The Personal Data Protection Bill, India

Right to privacy is a fundamental right and is granted protection under Article 21 of the Constitution. The Personal Data Protection Bill 2019 govern rules for processing, storing & disseminating personal data, and lists individual’s rights with respect to their personal information. It also proposes to create an independent new Indian regulatory authority, the Data Protection Authority (DPA), to regulate this law. All business entities and organisations dealing with personal data will have to meet the bill’s conditions.

The bill aims to strengthen India’s data protection scheme which is presently governed by the Information Technology Act, 2000. It proposes to regulate the processing of personal data of individuals which is processed by the Government, Companies registered in India and Foreign Companies. There are provisions which regulate the personal data of individuals.

Personal Data under the bill is defined as the data relating to a natural person with regard to the characteristic, trait, attribute or any other feature which helps in the identification of that person. The bill also distinguishes between Sensitive Personal Data and Critical Personal Data. Where in Sensitive personal data includes financial data, health data, sex life, sexual orientation, biometric data, transgender status, caste or tribe, religious and political affiliations etc. and Critical personal data means any such data which will be notified by the Central Government as critical personal data.

There are also certain obligations relating to the Data fiduciary, Data fiduciary means any entity or any individual which determines the purpose and means of processing personal data.

  1. Personal Data should be processed only for clear and lawful purposes.
  2. The privacy of Data Principal i.e. the person to whom the data belongs, should be confirmed.
  3. The Data Fiduciary is required to furnish a notice to the Data Principal for the purposes of collecting personal data.
  4. The bill imposes restriction on the Data Fiduciary with respect to the retention of the personal data collected.
  5. The Data Fiduciary is also made accountable to comply with the provisions of the bill in relation to the processing of data.

The bill stipulates provisions for processing of data after consent is obtained from the Data Principal, however data can also be processed without consent in the following circumstances –

  1. For performance of any function of the state authorised by law.
  2. For compliance with any order or the judgement of the court.
  3. For employment or related purposes.
  4. For any other reasonable purposes, the reasonable purposes include whistle blowing, prevention and detection of any unlawful activity, mergers and acquisition, credit scoring, recovery of debt etc.

The bill provides for rights that can be exercised by a data principal such as the right to seek information regarding the manner or processing activities undertaken by the data fiduciary with respect of the personal data. The bill also gives an opportunity to the data principal to correct and erasure any personal data.

The bill defines Social Media intermediaries as intermediaries which allow 2 or more users to share, upload, disseminate, create information using its services. This will allow the government to notify them as data fiduciary subjecting them to comply with the provisions of the Bill.

The bill provides for the establishment of a Data Protection Authority to protect the interest of data principal, prevent misuse of personal data, ensure compliance and promote awareness regarding data protection. The authority will have the power to maintain a database on its website containing names of significant data fiduciaries with a rating in the form of a data trust score which will indicate the compliance to the provisions of the bill.

The bill imposes certain restrictions on the transfer of sensitive and critical personal data outside India. Sensitive personal data may be transferred outside India based on certain conditions such as –

  1. The transfer is made pursuant to a contract or intra-group scheme which should be approved by the Data Protection Authority (Authority) .
  2. The transfer is allowed by Central Government after consultation with the Authority.

The data protection authority will be required to create a sandbox to promote and encourage artificial intelligence, machine learning or any other such emerging technology. The entities which will be included under the sandbox will be excluded from complying to the provisions of the Bill.

For FREE CONSULTATION from our trusted & experienced professionals (requiring upto 1 hour of their time & efforts), write to us on or alternatively fill the contact form on Contact Us page.

#BusinessConsultingFirmsInIndia #ManagementConsultingFirmsInIndia #BusinessConsultantIndia #ManagementConsultantsIndia #StrategyConsultantsinIndia #BusinessDevelopmentinIndia #IndianImporters #SourcingConsultantsinIndia #TaxConsultantsIndia #FinancialAdvisoryServices #IndiaMarketEntry #InvestInIndia #ForeignInvestment #DoingBusinessInIndia #IndiaExpansion #IndiaBusinessOpportunities #MarketResearchIndia #IndiaEntryStrategy #IndiaBusinessConsulting #FDIIndia #ForeignDirectInvestment #IndiaMarketAnalysis #IndiaBusinessEnvironment #IndiaEntryBarrier #IndiaBusinessLaws #IndiaBusinessPartnerships #IndiaBusinessCulture #IndiaBusinessRegulations #IndiaBusinessConsultant #IndiaBusinessAdvisory #IndiaBusinessDevelopment #ANSLegalandBusinessServicesLLP #ANS #ANSSERV #ANSLABS

Comments are closed.