Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Data Decoded: Understanding India's Draft Data Protection Bill
Ähnlich wie Data Decoded: Understanding India's Draft Data Protection Bill (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Data Decoded: Understanding India's Draft Data Protection Bill
- 3. Background of the Draft Bill ● The Ministry of Electronics & Information Technology constituted a Committee of Experts. ● Chairman – retired SC Judge, Justice B.N. Srikrishna. ● Mandate – study issues relating to data protection in India and suggest measures. ● Committee issued: ○ Data Protection Report - “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”; and ○ Draft Personal Data Protection Bill, 2018 ● MEITY has sought feedback from public We are here
- 4. How Does This Draft Bill Become a Law? (Next Steps): ● MEITY to consider feedback from public ● Draft Bill to be modified, if required ● Union Cabinet to pass the draft Bill ● Bill to be introduced in Parliament
- 5. Important Concepts in the Draft Bill ● Data ● Personal data ● Sensitive Personal Data: ○ Passwords ○ Financial data ○ Health data ○ Official identifier ○ Sex life / sexual orientation / Transgender status / intersex status ○ Biometric / genetic data ○ Caste or tribe ○ Religious / political belief or affiliation ○ Anything else specified by Authority
- 6. Important Concepts in the Draft Bill (Continued) ● Data principal – natural person to whom data relates ● Data Fiduciary ○ Any person – individual / company / Govt. / entity ○ Determines purpose and means of processing data ● Processing – collection / recording / organizing / storing / disclosure / use / etc. SPD Personal Data Data
- 7. Obligations of the Data Fiduciary ● Processing in fair and reasonable manner ● Purpose limitation – clear, specific, lawful purposes ● Collection limitation– only necessary data ● Notice - DF to give notice to data principal about factors such as: o Purpose o Categories of data being collected o Identity/contact details of DF o Withdrawing consent o Basis for processing and consequences of not providing data o Identity of other DF or data processors with whom data shared o Cross-border transfer of data o Procedure for grievance redressal o Source of collection etc. ● Quality of data – complete, accurate, not misleading and updated ● Data storage limitation – only as long as necessary ● DF must follow provisions of the Act
- 8. When can Personal Data be Processed? ● By consent - free, informed, specific, clear and capable of being withdrawn ● For functions of State ● To comply with law or order of court/tribunal ● For prompt action (medical emergencies, safety, etc.) ● For employment purposes ● For reasonable purposes to be specified by the Authority like: ○ Whistle-blowing ○ M&A ○ Credit scoring ○ Prevention of unlawful activity ○ Recovery of debt ○ Publicly available personal data.
- 9. ● By explicit consent ● For functions of State ● To comply with law or order of court/tribunal ● For prompt action ● Further categories of SPD may be specified by the Authority When can personal data and SPD of children be processed? ● Protects / advances best interest of the child ● Age verification & parental consent ● Guardian data fiduciaries (GDFs): websites for children / DF who process large volumes of personal data of children. ● GDFs cannot profile/track kids or give targeted ads for kids. ● If GDFs are child counselors or child protection services, parental consent is not required. When can Sensitive Personal Data be Processed?
- 10. Rights of Data Principals ● Right to confirmation and access ○ Confirmation about the fact of processing ○ Summary of the personal data being processed ○ Summary of processing activities undertaken ● Right to correct, complete and update personal data ● Right to data portability - Personal data available with DF can be transferred to another DF on DP’s request ● Right to be forgotten – Upon application to Authority in following cases: ○ When purpose is served ○ When consent has been withdrawn ○ When disclosure was made contrary to provisions of the Bill or any other law
- 11. How to Exercise These Rights? ● DP to make a request in writing to the DF (except Right to be forgotten) ● If data portability or summary of processing activities sought – DF can charge fee ● DF to comply within reasonable time. ● If request declined by DF, need to give reasons in writing and inform DP about her right to complaint to Authority ● DF not bound to comply with anything from S.24 to 27 if it would harm any other DP.
- 12. How Does the Bill Impact Businesses? ● Provide ‘Notice’ before collecting Data that is clear, concise and can be easily understood by the average person. ○ This Notice may be in multiple languages if required ● Organisations should provision for individual privacy and innovation can’t take place at the risk of compromising an individual’s privacy. ● Create safeguards like the de-identification of data to prevent misuse. ● Be transparent about data being collected and processed and provide information at periodic intervals about the data that is being processed. ● Maintain at least one copy of data collected on a server located in India.
- 13. Compliances ● Different standards of compliance for ‘significant data fiduciaries’, data fiduciaries and small entities. ○ Significant data fiduciaries will be classified based on the volumes of data processed, sensitivity of data, turnover, new technologies used, risk of harm from processing. ○ Small entities are organisations with a turnover under 20 lakh, that manually process data and haven’t collected personal data of over 100 people in the last calendar year. ● Report data breaches to the authorities along with measures taken to remedy a breach. ● Conduct annual data audits, through a recognised professional auditor. Conduct Data Protection Impact assessments before using new technologies. ● Maintain records of data collected and the manner of it’s processing. ● Appoint a data protection officer with whom grievances can be raised and who can provide advice to ensure data protection under this Bill.
- 14. Authorities and Penalties ● The Bill, provides for the creation of a Data Protection Authority and an Appellate Tribunal. ● Penalties under this Bill are as follows: ● These penalties are separate from compensation. 5 crore or 2% of global turnover 15 crore or 4% of global turnover 5,000/- Failure to attend to indvidual's requests 10,000/- Failure to give information to the Authority 20,000/- Failure of significant fiduciaries to comply with orders. 5,000/- Failure of fiduciaries to comply with orders. 1 crore - For significant fiduciaries where no penalty is specified. 25 lakh - For fiduciaries where no penalty is specified. • Not acting promptly on a data breach. • Not undertaking data impact assesment • Not appointing a data protection officer • Not registering with the authority • Unlawful processing of data • Violates the grounds for processing • Processing sensitive personal data or children's data incorrectly • Failure to ensure data security • Transferring personal data contrary to the Act's provisions
- 15. ● All offences under the Act are cognizable and non-bailable. Offences under the Act are: ○ Transferring data contrary to the Act - 2 lakh fine and/or 3 year imprisonment. ○ Obtaining or selling personal data - 3 lakh fine and/or 5 years in jail. ○ Re-identifying and processing personal data without consent 2 lakh fine and/or 3 years in jail. Offences Under the Bill
- 16. www.meity.gov.in www.saveourprivacy.in www.civis.vote twitter.com/_maadhyam_ What can you do about the Bill and how?