Early in 2019, the Indian parliament introduced a bill that concerned the privacy of data of billions in the country – the Personal Data Protection Bill (PDPB). As the very preface of the bill suggests, it has been introduced keeping in mind the growing use of data in the digital economy. The key purpose of the bill is to ‘protect personal data as an essential facet of informational privacy’ and thereby upholding the fundamental right to privacy of Indian citizens. However, even since the bill has hit the floor various stakeholders – including lawmakers, citizen representatives, and corporations – have raised concerns about some inclusions in the bill. Many have even called the bill ‘pro-government’.

To present a context, the bill has been modelled around the GDPR but in a very crude manner, and with authoritarian leanings. The PDPB has a framework which enables government surveillance and allows the government access to citizen data as and when it deems fit. This certainly undermines citizen privacy. The blurred distinctions between personal and non-personal data are also of grave concern. These, and many other such concerns, have led to the bill being tabled in the Parliament in December 2019. It is currently under analysis by the Joint Parliamentary Committee. 

Let’s take a closer look at the bill and understand the key provisions included. 

Data Protection Inclusions

Or should we say, obligations? The PDPB lays down some key obligations for data fiduciaries – companies that concern with the use, processing, or transfer of data – which they must adhere to. As per the bill, fiduciaries must –

  • Process personal data for a specific, clear, and lawful purpose 
  • Process personal data in a fair, reasonable, and privacy-protective manner for the purpose specified and reasonably expected given the context 
  • Collect only the personal data necessary for the purpose 
  • Provide data principals with notice of the collection and processing of their personal data, including the purpose, the fiduciary’s identity, the retention period, the principals’ rights, and other details 
  • Ensure that the personal data is complete, accurate, up-to-date, and not misleading 
  • Retain the personal data for no longer than necessary to complete the purpose and to delete the data upon completion of processing 
  • Ensure accountability with the PDPB 
  • Obtain data principals’ consent to process their personal data, ensuring that the consent is freely given, informed, specific to the purpose, clearly provided through affirmative action, and capable of being withdrawn

While this is just an overview of the key accountable of the bill, let’s further understand some of them in detail. 

Data Principal Rights 

Data Principals – or data subjects as defined in GDPR – have some specific data-related rights enlisted as part of the PDPB. These rights have been designed in-line with the data subjects’ rights listed in GDPR. Let’s understand them in detail – 

  1. Data Processing – Principals have the right to get a confirmation from the fiduciaries about the processing of their data. Fiduciaries must give them access to the types of data processed and the details of processing activities in clear, layman terms.
  2. Data Accuracy – The PDPB gives principals the right to correct, update, and complete any incomplete or incorrect personal data. Principals can also ask fiduciaries to erase their data if it is no longer necessary for the original processing purpose.
  3. Data Portability – Under PDPB data principals have the right to port their data. Fiduciaries must provide principals with personal data in a structured, commonly used, and machine-readable format, including data that forms part of a profile of a principal. 
  4. Data Disclosure – Data principals have the right to demand the discontinuation of data disclosure where the purpose of disclosure has already been served, or the data is no longer required for that purpose, the PDPB violates the disclosure, or the principals have withdrawn consent. However, this right can only be enforced by the order of an Adjudicating Officer appointed by the Data Protection Authority (DPA).

Consent for Processing of Personal Data

The Personal Data Protection Bill mandates the fiduciaries to obtain data principals’ consent before processing any personal data. However, just like GDPR, the PDPB also enlists various circumstances under which fiduciaries can process data with consent. Some such instances are listed below – 

  • To comply with a law 
  • To comply with a court order or judgment 
  • To respond to a medical emergency involving the data principal or another individual 
  • To ensure an individual’s safety during any disaster or any breakdown of public order 

Some other cases wherein PDPB allows data processing without consent include – 

  • Processing of non-sensitive personal data when needed for purpose of employment (hiring or terminating employment)
  • Processing of non-sensitive personal data when needed for purpose of employment (hiring or terminating employment)

Transparency and Accountability Measures 

The PDPB encourages data fiduciaries to be transparent and accountable when it comes to obtaining and processing sensitive data. As per the bill, the fiduciaries must be transparent about their privacy policies, listing details of the types of personal data collected and processed, the purposes of the processing, and information on cross-border transfers of personal data.

It is also imperative that the data fiduciaries ensure the security of personal data processed by them. The PDPB requires them to implement some safeguards to ensure this – steps to prevent misuse, unauthorized access to, modification, disclosure, or destruction of personal data, and de-identification and data encryption. Moreover, in the case of a data breach, the fiduciary must inform the DPA. 

The PDPB also lays down strict guidelines for data processors working with fiduciaries. The bill requires fiduciaries to have proper contracts in place which bind the processors to process data as per fiduciaries’ instructions and treat data as confidential. 

Finally, data fiduciaries must implement procedures and mechanisms to intake and resolve data principals’ complaints in an efficient and speedy manner. 

Cross-Border Personal Data Transfers 

The PDPB, unlike the GDPR, prohibits the transfer of “critical personal data” outside India, except in certain circumstances.  And even in such cases where they may transfer data across borders, the fiduciaries must store that data within India. Plus, they must take explicit consent from the data principals before transferring the data. 

The PDPB is a complex bill which is still under review, pending voting. It has various aspects that are similar to the GDPR, but there are many new concepts which need to be reviewed and understood. The whole review process has been delayed in wake of the COVID-19 Pandemic. 

The bill was supposed to go to India’s parliament on July 7, but it has been stalled on the route. There is no news on when the bill might be enacted upon. However, as and when the bill is passed and enacted, organisations all across the globe will face compliance challenges. Secuvy can help you manage these challenges from the ground up. Get in touch today: info@secuvy.com