To whom will the Bill be applicable?
The Bill is applicable to the processing of personal data by:
- Companies either incorporated in India or foreign companies dealing with personal data of individuals in India.
- any citizen of India or any person or body of persons incorporated or created under Indian law
- data has been collected, disclosed, shared or otherwise processed within the territory of India
- data fiduciaries or data processors not present within the territory of India, if such processing is in connection with either of the following activities within the territory of India:
  - any business carried on in India,
  - any systematic activity of offering goods or services to data principals
  - profiling of data principals
- anonymised data (S. 91): "anonymisation", in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority
What are the authorities appointed under this Bill?
The Authority appoints the Adjudicating Officer. The Central Government prescribes the manner and terms of appointment, jurisdiction of Adjudicating Officers, etc.
- Appellate Tribunal:
Chairperson: present or former Judge of the Supreme Court or Chief Justice of a High Court
Member: has held the post of Secretary to the Government of India or any equivalent post in the Central Government for a period of not less than two years or a person who is well versed in this field of data protection
The Central Government prescribes the manner and terms of appointment, removal of chairman or members of the Appellate Tribunal.
- Data Protection Authority of India: a Chairperson and not more than six whole-time Members to be appointed by the Central Government for a term of five years or till they attain the age of sixty-five years, whichever is earlier, on the recommendation made by a selection committee consisting of:
  - the Cabinet Secretary - Chairperson of the selection committee;
  - the Secretary to the Government of India in the Ministry or Department dealing with the Legal Affairs;
  - the Secretary to the Government of India in the Ministry or Department dealing with the Electronics and Information Technology.
What is "personal data"?
- data about or relating to a natural person
- the natural person is directly or indirectly identifiable
- through any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features with any other information, including any inference drawn from such data for the purpose of profiling (any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal);
- whether online or offline,
What is "sensitive personal data"?
"Sensitive personal data" means such personal data which may reveal, be related to, or constitute: (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data as notified by the Central Government after consultation with the Authority and the sectoral regulator concerned under S. 15 of the Bill.
What is "personal data breach"?
- Any unauthorised or accidental
- disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data
- that compromises the confidentiality, integrity or availability of personal data to a data principal (the natural person to whom the personal data relates).
Under what conditions is the processing of data allowed?
"Processing" in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
Data can be processed by:
- Any person: "person" includes (i) an individual, (ii) a Hindu undivided family, (iii) a company, (iv) a firm, (v) an association of persons or a body of individuals, whether incorporated or not, (vi) the State, and (vii) every artificial juridical person, not falling within any of the preceding sub-clauses;
If a data fiduciary is processing the data:
- give to the data principal a notice, at the time of collection of the personal data or as soon as reasonably practicable, mentioning the purposes, nature and categories of personal data, identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable; the right of the data principal to withdraw his consent and procedures thereof if the personal data is intended to be processed on the basis of consent; and the other details as mentioned in S. 7() of the Bill.
There are further obligations on the data fiduciary.
- For specific, clear and lawful purpose.
- In a fair and reasonable manner
- Ensure the privacy of the data principal;
- purpose for which consented, incidental to or connected with such purpose,
- which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected.
- Extent: to the extent necessary for the purposes of processing of such personal data.
- Exception: Under Section 12 of the Bill, the personal data may be processed:
- Under laws (made by Parliament or State Legislature) in force
- Medical emergency/ to data principal or any other individual
- Medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health
- Measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.
- Exception: Under Section 13 of the Bill, the personal data, except sensitive personal data, may be processed:
- Where the consent of the data principal is not appropriate having regard to the employment relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing under the said sub-section.
- The processing of data is necessary for:
  - recruitment or termination of employment of a data principal by the data fiduciary; or
  - provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary; or
  - verifying the attendance of the data principal who is an employee of the data fiduciary; or
  - any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.
- Exception: Under Section 14 of the Bill, the personal data may be processed:
- If such processing is necessary for reasonable purposes such as prevention and detection of any unlawful activity including fraud; whistle blowing; mergers and acquisitions; network and information security; credit scoring; recovery of debt; processing of publicly available personal data; and the operation of search engines.
- After taking into consideration the interests of the:
  - data fiduciary: its interest in processing for that purpose; whether it can reasonably be expected to obtain the consent of the data principal;
  - public: the public interest in processing for that purpose;
  - data principal: the effect of the processing activity on the rights of the data principal; and the reasonable expectations of the data principal having regard to the context of the processing.
What is the nature of consent?
- Free consent u/S. 14 of the Indian Contract Act, 1872;
- Informed consent u/S. 7 of Data Protection Bill
- Specific to determine the scope of consent for processing;
- Capable of being withdrawn with ease similar to that with which consent may be given.
- The provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on consent to the processing of any personal data not necessary for that purpose.
- If it is in respect of processing of any sensitive personal data, then, in addition to the above mandates, the consent of the data principal shall be explicitly obtained:
(a) after informing him the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;
(b) in clear terms without recourse to inference from conduct in a context; and
(c) after giving him the choice of separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.
On whom does the burden of proof lie for valid consent?
Under Section 11(5) of the Bill, the data fiduciary has the burden of proof that the consent has been given by the data principal for processing of the personal data.
What are the special provisions for a child?
A data fiduciary shall process the personal data of a child:
- After verifying the age of the child
- After obtaining the consent of the child's parent or guardian
Exception: It is not applicable for the guardian data fiduciary providing exclusive counselling or child protection services to a child.
- in such manner that protects the rights of the child
- is in the best interests of the child
The Data Protection Authority of India shall classify as a guardian data fiduciary any data fiduciary who:
- operates commercial websites or online services directed at children;
- processes large volumes of personal data of children.
There are added obligations on the guardian data fiduciary, which apply in such modified form to a data fiduciary offering counselling or child protection services to a child as the Authority may by regulations specify. It shall be barred from profiling, tracking or behaviourally monitoring, or targeted advertising directed at, children and from undertaking any other processing of personal data that can cause significant harm to the child.
What are the rights of the data principal?
- To receive the following in a clear and concise manner that is easily comprehensible to a reasonable person:
  - Status confirmation of the processing by data fiduciary
  - List or summary of personal data being processed or that has been processed
  - Summary of processing activities undertaken by the data fiduciary
- Correction of inaccurate or misleading personal data or updating of personal data that is out-of-date;
- Completion of incomplete personal data;
- Erasure of personal data which is no longer necessary for the purpose for which it was processed.
- Where the processing has been carried out through automated means, the data principal shall have the right to:
(a) receive the following personal data in a structured, commonly used and machine-readable format: the personal data provided; the data which has been generated in the course of provision of services or use of goods by the data fiduciary; or the data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained; and
(b) have such personal data as referred to above transferred to any other data fiduciary in the format referred to in that clause.
Exception to (e): No such right if processing is necessary for functions of the State or in compliance with a law or an order of a court under section 12; or if compliance with such request would reveal a trade secret of any data fiduciary or would not be technically feasible.
- Right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary where such disclosure has served the purpose for which it was collected, the consent under section 11 is withdrawn, or was made contrary to the provisions of this Bill or any other law for the time being in force.
Pre-condition: Only after an order of the Adjudicating Officer made on an application filed by the data principal and unless it is shown that the right or interest of the data principal overrides the right to freedom of speech and expression and the right to information of any other citizen.
The data principal may apply for the review of that order to the Adjudicating Officer.
Any person aggrieved by an order made under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.
If the data fiduciary agrees with (b), (c) or (d), then the same shall be notified to all relevant entities or individuals to whom such personal data may have been disclosed by the data fiduciary.
If the data fiduciary does not agree with (b), (c) or (d), then it shall provide adequate justification in writing for rejecting the application. If the data principal is not satisfied with the justification, the data principal may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the data principal.
What are the transparency and accountability measures for data fiduciary?
- Prepare a privacy by design policy containing provisions with reference to the managerial, organizational, business practices and technical systems, commercially accepted or certified technology, obligations of data fiduciaries; the interest of the data principal is accounted for at every stage of processing of personal data etc. The certified copy (by the Authority) of such privacy by design policy shall be published on the website of the data fiduciary and the Authority.
- Maintain transparency in processing personal data
- Implement necessary security safeguards of de-identification and encryption; for protection of the integrity of personal data; for prevention of misuse, unauthorized access to, modification, disclosure or destruction of personal data, according to nature of purpose and risks involved in individual cases.
- Inform the Authority by notice about the breach of any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal, with details about the nature of personal data, number of data principals affected by the breach, possible consequences of the breach, and the action being taken by the data fiduciary to remedy the breach.
What are the safeguards provided for "social media intermediary"?
"Social media intermediary" is an intermediary who:
- primarily or solely
- enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services
- It shall not include intermediaries which primarily:
  - enable commercial or business oriented transactions;
  - provide access to the Internet in the nature of search-engines, on-line encyclopedias, e-mail services or online storage services.
The Central Government, in consultation with the Authority, will notify such an intermediary as a 'significant data fiduciary' on the basis of the following parameters:
- users above such threshold as may be notified by the Central Government, in consultation with the Authority
- actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India
Impact of above notification: It shall now enable the users who register their service from India, or use their services in India, to voluntarily verify their accounts in such manner as may be prescribed.
What is a "significant data fiduciary"?
The Authority notifies a "significant data fiduciary" on the basis of the following factors:
- volume of personal data processed
- sensitivity of personal data processed
- turnover of the data fiduciary
- risk of harm by processing by the data fiduciary
- use of new technologies for processing
- any other factor causing harm from such processing
Added obligations for a "significant data fiduciary":
- Register itself with the Authority
- If it intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data carrying a risk of significant harm to data principals, then a data protection impact assessment has to be undertaken prior to it. It includes a detailed description of the nature of data, processes, purposes, potential harm and risk management measures. The assessment will be submitted to the Authority, which can pass a cease order if it has reason to believe that the processing is likely to cause harm to the data principals.
- Have its personal data audited annually by an independent data auditor to evaluate compliance with the provisions of this Bill. The 'Data Auditor' shall be registered with the Authority.
- Appoint a data protection officer who is based in India
[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]