As the world continues to struggle with delays caused by COVID-19, India has delayed the review of its new data privacy legislation, the Personal Data Protection Bill, 2019 (PDPB). The PDPB uses the European Union’s General Data Protection Regulation (GDPR) as a model but contains several novel requirements.
If the PDPB passes, data fiduciaries—those who determine the purpose and means of processing personal data—will face new obligations and requirements, while data principals—the natural persons to whom the personal data relates—will gain new rights in relation to their personal data. This post summarizes the PDPB’s key provisions.
Data Protection Obligations
The PDPB obligates data fiduciaries to follow well-established processing principles. In particular, the bill requires them to:
- Process personal data for a specific, clear, and lawful purpose
- Process personal data in a fair, reasonable, and privacy-protective manner for the purpose specified and reasonably expected given the context
- Collect only the personal data necessary for the purpose
- Provide data principals with notice of the collection and processing of their personal data, including the purpose, the fiduciary’s identity, the retention period, the principals’ rights, and other details
- Ensure that the personal data is complete, accurate, up-to-date, and not misleading
- Retain the personal data for no longer than necessary to complete the purpose, and delete the data upon completion of processing
- Remain accountable for compliance with the PDPB
- Obtain data principals’ consent to process their personal data, ensuring that the consent is freely given, informed, specific to the purpose, clearly provided through an affirmative action, and capable of being withdrawn
Processing Personal Data Without Consent
The PDPB’s requirement that data fiduciaries obtain data principals’ consent for processing aims to ensure the principals’ fundamental right to privacy. Like the GDPR, however, the PDPB provides several grounds for processing without consent.
For example, data fiduciaries may process personal data without consent in the following cases:
- To comply with a law
- To comply with a court order or judgment
- To respond to a medical emergency involving the data principal or another individual
- To ensure an individual’s safety during any disaster or any breakdown of public order
In addition, the PDPB allows the processing of non-sensitive personal data without consent when necessary for purposes related to employment, such as recruiting or terminating employment. The PDPB also permits the processing of personal data without consent in cases that the Data Protection Authority (DPA) specifies by regulation as “reasonable purposes,” such as prevention and detection of unlawful activity, credit scoring, and search engine operations.
Data Principal Rights
To protect the privacy of individuals, the PDPB grants data principals several rights relating to their personal data. These rights are similar to those under the GDPR.
Under the PDPB, data principals have the right to confirm whether the data fiduciary is processing or has processed their personal data, and to access the types of personal data held and details about the processing activities. Data fiduciaries must respond clearly and concisely so that the average person will understand.
Data principals also have the right to correct inaccurate or misleading personal data, complete incomplete data, update outdated data, and erase data that is no longer necessary for the original processing purpose.
Moreover, the PDPB grants data principals the right to data portability, i.e., to receive their personal data in a structured, commonly used, and machine-readable format, including data that forms part of a profile of a principal.
Finally, data principals have the right to restrict or prevent the continuing disclosure of their personal data where that disclosure has served the purpose of the initial collection or the data is no longer necessary for that purpose, the principals have withdrawn consent, or the disclosure violated the PDPB or another law. However, only an Adjudicating Officer appointed by the DPA may enforce this right through an order. And data principals would have to demonstrate that their rights or interests in preventing or restricting the disclosure of their “personal data overrides the right to freedom of speech and expression and the right to information of any other citizen.”
Transparency and Accountability Measures
As with other modern privacy laws, transparency and accountability are crucial areas of the PDPB. The bill requires data fiduciaries to develop privacy-by-design policies and to ensure the transparency of their processing activities, for example by providing privacy policies that detail the types of personal data collected and processed, the purposes of the processing, and information on cross-border transfers of personal data.
Data fiduciaries also must implement security safeguards to protect personal data. Such safeguards include de-identification and encryption, as well as steps to prevent misuse of, unauthorized access to, and modification, disclosure, or destruction of personal data. Moreover, if a data breach does occur and the breach is likely to cause harm to a data principal, the data fiduciary must inform the DPA.
The PDPB also regulates data processor relationships, requiring data fiduciaries to have contracts with data processors and requiring such processors to process personal data in accordance with the fiduciaries’ instructions, while treating the data as confidential.
Finally, data fiduciaries must implement procedures and mechanisms to intake and resolve data principals’ complaints in an efficient and speedy manner.
Significant Data Fiduciaries
Two critical aspects that clearly distinguish the PDPB from the GDPR are its concept of “significant data fiduciaries” and those fiduciaries’ additional obligations. The DPA will have the power to classify data fiduciaries as significant based on a multi-factor analysis that considers, among other things, the volume and sensitivity of personal data processed, the risk of harm from processing the data, and the use of new processing technologies.
Another unique aspect of the PDPB is its creation of the classification of “social media intermediary”—namely, “an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.” The bill deems a social media intermediary to be a significant data fiduciary where it has a certain number of users (a threshold the government has yet to set) and its actions have, or are likely to have, a significant impact on India’s electoral democracy, security, public order, or sovereignty and integrity.
On top of the requirements set forth for data fiduciaries (above), the PDPB increases significant data fiduciaries’ legal obligations. First, a significant data fiduciary must conduct a data protection impact assessment before it engages in any processing involving new technologies, large scale profiling, or the use of sensitive personal data, or any other processing which carries a risk of significant harm to data principals. Second, a significant data fiduciary must maintain accurate and up-to-date records of its processing operations and security safeguards reviews, among other information. Third, a significant data fiduciary must undergo an annual audit of its policies and processing activities by an independent data auditor. Based on the audit results, the data auditor may assign a rating in the form of a data trust score to the significant data fiduciary. Fourth, each significant data fiduciary must appoint a qualified and experienced data protection officer. Finally, social media intermediaries must enable users to verify their accounts to obtain a demonstrable and visible mark of verification.
Cross-Border Personal Data Transfers
Unlike the GDPR, the PDPB places heightened restrictions on transfers of personal data outside India. The PDPB does not explicitly set forth requirements for transfers of personal data. However, it prohibits the transfer of “critical personal data,” which has yet to be defined by the government, except in certain circumstances. For example, data fiduciaries may transfer such data where necessary to provide prompt health or emergency services or where permitted by the government and the DPA.
While data fiduciaries may transfer sensitive personal data outside India, they would have to continue to store that data within India. Moreover, they may only transfer such data with data principals’ explicit consent and where another condition applies, such as where the government and the DPA permit the transfer based on a finding that the destination country or entity provides an adequate level of data protection.
Due to the 2020 coronavirus pandemic, many important events have been put on hold. Review of and voting on the PDPB are no different. The bill was supposed to go to India’s parliament on July 7, but it has stalled en route. There is no word of a new date, so the bill is unlikely to be enacted any time soon.
The PDPB is complicated and detailed. Many aspects are familiar from predecessors like the GDPR, but there are many new concepts to grasp. If the PDPB is enacted, organizations worldwide will face additional compliance challenges.
If you’re looking for powerful and easy-to-use privacy management software, OneTrust is purpose-built to solve these challenges at scale, allowing marketers and organizations to simplify and strengthen their privacy program management. Schedule a demo today to learn more.