Compliances For Business Vis-à-vis Personal Data Protection Bill 2019

Data of an individual or an organization has a significant impact on the digital economy. Data is considered the new oil, as the data of an individual helps businesses and companies gain an in-depth and behavioural understanding of the consumer's search trends, which in turn helps them place advertisements strategically. User data is especially useful in the banking, insurance, e-commerce and health care sectors. However, considering the rapid growth of the digital economy and the amount of data that is being processed, there is a constant fear of such data being misused. Misuse of an individual's data may amount to an intrusion into their privacy.


Privacy and data protection work

Privacy and data protection work in parallel with each other. Every individual has the right to privacy and therefore has the right to exercise a substantial degree of control over their respective data. In recent years, judicial activism has brought the right to privacy within the purview of the fundamental rights under Article 21 of the Constitution of India. The Supreme Court in Kharak Singh vs the State of U.P. interpreted the right to life to mean the right to a dignified life. It further stated that the right to privacy is not expressly enshrined under Article 21; however, Article 21 is a repository of residuary personal rights, and the Court recognized a common law right to privacy.

Data holds significant importance in today's world. However, a data breach can cause significant harm to the privacy of an individual and can severely tarnish the reputation of a company. Therefore, a robust legal framework is pertinent to safeguard data from being misused.

Legal Framework in India

At present, India does not have an extensive legal framework specifically regulating data protection. However, certain relevant laws do regulate the processing and storing of the personal data of individuals, such as the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Section 43A of the Information Technology Act, 2000 stipulates that:

"a body corporate which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, may be held liable to pay damages to the person so affected".

Similarly, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which deal only with sensitive personal data or information, define sensitive personal data or information of a person as any personal data of that person which includes:
  • Passwords;
  • Financial information such as bank account or credit card or debit card or other payment instrument details;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information.

The Information Technology Act, 2000 also provides for punishment and penalties for data breach under Section 72A, which states that:

"any person including an intermediary who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both".

Although the Information Technology Act, 2000 regulates the collection and processing of personal data, the main objective of the Act is to provide legal recognition and safeguards for transactions carried out through digital means. The Act does not exclusively deal with safeguarding an individual's privacy by regulating and scrutinizing the collection, processing and storing of that individual's data.

Personal Data Protection Bill

On 24 August 2017, the Supreme Court in Justice K.S. Puttaswamy vs Union of India delivered a landmark judgement, wherein the Court recognized the right to privacy as a fundamental right enshrined under Article 21 of the Constitution of India. The Supreme Court further emphasized the need for a data protection framework.

Subsequently, a committee headed by Justice B.N. Srikrishna framed and introduced the Personal Data Protection Bill 2018, and pursuant to several rounds of discussion with stakeholders, the Ministry of Electronics and Information Technology introduced the final bill, called the Personal Data Protection Bill 2018 ("PDPB Bill"), in the Lok Sabha.

Obligations under the PDPB Bill 2019


The PDPB Bill applies to the storing and processing of personal data of a data principal by the data fiduciary. 

The key definitions under the Bill are:
  • Data Fiduciary – a person / state / company / entity that determines the purpose and means of processing personal data
  • Data Principal – individual / HUF / company / firm / association of persons or body of individuals / state / other entities
  • Personal Data – data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

The PDPB Bill imposes certain obligations on the data fiduciary for the processing of the personal data of a data principal.

The following are the obligations:

  • Consent- The personal data of a data principal shall be processed only pursuant to the consent of the data principal. The Bill lays emphasis on the importance of the data principal's consent before the personal data is processed by the data fiduciary.
  • Reasonable Purpose- All personal data processed by the data fiduciary shall be processed for a specific purpose, and such purpose shall be fair and reasonable.
  • Notice- Every data fiduciary shall issue a notice to the data principal at the time of processing the data, specifying the purpose of processing and the nature of the personal data being processed, and providing the contact details of the data protection officer. If the data is not collected directly from the individual, then the notice must be provided to that individual as soon as is reasonably practicable.
  • Limited Retention- The data fiduciary shall process the data for a reasonable purpose and for a limited period. Once the data has satisfied the purpose for which it was collected, it shall be deleted by the data fiduciary.

Therefore, a data fiduciary is obligated to process the data only after fulfilling the above obligations. However, it is pertinent to note that these are only the primary obligations conferred upon the data fiduciary under the PDPB Bill.

Key Compliances under the PDPB Bill


  1. Privacy by Design: Every data fiduciary shall prepare a privacy by design policy. The privacy by design policy shall describe the standard technical systems used to identify the data and the measures taken to prevent any data breach. It shall also set out the obligations of the data fiduciary, the technology used in processing the data and the transparency of the processing. The privacy by design policy shall be certified by the Authority under the PDPB Bill.
  2. Maintain Transparency: Every data fiduciary shall process data while maintaining transparency. It shall take steps to maintain transparency by providing, inter alia:
  • The purpose and category of the data being processed by the data fiduciary;
  • The rights of the data principal;
  • The right of the data principal to file a complaint in the event of any data breach.

Appointing a Data Protection Officer

Every data fiduciary shall appoint a Data Protection Officer. The primary duties of the Data Protection Officer shall be to assess and monitor the data processed by the data fiduciary, advise the data fiduciary with respect to the data protection impact assessment, and act as the point of contact in the event of any grievance. Additionally, a data fiduciary shall also have a proper grievance redressal mechanism in place.

Data Protection Impact Assessment


Where a data fiduciary undertakes to process data using new technology, processes large volumes of sensitive data such as genetic data or biometric data, or carries out any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the relevant provisions of the Bill.

Data Localization in case of Cross-Border Transfer of Data

Cross-border transfer of sensitive data is permitted under the PDPB Bill; however, such data must continue to be stored in India.

Additionally, cross-border transfer is permitted subject to the following conditions:


  • the transfer is pursuant to a contract or intra-group scheme approved by the data protection authority; or
  • the government has allowed the transfer to a country, or to an entity or class of entities in a country, or to an international organization, on the basis of its finding of an adequate level of protection, and such transfer does not affect the enforcement of any other relevant law; or
  • the data protection authority has allowed the transfer of sensitive personal data, or a class of sensitive personal data, necessary for a specific purpose.

Penalties

The PDPB Bill imposes stringent penalties for any contravention of its provisions, which may also include imprisonment.

Conclusion

The PDPB Bill 2019 is a step towards better protection and safety of the personal data of an individual. Considering the importance of data in today's world and its significance in the digital economy, it is pertinent to take steps to ensure the protection of data by regulating it, so as to obligate every organization or company processing such data to maintain certain safety standards and provide transparency. Therefore, pursuant to the implementation of the Bill, every company shall have to frame its privacy policy as per the PDPB Bill and further ensure compliance with the Bill.
