India's draft Personal Data Protection Bill, 2018 has been drafted by a committee of experts. Before it becomes law, you can share your inputs on the Bill.
Better understand the Bill through this presentation and share your feedback before 30th September on the MEITY website or at www.civis.vote.
3. Background of the Draft Bill
● The Ministry of Electronics & Information Technology (MEITY) constituted a Committee of Experts.
● Chairman – Justice B.N. Srikrishna, retired Supreme Court judge.
● Mandate – study issues relating to data protection in India and suggest measures.
● Committee issued:
○ Data Protection Report - “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”; and
○ Draft Personal Data Protection Bill, 2018
● MEITY has sought feedback from the public (this is the current stage).
4. How Does This Draft Bill Become a Law? (Next Steps):
● MEITY to consider feedback from public
● Draft Bill to be modified, if required
● Union Cabinet to pass the draft Bill
● Bill to be introduced in Parliament
5. Important Concepts in the Draft Bill
● Data
● Personal data
● Sensitive Personal Data:
○ Passwords
○ Financial data
○ Health data
○ Official identifier
○ Sex life / sexual orientation / Transgender status / intersex status
○ Biometric / genetic data
○ Caste or tribe
○ Religious / political belief or affiliation
○ Anything else specified by Authority
6. Important Concepts in the Draft Bill (Continued)
● Data principal – natural person to whom data relates
● Data Fiduciary
○ Any person – individual / company / Govt. / entity
○ Determines purpose and means of processing data
● Processing – collection / recording / organizing / storing / disclosure / use / etc.
(Diagram: nested categories – Data, Personal Data, Sensitive Personal Data (SPD))
7. Obligations of the Data Fiduciary
● Processing in fair and reasonable manner
● Purpose limitation – clear, specific, lawful purposes
● Collection limitation– only necessary data
● Notice - DF to give notice to the data principal about factors such as:
○ Purpose
○ Categories of data being collected
○ Identity/contact details of DF
○ Withdrawing consent
○ Basis for processing and consequences of not providing data
○ Identity of other DFs or data processors with whom data is shared
○ Cross-border transfer of data
○ Procedure for grievance redressal
○ Source of collection, etc.
● Quality of data – complete, accurate, not misleading and updated
● Data storage limitation – only as long as necessary
● DF must follow provisions of the Act
8. When can Personal Data be Processed?
● By consent - free, informed, specific, clear and capable of being withdrawn
● For functions of State
● To comply with law or order of court/tribunal
● For prompt action (medical emergencies, safety, etc.)
● For employment purposes
● For reasonable purposes to be specified by the Authority like:
○ Whistle-blowing
○ M&A
○ Credit scoring
○ Prevention of unlawful activity
○ Recovery of debt
○ Publicly available personal data.
9. When can Sensitive Personal Data be Processed?
● By explicit consent
● For functions of State
● To comply with law or order of court/tribunal
● For prompt action
● Further categories of SPD may be specified by the Authority
When can personal data and SPD of children be processed?
● Processing must protect / advance the best interests of the child
● Age verification & parental consent
● Guardian data fiduciaries (GDFs): websites for children / DFs who process large volumes of personal data of children.
● GDFs cannot profile/track children or target advertising at children.
● If GDFs are child counsellors or child protection services, parental consent is not required.
10. Rights of Data Principals
● Right to confirmation and access
○ Confirmation about the fact of processing
○ Summary of the personal data being processed
○ Summary of processing activities undertaken
● Right to correct, complete and update personal data
● Right to data portability - Personal data available with a DF can be transferred to another DF on the DP's request
● Right to be forgotten – Upon application to Authority in following cases:
○ When purpose is served
○ When consent has been withdrawn
○ When disclosure was made contrary to provisions of the Bill or any other
law
11. How to Exercise These Rights?
● DP to make a request in writing to the DF (except the Right to be forgotten)
● If data portability or a summary of processing activities is sought – the DF can charge a fee
● DF to comply within a reasonable time.
● If the request is declined by the DF, it must give reasons in writing and inform the DP of her right to complain to the Authority
● DF is not bound to comply with a request under Sections 24 to 27 if doing so would harm any other DP.
12. How Does the Bill Impact Businesses?
● Provide a ‘Notice’ before collecting data that is clear, concise and can be easily understood by the average person.
○ This Notice may need to be in multiple languages.
● Organisations must build individual privacy into their products; innovation cannot come at the cost of an individual's privacy.
● Create safeguards, such as the de-identification of data, to prevent misuse.
● Be transparent about the data being collected and processed, and provide information at periodic intervals about the data that is being processed.
● Maintain at least one copy of the personal data collected on a server located in India.
13. Compliances
● Different standards of compliance for ‘significant data fiduciaries’, data fiduciaries and small entities.
○ Significant data fiduciaries will be classified based on the volume of data processed, sensitivity of the data, turnover, new technologies used, and the risk of harm from processing.
○ Small entities are organisations with a turnover under 20 lakh that process data manually and have not collected personal data of more than 100 people in the last calendar year.
● Report data breaches to the Authority, along with the measures taken to remedy the breach.
● Conduct annual data audits through a recognised professional auditor. Conduct Data Protection Impact Assessments before using new technologies.
● Maintain records of the data collected and the manner of its processing.
● Appoint a data protection officer with whom grievances can be raised and who can provide advice to ensure data protection under this Bill.
14. Authorities and Penalties
● The Bill provides for the creation of a Data Protection Authority and an Appellate Tribunal.
● Penalties under this Bill are as follows. These penalties are separate from compensation payable to data principals.
● Up to 5 crore or 2% of global turnover, whichever is higher, for:
○ Not acting promptly on a data breach
○ Not undertaking a data protection impact assessment
○ Not appointing a data protection officer
○ Not registering with the Authority
● Up to 15 crore or 4% of global turnover, whichever is higher, for:
○ Unlawful processing of data
○ Violating the grounds for processing
○ Processing sensitive personal data or children's data incorrectly
○ Failure to ensure data security
○ Transferring personal data contrary to the Act's provisions
● Fixed penalties:
○ 5,000/- – Failure to attend to an individual's requests
○ 10,000/- – Failure to give information to the Authority
○ 20,000/- – Failure of significant data fiduciaries to comply with orders
○ 5,000/- – Failure of data fiduciaries to comply with orders
○ Up to 1 crore – Significant data fiduciaries, where no penalty is otherwise specified
○ Up to 25 lakh – Data fiduciaries, where no penalty is otherwise specified
15. Offences Under the Bill
● All offences under the Act are cognizable and non-bailable. Offences under the Act are:
○ Transferring personal data contrary to the Act – fine of up to 2 lakh and/or imprisonment of up to 3 years.
○ Obtaining or selling personal data contrary to the Act – fine of up to 3 lakh and/or imprisonment of up to 5 years.
○ Re-identifying and processing de-identified personal data without consent – fine of up to 2 lakh and/or imprisonment of up to 3 years.