Demystifying the India Data Protection Bill, 2018: Part 1 of 3


As seen in our earlier post, India is soon slated to introduce a stringent, GDPR-like data protection law to safeguard its citizens’ personal data.

Based on the recommendations of the Justice BN Srikrishna Committee, a draft of the ‘Personal Data Protection Bill, 2018’ was released by the Indian Government for public feedback in August last year and the bill is expected to be brought to the parliament soon for approval.

Built on the edifice that ‘Right To Privacy’ is a fundamental right of Indian citizens, the Personal Data Protection Bill, 2018 (the bill) is expected to completely transform the way organisations collect, store, share and process the personal data of Indian citizens.

Below are the 9 stated objectives of the bill:

  1. To protect the autonomy of individuals in relation to their personal data
  2. To specify where the flow and usage of personal data is appropriate
  3. To create a relationship of trust between persons and entities processing their personal data
  4. To specify the rights of individuals whose personal data is processed
  5. To create a framework for implementing organisational and technical measures in processing personal data
  6. To lay down norms for cross-border transfer of personal data
  7. To ensure the accountability of entities processing personal data
  8. To provide remedies for unauthorised and harmful processing of personal data, and
  9. To establish a Data Protection Authority for overseeing processing activities.

From these stated objectives, it is evident that the bill is far more holistic in scope than any other data protection law prevalent in the country today.

In this three-part series, we will take a deep dive into the various aspects of the bill and what Indian organisations need to do to adhere to its stringent guidelines.

Before we get started, let’s first understand what ‘personal data’ exactly is and the parameters that classify it as ‘sensitive personal data’.

Personal Data

The bill defines ‘personal data’ as “any data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.”

In a nutshell, the bill defines ‘personal data’ as any data that directly or indirectly identifies an individual, e.g. Phone Number, Residential Address, etc.

Sensitive Personal Data

The bill defines ‘sensitive personal data’ as “any personal data revealing, related to, or constituting:

1. Passwords (if they are stored online or offline)
2. Financial Data (e.g. Bank Account Number, Credit Score, etc.)
3. Health Data (e.g. Diabetic, Bipolar, etc.)
4. Official Identifier (e.g. Aadhaar Number, PAN Number, etc.)
5. Sex Life
6. Sexual Orientation
7. Biometric Data (e.g. iris records, fingerprint data, etc.)
8. Genetic Data (data related to the inherited or acquired genetic characteristics of an individual that gives unique information about the behavioural characteristics, physiology or the health of that individual)
9. Transgender Status
10. Intersex Status
11. Caste or Tribe
12. Religious or Political belief or Affiliation; or
13. Any other category of data specified by the Authority under section 22.”

In a nutshell, the bill classifies ‘sensitive personal data’ as any additional information that directly or indirectly identifies an individual.

This is perhaps the first time that any data protection law has gone to such great lengths to cohesively define what ‘personal data’ actually means, thereby leaving no scope for any ambiguity whatsoever.

Now that we know how the bill classifies data as ‘personal data’ and ‘sensitive personal data’, let’s look at the other important components of the bill:

1. Applicability

Leaving no scope for any ambiguities, the bill clearly identifies the parties that will be responsible for protecting their users’ personal data:

(1) Any individual or entity that processes personal data where such data has been collected, disclosed, shared or processed in India

(2) Any State / Central Government official or entity, any Indian company, any Indian citizen or any individual or body of individuals incorporated or created under the Indian law

(3) Any individual or entity that is not present within the territory of India but processes the personal data:

  a) In connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
  b) In connection with any activity that involves profiling of data principals within the territory of India.

2. Compliance

The bill mandates that individuals or entities that process personal data have to appoint a dedicated Data Protection Officer to ensure adherence to the data protection measures enshrined in the bill.

Further, the bill has proposed setting up a nodal body, in the form of a Data Protection Authority of India, to oversee execution of the bill’s data protection guidelines, ensure compliance from entities (individuals or organisations dealing with personal data) and enforce penalties on those who do not adhere to the bill’s guidelines.

3. Penalties

The bill broadly classifies entities (individuals or organisations involved in processing of personal data) into two types, Type 1 and Type 2, and recommends stringent penalties for non-adherence to the bill’s data protection regulations:

(1) For entities classified as Type 1, the penalty may extend up to Rs. 5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.

(2) For entities classified as Type 2, the penalty may extend up to Rs. 15 crores or 4% of its total worldwide turnover of the preceding financial year, whichever is higher.

To Sum It Up

When converted into an Act, the Data Protection Bill 2018 will completely transform the way organisations manage their users’ personal data. With the passage of the bill, organisations can no longer afford to take their users’ personal data lightly and will have to implement the mandated data protection measures to avoid the hefty penalties recommended in the bill.

In the next part of this series, we will cover in detail the other key elements of the bill like User Consent, De-identification, Anonymisation, Tokenization, Encryption, Data Fiduciaries and their classification as Type 1 and Type 2 for penalty provisions, etc. that organisations need to keep in mind to ensure compliance with the bill.

Learn more about India’s upcoming data protection law in our earlier post, “Are you ready for India’s NEW Personal Data Protection Law?”