Personal Data Protection Bill, India
The Justice B. N. Srikrishna committee, appointed by the Indian Government, submitted a draft Personal Data Protection Bill to Parliament on 27 July 2018.
This blog covers the major highlights of the bill, primarily from the viewpoint of users whose personal data is covered under the Act, and of providers who capture a user's personal data in order to provide them a product or service.
To keep the discussion simple, let's first understand the various entities addressed in the bill.
Data Principal refers to the person (I will simply refer to them as User in my blogs for simplicity's sake) whose personal data (referred to as Personal Information, or PI) is the focus of the bill.
Data Fiduciary refers to the organization that captures a User's personal data in order to provide them a service or product. For simplicity's sake, I will refer to the Data Fiduciary as Provider, Service Provider or Organization. The PI is possibly also used for other purposes, such as offering the user other relevant services or products (read: marketing), or providing required information to Government authorities as mandated by law. The present bill covers both private and Government entities.
Service providers that handle a significant volume of PI or sensitive PI need to appoint a Data Protection Officer (DPO), who plays the pivotal role of handling privacy-related matters and has the corresponding authority within the organization.
Data Protection Authority (DPA) is the regulating authority for users' PI, deliberating on and regulating service providers and helping users stay in control of their PI, while ensuring that organizations retain sufficient freedom to develop business use cases (and thereby giving impetus to the Digital Economy). The Adjudicating Officer is the authority in charge and the interface to service providers and users.
Data ownership: Paradigm shift
The proposed bill intends to bring a paradigm shift with respect to the user's data (PI). Organizations capturing user data no longer own that data; under the bill they are treated as custodians of it (hence the term Data Fiduciary, which reflects a relationship of trust between the user and the trustee).
Users have been given several rights to ensure that they stay in control of their data. A user can now:
- Ask the service provider whether it has captured their data, and what the contents of that data are
- Get their data corrected if it is incorrect or incomplete. They can further have it marked as disputed if the Data Fiduciary does not accept their request for correction or updating
- In select cases, request that the service provider discard or delete their data
- Request that the service provider supply their data in a portable form (for cases such as health data, financial data, etc.). The service provider may charge an appropriate fee in this case
- File complaints about the service provider with the Data Protection Authority (DPA)
Before collecting a user's PI, the service provider needs to provide all relevant information in the form of a Notice, written in simple and unambiguous language. This includes:
- What type of data is being collected
- The purpose of collecting the data
- The procedure for withdrawing consent (for continued use of the data)
- The period for which the data will be retained, or, where this is not possible, the criteria used to determine that period
- Whether the data is going to be shared outside India
- Complete contact details of the organization and of the DPO (if applicable)
- The procedure for grievance redressal
- Where applicable, the rating given by the DPA
- The service provider's obligation to ensure that personal data is complete, accurate, not misleading, and up to date
The service provider is responsible for ensuring that the personal data captured is correct, complete and up to date. If a gap is detected and an update is captured, the update must also be communicated to any third parties with whom the data was shared earlier.
The service provider may retain PI only as long as it serves the purpose conveyed to the user at the time of capture. Once that purpose is served, the data has to be discarded appropriately.
Service providers are accountable for PI and need an institutionalized mechanism covering the full life cycle of the data, with the organizational structure, framework, policies and processes required to handle data as laid out by the Act.
Audits / Impact Assessments
The service provider needs to have regular audits done to demonstrate compliance with the requirements of the Act. For any major change to a system, a formal Privacy Impact Assessment (PIA) needs to be carried out to ensure that all possible measures are considered and implemented in any new implementation or major modification of an existing system. A PIA for major projects has become the norm across several nations for addressing privacy concerns.
Service providers need to appoint a DPO who helps the service provider on matters related to fulfilling its obligations under the Act. Organizations that deal with a significant volume of PI or sensitive PI must appoint a DPO.
Breach, Offences and Penalties
In case of any data breach or privacy incident, the service provider must notify the authority with the relevant information specified in the Act. On failure to do so, the DPA can penalize the provider up to Rs 5 Crore or 2% of its total worldwide turnover (whichever is higher).
In case of violation of the norms, the DPA can penalize the provider up to Rs 15 Crore or 4% of its worldwide turnover (whichever is higher).
In case of a deliberate act of obtaining, transferring or selling personal data contrary to the Act that impacts users, the DPA can punish the person or group of persons with imprisonment of up to 5 years and/or a fine of up to Rs 3 Lakhs.
Offences under the Act will be cognizable and non-bailable.