10 Key Points of the Data Protection Bill to Enhance Privacy and Security

Sandeep Gupta, the Managing Director of Protiviti Member Firm for India, offers his perspective on the news.

In the age of digitization, data has become the bedrock of modern economies, driving technological development and shaping industries worldwide. With its growing population and rapidly growing digital infrastructure, India is at the forefront of this data-driven revolution. However, as the country takes advantage of the opportunities offered by data-driven technologies, addressing privacy concerns has become paramount.

Data protection is a fundamental right of every individual, which allows them to control their personal data and dictate how it is collected, stored and used. In recent years, India has seen an explosion in attention to privacy issues due to the explosive growth of internet users, e-commerce platforms, social media and digital payment systems.

The government has taken proactive steps to address data protection challenges and is on the right track as it has passed the Digital Personal Data Protection Act in the Union Government. This legislation aims to create a comprehensive data protection framework that defines the rights of individuals and the responsibilities of data processors and data controllers. In addition, it strives to find a delicate balance between promoting innovation and protecting citizens’ privacy.

The bill has a significant impact on working methods in key sectors such as BFSI, Healthcare & Lifesciences, IT/ITES, Energy, Manufacturing, Consumer products, Hospitality and Global Capability Centers (GCC). Also, the impact from a preparedness perspective will be more in the SME segment than MNCs who would have already been exposed to global data protection regulations like GDPR, CCPA and others. Additionally, given the introduction of new technologies such as AI/ML, Metaverse and IOT, it is necessary to carefully adapt to the bill’s requirements while ensuring that functionality and business results are not affected.

Some important things to consider are the following:

Scope and Scope: The scope of this legislation is limited to personal data either obtained within the borders of India through online channels or initially acquired offline and subsequently digitized. Therefore, offline personal data, non-digitized data, data processed for personal or domestic purposes or data that has existed for more than a century are exempted from the provisions of this law. In addition, the scope of the law is extended to the processing of digital personal data outside the territorial borders of India, but only if such processing is related to profiling or the provision of goods or services to persons residing in India (Data Principals).

Applicability to data: The draft law takes into account the protection of personal data in an all-encompassing way, without making a distinction between ordinary personal data and sensitive personal data. It mandates express consent to data collection everywhere.

Legal basis for processing, consent and deemed basis for consent: Data trustees must provide the data protection officer with a comprehensive notice that clearly lists the exact personal data they intend to collect and the purpose of their processing. This information shall be made available either in English or in any language mentioned in the Eighth Schedule of the Constitution of India. In addition, the contact information of the data protection officer or authorized personnel must be shared with the data protection officer in order to facilitate communication and the exercise of their rights.

The controller has the right to withdraw consent at any time. In addition, the process of granting, managing, reviewing and revoking consent can be carried out through a “consent manager”, a data fiduciary that provides an accessible, open and interoperable platform for these activities.

In situations where the Controller hands over personal data voluntarily, consent to their processing is required. This applies to medical emergencies, performing legal functions for the Data Controller or complying with statutory requirements.

Data Protection Board: The Central Government has been entrusted with the responsibility of setting up the Data Protection Board of India. It is an independent unit whose task is to monitor compliance with the future data protection law. This board has the authority to impose sanctions on data trustees and data controllers if the rules are not followed.

In addition, the law has identified several means by which individuals’ opportunities for influence can be strengthened. Alternative dispute resolution mechanisms have been introduced, and individuals have the opportunity to appeal government decisions to the Supreme Court.

Cross-border data transfer: The Government provides a list of countries to which cross-border data transfer is permitted.

Appointment of data protection officer and data inspector: The central government has the authority to designate any data trustee or a certain category of data trustees as “significant data security persons” based on a thorough assessment of relevant factors. These factors include the amount or sensitivity of the personal data being processed, potential harm to the Data Controller, impact on India’s sovereignty and integrity, electoral democracy, risks to national security, public order and any other relevant considerations deemed necessary. Once designated as significant data security officers, they must appoint a data protection officer who is accountable to the government or a significant governing body. In addition, they must hire a Data Auditor to assess and ensure compliance with data protection regulations. In addition, the law may prescribe various measures, such as periodic inspections and data protection impact assessments based on the specific needs and requirements of the law. These measures are designed to improve the protection and security of personal data.

The rights of the controller: The right to receive information about personal data and the right to correction and deletion. The bill presents the right to rectification of the complaint and obligates information security to handle the data protection officer’s concerns within 7 days, or even in a shorter period of time, if so ordered. The purpose of this proactive measure is to shorten the time that the Data Trustee recognizes the Data Controller’s complaint and processes it appropriately.

Notification of a breach: According to the bill, in the event of a data security breach, the Data Security Manager and the Processor must immediately notify all data decision makers affected by the matter. This important regulation ensures that data protection officers whose personal data may have been compromised receive timely information about all data security breaches, regardless of the level of risk.

Penalties: Non-Compliance by Data Trustee: In case of significant non-compliance, the Board is empowered to impose a financial penalty of up to INR 500 per case, after the person has been given a fair opportunity to present his case. Non-Compliance by the Data Controller: Penalty imposed for non-compliance by the Data Controller may not exceed INR 10,000.

Implementation schedule: Although the bill does not outline a specific implementation schedule, it requires organizations to take a more proactive approach to comply with its provisions.

The bill seeks to find a harmonious balance between privacy protection and national security. It contains provisions that allow exceptions in cases where the processing of personal data becomes necessary to safeguard national security interests. By adopting this approach, the bill ensures that privacy rights are protected while recognizing legitimate national security concerns and harnessing data for useful purposes while respecting the privacy of individuals. The Bill is a step in the right direction as it lays the groundwork for enhanced data protection and strengthens India’s data protection system to make it more sustainable and mature in the long run.