By Sandeep Gupta, Managing Director, Protiviti Member Firm for India
In the era of digitalization, data has become the bedrock of modern economies, propelling technological advancements and reshaping industries on a global scale. With its growing population and rapidly expanding digital infrastructure, India stands at the forefront of this data-driven revolution. However, as the country embraces the opportunities presented by data-driven technologies, addressing data privacy concerns has become paramount.
Data privacy represents a fundamental right of every individual, empowering them to retain control over their personal information and dictating how it is collected, stored, and utilized. In recent years, India has witnessed a surge in attention towards data privacy issues, driven by the exponential growth of internet users, e-commerce platforms, social media, and digital payment systems.
Taking proactive measures to tackle data privacy challenges, the government is on the right path: the Union Cabinet has approved the Digital Personal Data Protection Bill. This legislation aims to establish a comprehensive framework for data protection, defining the rights of individuals and the responsibilities of data processors and controllers. Moreover, it endeavors to strike a delicate equilibrium between fostering innovation and safeguarding the privacy of citizens.
The bill will have a significant impact on ways of working across key sectors such as BFSI, Healthcare & Life Sciences, IT/ITES, Energy, Manufacturing, Consumer Products and Hospitality, as well as Global Capability Centres (GCCs). Further, the impact from a readiness perspective will be greater on the SMB segment than on MNCs, which have typically already been exposed to global privacy regulations such as GDPR, CCPA and others. Further, given the adoption of emerging technologies such as AI/ML, the Metaverse and IoT, organizations will need to align carefully with the requirements of the bill while ensuring that functionality and business results are not impacted.
Some key highlights to consider:
Applicability and Scope: The scope of this legislation is limited to personal data that is either obtained within the borders of India through online channels or initially acquired offline and later digitized. Therefore, offline personal data, data that remains non-digitized, data processed for personal or domestic purposes, or data that has been in existence for over a century will be exempt from the provisions of this law. Additionally, the legislation will extend its scope to include the processing of digital personal data outside the territorial boundaries of India, but only if such processing is related to profiling or offering goods or services to individuals (Data Principals) residing within the territory of India.
Applicability to data: The bill takes an all-encompassing approach to safeguarding personal data, without making a distinction between regular personal data and sensitive personal data. It mandates explicit consent for data collection across the board.
Lawful Basis of Processing, Consent and Deemed Consent: Data Fiduciaries must furnish a comprehensive notice to the Data Principal, clearly enumerating the specific personal data they intend to collect and the purpose behind its processing. This information must be made available in either English or any language specified in the Eighth Schedule of the Constitution of India. Additionally, the contact details of the Data Protection Officer or authorized personnel must be shared with the Data Principal to facilitate communication and the exercise of their rights.
The Data Principal holds the right to revoke consent at any time. Furthermore, the process of giving, managing, reviewing, and withdrawing consent can be carried out through a ‘consent manager,’ which is a data fiduciary offering an accessible, transparent, and interoperable platform for these actions.
In situations where the Data Principal voluntarily provides personal data, consent to its processing is implied. This applies to cases of medical emergencies, the performance of functions under the law for the benefit of the Data Principal, or compliance with legal requirements.
Data Protection Board: The Central Government is entrusted with the responsibility of setting up the Data Protection Board of India, an autonomous entity tasked with supervising compliance with the forthcoming data protection law. This board will possess the authority to impose penalties on data fiduciaries and Data Principals in cases of non-compliance.
Moreover, to further empower individuals, the law identifies various avenues for recourse. Alternate dispute resolution mechanisms have been put in place, and individuals have the option to appeal against the Board’s decisions in the High Court.
Cross-Border Data Transfer: The Central Government shall provide a list of countries to which cross-border data transfer is allowed.
Appointment of a Data Protection officer and Data Auditor: The Central Government holds the authority to designate any Data Fiduciary or a specific category of Data Fiduciaries as “Significant Data Fiduciary” based on a thorough evaluation of relevant factors. These factors include the volume or sensitivity of personal data processed, potential harm to the Data Principal, impact on India’s sovereignty and integrity, risks to electoral democracy, security of the State, public order, and any other pertinent considerations deemed necessary. Once designated as Significant Data Fiduciaries, they will be obliged to appoint a Data Protection Officer, who will be accountable to the board of directors or significant governing body. Additionally, they will be required to hire a Data Auditor to assess and ensure compliance with data protection regulations. Furthermore, the law may prescribe various measures, such as periodic audits and Data Protection Impact Assessments, based on the specific needs and requirements of the act. These measures are designed to enhance the protection and security of personal data.
Rights of the Data Principal: These include the right to information about personal data as well as the right to correction and erasure. The Bill also presents the right to grievance redressal, mandating that the Data Fiduciary must address the Data Principal’s concerns within a 7-day period, or even shorter if prescribed. This proactive step is aimed at curtailing the time required for the Data Fiduciary to recognize and appropriately address the Data Principal’s grievance.
Breach notification: As per the Bill, in the event of a data breach, the Data Fiduciary and Processor must notify all affected Data Principals promptly. This crucial provision ensures that Data Principals whose personal data might have been compromised receive timely information about any data breach, irrespective of the level of risk involved.
Penalties: Non-compliance by a Data Fiduciary: If there is a significant breach of compliance, the Board has the authority to levy a financial penalty of up to INR 500 Crore per instance, after giving the person a fair opportunity to present their case. Non-compliance by a Data Principal: The penalty for non-compliance by a Data Principal can amount to a maximum of INR 10,000.
Timeline for Compliance: While the bill doesn’t outline a specific implementation schedule, it requires organizations to take a more proactive stance in adhering to its provisions.
The draft bill strives to strike a harmonious equilibrium between the right to privacy and national security imperatives. It incorporates provisions permitting exemptions where processing personal data becomes essential to safeguard national security interests. By adopting this approach, the bill safeguards privacy rights while acknowledging the legitimate concerns of national security and allowing data to be harnessed for beneficial purposes. The draft bill represents a step in the right direction, laying the groundwork for enhanced data protection and helping India’s data protection system become more robust and mature in the long term.