This is a summary of the key provisions of the Personal Data Protection Bill, 2018 (“the Bill”/ “the Act”).
The Bill has been divided into 15 Chapters. It is composed of 112 Sections, with 2 schedules and 4 recitals. According to Section 1 of the Bill, the law shall apply to the whole of India.
- The Bill has recognized the right to privacy as a fundamental right and protection of personal data as an essential facet of informational privacy.
- The intent of the Bill is to:
- Protect individual autonomy in relation to their personal data;
- Specify where flow and usage of personal data is appropriate;
- Create a relation of trust between persons and entities;
- Specify rights of individuals towards their data;
- Create a framework for processing of personal data;
- Layout norms for cross-border transfer of personal data;
- To ensure accountability of entities processing personal data;
- Provide remedies for unauthorised and harmful processing of data; and
- Establish a Data Protection Authority for overseeing processing activities.
Key Definitions (Section 3 of the Act lists all definitions)
- Personal Data: Personal data means data relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity, or any combination of such features;
- Sensitive Personal Data includes: passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief etc.;
- Data Principal: means the natural person whose personal data is collected;
- Data Fiduciary: means any person, including the State, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing personal data;
- Processing: means any operation performed on personal data and may include collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment, or combination, indexing, disclosure by transmission, dissemination, restriction, erasure or destruction.
Scope of the Act (Section 2 of the Act)
- Section 2 defines the scope of the Act. It states that the Act applies to processing of personal data which has been collected, disclosed, shared or processed within India. It’s applicable to the State, Indian companies, Indian citizens and persons created or incorporated under Indian law.
- The Act will be applicable to foreign entities if they process data in connection with business carried on in India or if they conduct activities of profiling of data principals within India.
Data Protection Obligations (Chapter II of the Act)
- This chapter places certain obligations on data fiduciaries with regard to data protection.
- It provides for Purpose Limitation, which means that personal data shall be processed only for purposes that are clear, specific and lawful and for incidental purposes which the data principal would reasonably expect.
- It also enshrines the principles of collection limitation (limiting collection of personal data to that which is necessary) and storage limitation (storage of data only as long as it is reasonably necessary).
- Section 8 provides for the giving of Notice. Every Data Fiduciary shall give the data principal various kinds of information at the time of collection or as soon as practicable. Some of the key requirements of the Notice clause are:
- Purpose for which personal data is being processed;
- Identity and contact details of the data fiduciary and data protection officer;
- Right of data principal to withdraw consent and procedure of withdrawal;
- Information regarding any cross-border transfer of personal data; and
- The procedure for grievance redressal.
Grounds for Processing of Personal Data (Chapter III of the Act)
- Personal data may be processed on the basis of consent, but such consent must be free, informed, specific, clear and meaningful. Consent should be also be capable of being withdrawn.
- Section 13 empowers the Parliament and State Legislatures to process personal data if its necessary for their functions. It also gives power to the State to process personal data for any function authorised by law.
- Personal data may also be processed if there is:
- Public interest in processing such data;
- prevention and detection of any unlawful activity;
- whistle blowing;
- network and information security; etc.
Grounds for Processing of Sensitive Personal Data (Chapter IV of the Act)
- Sensitive personal data may be processed only on the basis of explicit consent, certain functions of the State, in compliance with law or any order of a court or tribunal, and for certain situations requiring prompt action. Consent will be considered explicit only if it is – informed, clear and specific.
Personal And Sensitive Personal Data Of Children (Chapter V of the Act)
- U/S 3(9), child is a data principal under 18 years of age. The Act provides for special safeguards for processing personal data of children for their best interests. It includes providing for age verification, parental consent(Sec 23).
- The Authority shall notify guardian data fiduciaries i.e those who provide online services to children or process their personal data. They are barred from ‘profiling, tracking, or behavioural monitoring of, or targeted advertising directed at children’ or data processing that may cause children ‘significant harm’.
Rights of Data Principals (Chapter VI of the Act)
- Right to confirmation and access: The data principal shall have a right to obtain confirmation on processing of personal data; a brief summary of personal data being processed or that has been processed; and a brief summary of processing activities undertaken by the data fiduciary.
- Right to correction of information.
- Right to Data Portability: The data principal will have the right to receive personal data in a machine-readable format and have it transferred to any other data fiduciary.
- Right to be Forgotten: The data principal will have the right to restrict or prevent continuing disclosure of personal data. This right can only be enforced through the Adjudicating Officer (as appointed by the Data Protection Authority of India). It is available only when the right of the data principal override the right to free speech and right to information of any citizen.
Transparency And Accountability Measures(Chapter VII of the Act)
This Chapter imposes following duties on data fiduciaries:
- Implementing policies and measures to ensure protection of privacy by incorporating it in managerial, business practices and technical systems/certifications;
- Taking reasonable steps to maintain transparency in practices related to processing personal data;
- Notifying the Authority in event of a personal data breach;
- Undertaking Data Protection Impact Assessment, Data Audit, Record Keeping;
- Appointing Data Protection Officers for carrying out functions like ensuring compliance to this Act, monitoring data processing activities;
- Establishing proper procedures and mechanisms for grievance redressal of data principals;
- Alongwith data processors, implementing security safeguards such as de-identification and encryption.
Transfer Of Personal Data Outside India(Chapter VIII of the Act)
- S. 40 imposes restrictions on cross-border transfer of personal data. A copy of personal data must be kept at a server or data centre in India. Besides, critical personal data, as determined by Central Government, shall only be processed in India. However, certain categories of personal data may be exempted from localisation requirement.
- Under, S. 41, data besides that in S. 40 may be transferred outside India but after meeting certain conditions like consent of data principal or under contractual obligations/intra-group schemes prescribed by the Authority or countries/sectors prescribed by Central Government with concurrence of the Authority or in a situation of necessity.
- Central government while permitting data transfer must ensure that it is subject to adequate level of protection such as applicable laws, international agreements and law enforcement. However, the transfer may be permitted without meeting these conditions in case of health and emergency services, or where transfer is necessary for any class of data fiduciaries or data processors and it does not hamper effective enforcement of the Act.
- While prescribing contractual obligations/intra-group schemes, the Authority must ensure adequate level of data protection for data transferred. In such cases data fiduciary must certify that it adheres to the contractual obligations and shall be liable for non-compliance.
Exemptions(Chapter IX of the Act)
- This Chapter exempts application of certain provisions of this Act for data processing for specific purposes.
- The following data protections would not be applicable, if data is processed for Security of State(Sec 42); for Prevention, Detection, Investigation And Prosecution Of Contraventions Of Law(Sec 43); for Domestic Purposes i.e. non-commercial or undisclosed to public(Sec 46); for Journalistic purposes(Sec 47):
- Ch II: Data Protection Obligations(Except Sec 4),
- Ch III: Grounds For Processing Of Personal Data,
- Ch IV: Grounds For Processing Of Sensitive Personal Data,
- Ch V: Personal And Sensitive Personal Data Of Children,
- Ch VI: Data Principal Rights,
- Ch VII: Transparency And Accountability Measures(Except Sec 31),
- Ch VIII: Transfer Of Personal Data Outside India
- Compliance to Ch II to VII(except Sec 4, 31) are exempted for purpose of Legal Proceedings or by any Court or Tribunal(Sec 44).
- The Authority may exempt certain provision of this Act(except Sec 4, 31, 33) for Research, Archiving Or Statistical Purposes(Sec 45). Besides U/S 48, compliance of a few other provisions is also exempted for manual processing by small entities.
Data Protection Authority Of India(DPAI)(Chapter X of the Act)
- Section 49 provides for establishment of DPAI by Central government. It shall have 1 chairperson and 6 whole-time members. They are appointed by a 3 member committee comprising of: Chief Justice of India or any SC judge of the Supreme Court, the Cabinet Secretary and one expert in field of data protection, IT, cyber and internet laws etc. They must be persons of ability, integrity and have atleast 10 years of relevant professional experience.
- Section 51 ensures their independence which includes tenure of 5 years or 65 years age and protection of salaries and allowances. To ensure integrity, they cannot hold government office or appointment with any data fiduciary until 2 years after holding office.
- Section 52 provides for their removal on grounds such as insolvency, physical or mental incapacity, moral turpitude, public interest and conflict of interest.
Powers of DPAI:
Sections of 60 to 66 gives DPAI wide powers and functions to ensure enforcement of the Act. These include:
- Monitoring and enforcement of the Act, taking prompt action of data security breach, examining data audit reports of data fiduciaries, monitoring data transfers outside country, awareness generation, conducting inquiries on data fiduciaries with powers same as that of a civil court under CPC, 1908(Sec 60);
- Issuing ‘codes of practice’ to promote good practices and facilitate compliance under this Act(Sec 61);
- Issuing directions to data fiduciaries and data processors, and ensuring their compliance(Sec 62), calling for information from data fiduciaries or data processors(Sec 63);
- Power to conduct inquiry U/S 64 where Authority reasonably believes that activities of data fiduciary or data processor are detrimental to interests of data principals or where the former has violated provisions of this Act.
- Pursuant to the inquiry, the Authority can take actions like issuing warnings, mandating business modification, suspending or cancelling any registration etc(Sec 65);
- Conducting search and seizure(Sec 66);
- Section 68 provides for a separate adjudication wing with designated officers for purposing of conducting inquiries, imposing penalties.
Penalties And Remedies(Chapter XI of the Act)
The Act provides for a gradation of penalties on data fiduciaries including:
- 5 crore rupees or 2% worldwide turnover for not complying to obligation under the Act such as responding to data security breach, undertaking data audits etc;
- 15 crore rupees or 4% worldwide turnover for violating obligation given in Chapters II to V;
- Upto 10 lakhs on failure to comply with data principal requests under Chapter VI;
- Upto 20 lakhs on failure to furnish report, returns, information, etc;
- Upto 2 crores on failure to comply with direction or order issued by the Authority;
- Besides, any data principal who has suffered harm due to violation of any provision by data processor or data fiduciary, has right to seek compensation.
Appellate Tribunal(Chapter XII of the Act)
- Section 79 provides for establishment of an Appellate Tribunal to hear and dispose of any appeal from orders of Adjuticating Officers or the Authority. The composition of the Tribunal shall be determined by the Central Government;
- The appeal against the order of the Tribunal shall lie before the Supreme Court of India.
Offences(Chapter XIII of the Act)
This chapters provides for list of offences and consequent punishments related to this Act. Investigation of these offences shall be conducted under the Code of Criminal Procedure, 1973(Cr.P.C.) and they shall be cognizable and non-bailable. These include:
- Obtaining, transferring or selling of personal data contrary to the Act;
- Obtaining, transferring or selling of sensitive personal data contrary to the Act;
- Re-identification and processing of de-identified personal data.
- It provides for special procedures to deal with offences by Companies, Central or State Governments.
Transitional Provisions (Chapter XIV of the Act)
- Section 97 of the Act provides for transitional provisions of this Act. The Act once enforced, will made applicable in phases.
- Within a year of the enactment of this Act, provisions relating to – the Data Protection Authority, the Central Govt.’s power to make Rules and the Authority’s power to make regulations will come into force.
- Within a year from when the Authority comes into existence, certain other regulations under the Act which are to be notified by the Authority itself, shall be made applicable.
- All other provisions of this Act, shall come into force only after a year and a half (18 months) have passed from the coming into existence of the Data Protection Authority.
Schedules Annexed to the Act
- Schedule 1 amends the Information and Technology Act, 2000 (“the IT Act”) by omitting Section 43A (Compensation for failure to protect Data) and changing the Rule making power of the Central Government in a particular case under the IT Act.
- Schedule 2 seeks to amend the Right to Information Act, 2005 (“the RTI”) and replace Section 8(1)(j) of the RTI appropriately to give effect to changes made under the Personal Data Protection Bill, 2018. Section 8 of the RTI provides exemptions from the disclosure of information.
We will be publishing an analysis of the Bill soon.