Sunday, April 17, 2022

 India's Personal Data Protection Bill 2021 - Chapter-wise Summary for Techies



The Government of India(GoI) is in the process of framing comprehensive and specific legislation to protect personal data of its citizens. The Joint Parliamentary Committee(JPC) was formed in 2019 to study and constitute Personal Data Protection(PDP) bill for India. After two years, the report was tabled in Indian parliament by the committee with its recommendation to protect personal data of Indian citizens. 


Many countries already framed protection laws to safeguard the privacy of its citizens. Although, PDP is similar to other countries especially with GDPR (The General Data Protection Regulation by European Union), it is critical to understand the nitty-gritty of the bill to remain compliant while doing business in India. Global IT companies complying with various countries privacy laws can extend their implementation with minimal effort to comply with PDP once it is enacted and provides transition period. 


My intention in this blog is to highlight key recommendations of the JPC going through each chapters. I'm keeping it concise to help developers, designers, architects, and product owners to get quick summary of this bill. For more details, one can start referring the appropriate section from the PDP bill report link that I shared in the references section below. I'm referring the section numbers along side the clauses to help readers quickly refer them in the original JPC report. There are fourteen chapters in this bill explaining public policy on data protection and I'm only listing the key aspects that are important for IT professionals.



Chapter 1: Preliminary

This section contains official definitions, meanings, terms and scopes that subsequent chapters would be referencing. It is critical to go through this section without miss to understand the definitions. Important key words are:

Personal data, non personal data, sensitive data classification, data fiduciary(processor), authorities, data profiling and etc. One key highlight is that the provision of this bill applies to both personal and non personal data. Processing of Personal data includes collecting, storing, disclosing, sharing within the territory of India and also to those not present in the territory of India but carrying out business in India. 


Section-15 describes the definition of person as per this report. Having clarity on who all come under the definition of Person is a must. As per the report, Person can be individual, a Hindu undivided family, a company, a firm, an association of persons or a body of individuals, the state, and every artificial judicial person. 

 

Section-41 in this chapter lists what constitute sensitive personal data and it is important to remember while designing applications. The list includes : Financial data, Health data, sex life, Sexual orientation, biometric data, genetic data, transgender status, intersex status, caste/tribe, and religious belief.  


Note the various actors and their roles in this chapter. It has definitions for Data principal, Adjudicating officer, Consent Manager, Data Auditor, Data Fiduciary, Data Protection Officer, and Data Protection Authority of India.



Chapter 2: Obligation of Data Processor


These sections in the chapter states the methods for processor or fiduciary to get consent from data principal before collecting this data. It mandates disclosing of the purpose, extent, nature, categories, and storing period to collect data. 

The highlights in this section are that it enables data processor to share, and transfer the personal data as part of business transaction with below clauses: 

  • Disclose with whom the data will be shared. 
  • Provide contact details of data processor and data protection officer 
  • Right of data principal(person) to withdraw consent 



Chapter 3: Grounds for processing of personal data without consent


State allowed itself to collect and process personal data without consent for provisioning services, security, court order and treatment during medical emergencies. This is critical information for e-governance applications development team to optimize their data privacy design. 


One key highlight here is that it allows storing personal data if it is not sensitive in cases of employment by data processor. HR applications which usually required to store employee data could still continue to do that without employee consent. 

The section mentions other “reasonable purpose” which excludes consent are : prevention or detection of fraud, security, credit scoring, M&A, search engines and publicly available personal data.



Chapter 4: Personal data of children


Child right protection being the objective in this chapter mandates policy for parent/guardian consent. Profiling, tracking, behavioural monitoring, targeted advertising  or any other type of potential harm to the child due to violation of informational privacy is disallowed. Registration with the Data Protection Authority is a must for data fiduciaries collecting children's data.  



Chapter 5: Rights of Data Principal


This chapter talks about the rights of the data principal on his data mandating for Processor to provide information in clear and concise manner. 

It is important to understand how data principal can exercise his rights. Data processor can:

  • Ask Identities of data processor, categories of personal data 
  • Requesting Right to be forgotten
  • Nominate legal heir
  • Request appends to agreement terms
  • Right to correction and erasure 
  • Restrict or discontinue disclosure in case the purpose is no more served(20(1))

On the other hand the act allows data processor to provide justifications in case the request cannot be considered or it is not technically feasible(19 (2)b). It also lists that Data processor can charge fee to data principal for providing the information back to the requestor(21(2)).



Chapter 6: Transparency and accountability measures


Interesting chapter for IT fraternity where they can find more IT level details here. This chapter mandates processor to prepare published “privacy by design” policy to contain:

  •  Business and technical systems design and process
  •  Obligations
  •  Approaches to transparency in data processing   

This sections recommends Processor to have defined strategy for:

  • Encryption and de-identification process
  • Protect integrity of personal data
  • Prevent misuse
  • Notification and alert mechanism when data breach happens. Mandates notification issue within 72 hours of becoming aware of such breach

The bill in this chapter mandates data protection impact assessment 27(1) which should contain Appointment of data protection officer and lists the responsibilities of such role.  Bill expects continuously updated detailed documentation of privacy by design policy published in processor's websites. The documentation should contain:

  • Categories 
  • Purpose
  • Exceptional situations
  • Procedure for exercise of rights by Principal with contact detail and escalation process
  • Info on cross border transfers

It calls for data protection impact assessment 27(1) which should contain:

  • Detailed description of proposed processing operation
  • Assessment of the potential harm that may be caused to the data principal

As per the bill, this gets validated by Data Auditor who assigns a rating in the form of data trust score. 



Chapter 7: Restriction on transfer of personal Data outside India


Sensitive data may be transferred outside India but such data continue to be stored in India (33(1)). This brings huge impact to the IT side of the business where they have to ensure the data centre inside India is setup to store a copy of the data before it is transferred outside the country. 


Another highlight is that central govt approval is required for sharing the sensitive personal data with foreign government or agency (34(1.3)).



Chapter 8: Exemptions


This chapter lists the exemptions from this act when Authority is satisfied that the application is for research, archiving and statistical purpose (38). Allowing sandbox environment for data processing in research and innovation is highlight in this chapter. 


To help startups, exemptions are provided with clauses like turnover of the small entity being low, carried out for a very brief period like just one day in a given year and innovative solutions in AI, ML or any other emerging technologies. Allowing exemption to sandbox environment for innovation would immensely help the research oriented organizations.


Below chapters in the bill provide details on the regulation and enforcement framework mainly. 


Chapter 9: Data protection authority of India


This section manly talks about the GOI intention to setup the authority and provides details on structure, duty,  of such authority. The framework setup information in this chapter is mainly for public service authorities than IT companies.



Chapter 10: Penalties and compensation


Important section for business houses to understand the seriousness of this bill. There are different types of penalties and fines listed for not being compliant with the law in this chapter. 



Chapter 11: Appellate tribunal


This chapter incorporates instruction for Government of India to establish Tribunal to hear out the cases and conflicts arising out of data protection issues. 



Chapter 12: Finance, Account and Audit


This chapter includes data protection authority fund allocation by government. Provides detailed instruction to public policy implementors within government. 



Chapter 13: Offences


This chapter discusses different types of penalties in the context of data protection law that include imprisonment and fines. This chapter is of paramount importance to legal department within data processors to understand the context and spread awareness among responsible executives. 



Chapter 14: Miscellaneous


The last chapter covers miscellaneous activities of authority and procedures to be followed in various scenarios around enactment of the data protection policy.



My View


This act is absolute essential for protecting individual data privacy and supporting digital economy growth. With growing digital products and services in the country, importance of data protection has taken centerstage. I strongly believe that the well implemented data protection act would enforce the citizens fundamental right on their privacy. This act is supposed to build user trust and confidence on the digital business carried out in this land. The bill has good intentions and objectives. Bill addresses most basic features like simple consent forms, data minimization, data corrections, data porting, breach notifications, restricted automated decisions with personal data, and most importantly citizen awareness.  


Some of the clauses in this bill are opposed and committee is reviewing them. I'm hopeful that this law once enacted would reduce misuse of personal data, ensures compliance, and promote data privacy awareness in India.




References:


JPC Report:

http://164.100.47.193/lsscommittee/Joint

%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_

Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf


at No comments:
Labels: , , , , , , , , , , ,
Subscribe to: Posts (Atom)