHAT data and WHAT PROCESSING activity has been undertaken (brief summary), with WHOM it has been shared and what categories of PD were shared
Right to Correction & Erasure: Enable DP to correct/update her PD and erase if no longer required for the purpose. Ensure 3rd Parties who have this data also update/erase.
Right to Data Portability: For processing done via ‘automated means’, DP can ask for following PD in a ‘structured, commonly used and machine-readable format’: PD collected, obtained from elsewhere, generated or part of DP’s profile info.
Can also ask to be transferred to another DF
Right to be Forgotten: DP can ask to restrict or prevent “Continuing Disclosure” of her PD when it has served its purpose or consent has been withdrawn.
For actioning this, DP needs to apply to the Adjudicating officer who can issue an order to this effect
Rights to Confirmation & Access and Correction & Erasure to be serviced free. Fees (to be specified by regulations) can be charged for the other two. Response time for requests to be spelt out in regulations
#SomethingNew: A ‘Privacy by Design’ (PbD) policy. Needs to be submitted to the DPA for certification. To be published on your website and the DPA’s. Apart from the Notice.
PbD policy to contain:
- practices & tech systems designed to ‘anticipate, identify and avoid harm’ to the DP;
- obligations of DF,
- tech used is as per accepted/certified stds;
- Legit business interests do not compromise privacy interests;
- protection of privacy thru the PD lifecycle;
- processing is transparent;
- interest of DP accounted for all thru processing
#SomethingNew: DP can use a ‘Consent Manager’ to manage her consents - an entity that ‘enables a DP to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform’. #NewBusinessOpportunity
#SomethingNew: Breach Notification: Any breach to PD likely to cause harm to the DP to be reported to the DPA. Time period to report to be specified by regulations. DPA to determine if DP needs to be informed or not. DPA may require breach details to be posted on your and its own website.
#SomethingNew: Some DFs to be categorized as ‘Significant Data Fiduciaries’ (SDFs) – based on volume, sensitivity, risk of harm to DP, new techs used and/or turnover.
Extra Obligations include: (1) Conduct DPIA (2) Maintain Records (3) Appoint DPO
#SomethingNew: Social Media Intermediaries defined as those who ‘primarily or solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using their services’.
ISPs, search-engines, on-line encyclopedias, e-mail services or online storage services not included here.
#SomethingNew: ‘Data Protection Impact Assessment’ (DPIA) to be carried out by an SDF. To contain description of proposed processing operation, nature of data being processed, purpose of processing, assessment of potential harms that may be caused to a DP by this processing, measures to manage/minimize/mitigate/remove these harms.
DPA to specify (a) When a DPIA needs to be carried out and (b) Whether it needs to be done by a Data Auditor. DPIA to be reviewed by your DPO and submitted to the DPA. DPA has the power to stop/put conditions on your processing operations subject to the DPIA
#SomethingNew: Data Auditors to be ‘registered’ by the DPA. Criteria for Data Auditors to be specified. Data Auditors to conduct audits to check compliance of DFs to the requirements of the Act – details to be specified by DPA. Also, they will assign a Data Trust Score
#SomethingNew: Data Trust Scores. A metric for rating a DF based on a Data Audit conducted by a Data Auditor. Criteria to be specified by the DPA. Score to be displayed on DF’s Privacy Notice
#SomethingNew: Data Protection Officers (DPOs) need to be appointed by SDFs. They need to be based in India and would represent the organization under this Act.
Cross Border Transfers: Sensitive PD CAN be transferred outside India but a copy needs to be kept in India.
(1) Explicit Consent by DP
(2) Pursuant to a contract or intra-group scheme approved by the DPA
(3) Country or Entity/Group approved by the DPA
(4) Specific SPD/Class of SPD approved for transfer by DPA for a specific purpose
Critical PD cannot be transferred outside India except (1) for provision of health services or emergency services or (2) Country or Entity/Group has been approved by the Central Govt (not DPA)
Exemptions from this Act for (a) processing for research, archiving, or statistical purposes (b) manual processing done by small entities
Sandbox creation by the DPA for encouraging innovation in AI, ML or any other emerging technology in public interest
Codes of Practice to promote good practices and facilitate compliance can be
(1) specified by DPA
(2) developed by Industry bodies or sectoral regulators, Statutory Authorities, Govt Depts or Ministries and approved by DPA
Penalties & Liabilities:
Imprisonment up to 3 years and/or fine up to 2L for re-identification of de-identified data or further processing of re-identified data
So how can one prepare to comply?
Call us at Arrka for assistance with implementation. firstname.lastname@example.org