(SAOCN) Aaron Kamath - India's Personal Data Protection Bill - an overview

India's Personal Data Protection Bill (PDPB) has been in the news for a while now. One of the most awaited legislations around the world, the bill has introduced many new ideas which are different from other legislations like the EU GDPR, etc. The bill has also raised many controversies and debates both in India and globally. This session focuses on what the India PDPB is all about.


  1. India’s Proposed Privacy and Personal Data Protection Law
     SACON 2020
     Aaron Kamath, Leader - Technology & Privacy Law Practice
     February 22, 2020
     Draft for discussion purposes only
     Mumbai | Silicon Valley | Bangalore | Singapore | Mumbai-BKC | New Delhi | Munich | New York
     © Nishith Desai Associates

  2. Regulation as a Facilitator
     • Privacy
       - Control over data
       - Transfer to jurisdictions with less protection
     • Cybersecurity
       - In 2015, 70% of all internet traffic was passing through cloud data centers – how secure is that cloud?
     • Law enforcement
       - Government access
       - Data localization
       - Solutions – MLATs and data sharing agreements
     • Competition
       - Protect domestic companies from online competition
     • Equating digital and non-digital players
       - TSPs v. OTTs

  3. Changing Landscape of Privacy and Data Protection in India
     • India, the largest consumer of mobile data in the world, is acknowledging the importance of data, its uses and security.
     • The Apex court declared the right to privacy as a fundamental right guaranteed under the Constitution.
     • In December 2019, the Indian Government introduced in the lower house of parliament the Personal Data Protection Bill, 2019.
     • The Bill on December 12, 2019 was referred to a Joint Parliamentary Committee (“JPC”) for further debate and examination.
     • Presently stakeholder recommendations are invited by the JPC until 25th February 2020.
     • JPC to submit its report to Parliament by mid-end March.

  4. Existing Framework
     • The Information Technology Act, 2000
     • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
       - Protects ‘Sensitive Personal Data’
       - Purpose, collection and storage limitation
       - Privacy Policy and disclosures
       - Consent requirements
       - Transfers
       - Reasonable security practices and procedures
       - Grievance officer
     • State of compliance
     • Sectoral requirements
       - Data localization – banking and payments, insurance, telecom

  5. Overview of the Personal Data Protection Bill, 2019
     • Applicability
       - Extra-territorial
       - Exemption for manual processing and outsourcing activities in certain cases
     • Wider categories of data protected
       - Personal data
       - Sensitive personal data – biometric, financial, religious, caste data included
     • Peculiarities in other categories of data
       - Critical personal data (no guidance)
       - Anonymized / non-personal data (Government requests)
     • Enhanced data controller obligations
       - Notice and consent requirements – for personal and sensitive data
       - Purpose, collection and storage limitations
       - Privacy by design
       - Transparency and security safeguards (CoPs)
       - Data breach notifications (to DPA)
     • Significant data fiduciary
       - Impact assessments
       - Maintenance of records and audits
       - Data protection officer
       - Social media intermediaries

  6. Overview of the Personal Data Protection Bill, 2019 (contd.)
     • Rights conferred on data subjects (flavors of GDPR)
       - Confirmation and access
       - Correction and erasure
       - Data portability (extends to data generated by fiduciary and profile data)
       - Right to be forgotten (limited right)
     • Special provisions on children’s data
       - Age-verification and parental consent
       - Guardian data fiduciary
       - Restrictions in profiling, tracking, monitoring, targeted advertising directed at children or other potentially harmful activities
     • Independent Data Protection Authority
       - Codes of Practice
     • Regulatory sandbox
     • Enhanced penalties linked to % of worldwide turnover in some grave cases

  7. Data Localization and Cross-Border Data Transfers - Sensitive Personal Data
     [Diagram. Labels: Data Principal; Data Fiduciary; Data Processor; Server / Data Centre; INDIA; Overseas]
     • Data transfer (unless categorized as Critical Personal Data)
     • Explicit consent
       - Data Protection Authority approved contract or intra-group schemes, or
       - Transfer to Government notified countries or class of entities or international organizations; or
       - DPA approved transfer for a specific purpose
     • Data copy stored (unless specifically exempted by the Central Government)

  8. Thank You!
     nda@nishithdesai.com
     Aaron Kamath – aaron.kamath@nishithdesai.com
