Feedback on Draft Personal Data Protection Bill
Submitted to MeitY
Nanda Mohan Shenoy D
CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, P G Diploma in IRPM, PG Diploma in
EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
Director
Definition Aadhaar (1)
(1) “Aadhaar number” shall have the
meaning assigned to it under clause (a) of
section 2 of the Aadhaar (Targeted
Delivery of Financial and Other Subsidies,
Benefits and Services) Act, 2016 (18 of
2016); and shall exclude the VID and UID
Definitions- Aadhaar Number(1)
• Gap :
– Exclusion of VID and UID token from the definition of
Aadhaar number
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Explicitly mention in the Act
• Logic
– The VID and UID token is deemed to be an Aadhaar as per gazette notification 245 dated
29th June (UIDAI circular no 08 of 2018)
– “4. Since Virtual ID and UID Token are different forms of Aadhaar number the Authority, in
exercise of its powers under Regulation 30 of the Aadhaar (Authentication) Regulations,
2016, hereby clarifies that Virtual ID and UID token may therefore be duly accepted by Local
AUAs/KUAs in lieu of Aadhaar number when so mandated by the Authority and will be
deemed as the Aadhaar number for the purposes of compliance of their respective
Regulations”
Definition Data Principal(14)
(14) “Data principal” means the natural person to
whom the personal data referred to in sub-
clause (28) relates
(28) “Person” means—
(i) an individual,
(ii) a Hindu undivided family,
(iii) a company,
(iv) a firm,
(v) an association of persons or a body of
individuals, whether incorporated or not,
(vi) the State, and
(vii) every artificial juridical person, not falling
within any of the preceding sub-clauses;
Definitions- Data Principal(14)
• Gap:
–Natural Person-What about Living or
Dead
• Impact
–Can lead to lot of litigation
• Remedy
–Definition of Natural Person to clarify the
same
• International examples
–See next slides
Gap-1
• Bulgaria, for instance, recognises that “in event of death of the natural
person his/her rights shall be exercised by his/her heirs”,[23] thus extending
the right of access to personal data not only to the natural person, but also
to his or her family. The Estonian Data Protection Act goes even further,
giving a considerable amount of freedom to an individual to decide on the
use of personal data in the event of processing personal data with the
consent of a data subject.[24] In s 12 it states: “The consent of a data
subject shall be valid during the life of the data subject and thirty years after
the death of the data subject, unless the data subject has decided
otherwise.” Furthermore, in s 13 it entitles certain family members to permit
processing of personal data after the death of the data subject, but again for
no more than thirty years after death.[25]
• Conversely, the Swedish Data Protection Act explicitly refers to personal
data of the living, defining personal data as “all kinds of information that
directly or indirectly may be referable to a natural person who is alive.”[26]
Similarly, the UK Data Protection Act defines personal data as “data which
relate to a living individual”.[27] Other member states also predominantly
use the term “natural person”; understood generally as a person having
legal capacity, starting with the birth and ending with her death.[28]
• Source:
https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-
privacy-potential-alternatives/#_ftn23
Gap-1 (Contd)
• Article 29 Working Party, discussing the concept of personal data,
maintains that: “Information relating to dead individuals is, therefore,
in principle, not to be considered as personal data, subject to the
rules of the Directive”.[29] However, it also notes that, in certain
cases, the deceased's data could receive some kind of protection.
Thus, the controller or processor may not be able to ascertain
whether a person is alive or not; protection could be awarded
indirectly, since the data could be connected to those of a living
person; some legal rules other than data protection could protect the
deceased's personal data (doctor-patient confidentiality, for
example). Finally, member states could extend the scope of the
national legislation implementing the provisions of Directive
95/46/EC, and include protection of some aspects of deceased's
personal data.[30] The last option, as demonstrated above, has
been used by some member states.
https://script-ed.org/article/eu-data-protection-
regime-protect-post-mortem-privacy-potential-
alternatives/#_ftn23
Definition Data Principal
• Gap :
–Complicating the definition
• Impact
–Lead to interpretation
• Remedy
–Do not link to definition 28
• Logic
–Of the seven categories mentioned in 28
only the first one is a natural person.
Definitions – Financial Data(19)
• Gap :
– Financial Status definition lacks clarity
• Impact
– Lead to interpretation
• Remedy
– Clarity required
• Logic
– If a loan is rejected, does it come under Financial
status?
– If the account turns NPA, is it Financial Status?
– Is a Life Insurance Policy number Financial data, as
it is issued by a Financial Institution?
– Is a General Insurance policy number financial
data?
Definitions- Health Data (22)
• Gap :
– Exclusion of Blood Group needed in definition
• Impact
– Lead to delay in medical emergencies
• Remedy
– Exclude the Blood Group from health data
• Logic
– Many companies have printed the Blood
group on the Employee Id cards. Huge rework
– Medical emergency
Definitions- Health Data (22)
• Gap :
–Post Mortem data not covered
• Impact
–Harm and press publicity
• Remedy
–Need Clarity or include
• Logic
–Post mortem reports are often published
in the newspapers which may or may
not cause harm
Definitions- Intra-group
schemes(24)
• Gap :
– Intra group
• Impact
– Clarity issues
• Remedy
– Need Clarity or include
• Logic
– Used in the context of Transborder. What
constitutes the Intra group is not known. If trans
border intra group is allowed, why not
domestic Intra group?
Definitions- Official identifier(27)
• Gap 5:Drafting
–Why the emphasis on including Aadhaar
number? It is already covered by the
Act of Parliament
• Impact
–Unnecessary
• Remedy
–Exclude the word aadhaar number
• Logic
–clarity
Definitions- Official identifier
• Gap :
– List of Official identifier as schedule
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– A separate schedule
• Example
– EPFO UIN: is it Financial data or Official
identifier?
– PRAN for NPS: is it Financial data or Official
identifier?
– Income Tax PAN
– GSTIN?
Definitions- Sensitive Personal
Data(35)
• Gap :
– 4 definitions missing
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Define the same or give a note (has the same meaning as defined
in the xxxx Act)
• Details
(i) passwords;
(v) sex life;
(vi) sexual orientation;
(xi) caste or tribe;
Notice –Sec 8
• (d) the right of the data principal to withdraw such consent, and
the procedure for such withdrawal, if the personal data is
intended to be processed on the basis of consent
• Gap :
– Withdrawal notice
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Rephrase
• Explanation
– It is not clear what is meant by withdrawal: what happens to the existing data, or does
it only disallow further processing?
– This clause contradicts Clause 10(2): “(2) Notwithstanding sub-section
(1), personal data may be retained for a longer period of time if such retention is
explicitly mandated, or necessary to comply with any obligation, under a law”.
– This clause should also be part of the Notice
– Right of the data fiduciary to store the data even if the service is not provided: for
example, when a loan or an account opening is rejected, the data needs to be preserved
for audit purposes as per regulatory requirement, and the regulator
comes and checks that as well. This is not under any law.
Notice –Sec 8
• Gap :
– Elements of Notice missing
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Add the same in the Act
• Explanation
– The right of the data fiduciary for anonymising the data for
predictive analysis big data etc should be highlighted
– The methods of de-identification of data, so as to enhance
transparency and trust, should also be part
of the notice wherever applicable
– In case of employees notice the Section 16 should be cross
referred as exemption the way 8 (1) (3) is drafted
– Section 28 should also form a part of the notice
Notice –Sec 8
• (2) The data fiduciary shall provide the information as required under this section to
the data principal in a clear and concise manner that is easily comprehensible to a
reasonable person and in multiple languages where necessary and practicable
• Gap :
– Ambiguous statement
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Clarity required
• Explanation
– Who decides necessary or practicable?
“multiple languages where necessary and
practicable”
Sec-10- Data storage limitation
Data storage limitation.—
(1) The data fiduciary shall retain personal data only as long
as may be reasonably necessary to satisfy the purpose for
which it is processed.
(2) Notwithstanding sub-section (1), personal data may be
retained for a longer period of time if such retention is
explicitly mandated, or necessary to comply with any
obligation, under a law.
(3) The data fiduciary must undertake periodic review in order
to determine whether it is necessary to retain the personal
data in its possession.
Sec-10- Data storage limitation
• (4) Where it is not necessary for personal data to be retained by the data fiduciary under
sub-sections (1) and (2), then such personal data must be deleted in a manner as may be
specified
• Gap :
– Implementation hurdle
• Impact
– Penalties at future date for non compliance
• Remedy
– Clarity required in the Act
• Explanation
– Physical deletion or logical deletion?
– Physical deletion ruled out
– Logical deletion will give rise to referential integrity checks
– What about deletion from all the backups taken, say, over the last n years and archived?
How will that be achieved?
– Everybody will be non-compliant from day 1
– Right of the data fiduciary to store the data even if the service is not provided: for
example, when a loan or an account opening is rejected, the data needs to be preserved
for audit purposes as per regulatory requirement, and the regulator comes
and checks that as well. This is not under any law
12. Consent -1 Personal Data
12. Processing of personal data on the basis of consent.—
(1) Personal data may be processed on the basis of the consent of the data principal, given no later
than at the commencement of the processing.
(2) For the consent of the data principal to be valid, it must be—
(a) free, having regard to whether it meets the standard under section 14 of the Indian Contract
Act, 1872 (9 of 1872);
(b) informed, having regard to whether the data principal has been provided with the information
required under section 8;
(c) specific, having regard to whether the data principal can determine the scope of consent in
respect of the purposes of processing;
(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful
in a given context; and
(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is
comparable to the ease with which consent may be given.
• (32) “Processing” in relation to personal data, means an operation
or set of operations performed on personal data, and may include
operations such as collection, recording, organisation, structuring,
storage, adaptation, alteration, retrieval, use, alignment or
combination, indexing, disclosure by transmission, dissemination or
otherwise making available, restriction, erasure or destruction
12. Consent -1 Personal Data
• Gap :
– Can any person authorised by the Data Principal give the
consent?
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– In BFSI segment there is a concept of Power of Attorney
– No clarity whether the consent can be given by POA holder.
– In financial services industry there are two approaches
• 1. Banks open account with POA
• 2. Depository accounts cannot be opened with POA
– Absolute clarity required on the same
12. Consent -1 Personal Data
• Gap :
– processing includes ‘use’ of data which can lead to implementation hurdles
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– Four types of processing
1. Account opening (Non Financial Transaction)
2. Transaction (Financial Transaction –one time System generated/Fiduciary
induced )
3. Transaction (Financial Transaction – recurring System generated/Fiduciary
induced )
4. Transaction (Financial Transaction- Customer Induced)
– In case of 2 and 3, will consent be required every time for processing like
Recurring Deposits in Banks, SIP in Mutual Fund?
– In case of 4, if the customer is signing a cheque and giving it to the bank,
can it be construed as implied consent?
– Similarly, employees' monthly salary and statutory payment processing
Sec 16- Employment related
• Gap :
– Clarity required
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– What is disproportionate effort?
– Will monthly payroll processing require consent?
– Why specifically attendance record is mentioned?
– Whether one time consent is required from employees?
– In the notice to employees we can make it clear that referral checks and
others do not need the consent as per this section. This section is also
part of the notice
– Is termination of an employee tantamount to withdrawal of consent
by default?
– What about Notice at the time of entering into contract? Is Notice
necessary for outsourcing activities like payroll processing to third
party?
– Will section 8 and 12 be applicable while the employee is onboarded?
Sec 18-Consent-2 -SPD
• Gap :
– Explicit consent is misleading
• Impact
– Room for violation and litigation
• Remedy
– Rewording to additional consent
• Explanation
– The moment the word explicit is brought in it means
there is an implicit or implied consent.
– Clauses b & c are nothing different from Section 12
– As in the Aadhaar Act, alternatives to the SPD are also
required
– The appropriate protection given to the SPD should also
be there in the Notice
Sec 23-Parental Consent
• Gap :
– Parental consent clarity
• Impact
– Room for violation and litigation
• Remedy
• Explanation
– In case a child is doing ok
– What about opening the accounts of the child
by the parent what happens to such cases
– Does the website registration require parental
consent? If the parent/child bypasses the
same
Sec 26-Right to data portability
• Gap :
– Authority to define the data portability
• Impact
– Room in technical terms for implementation
• Remedy
– Rewording to as defined by the authority
• Explanation
– UIDAI has done a lot of work on the standardisation
as far as demographic standards are concerned.
Refer
– http://uidai.gov.in/UID_PDF/Committees/UID_DDSVP
_Committee_Report_v1.0.pdf
– Even for consent MeitY has come out with the
Electronic Consent framework
27. Right to Be Forgotten
27. Right to Be Forgotten. —
(1) The data principal shall have the right to restrict or prevent continuing
disclosure of personal data by a data fiduciary related to the data
principal where such disclosure—
(a) has served the purpose for which it was made or is no longer necessary;
(b) was made on the basis of consent under section 12 and such consent has
since been withdrawn; or
(c) was made contrary to the provisions of this Act or any other law made by
Parliament or any State Legislature.
(2) Sub-section (1) shall only apply where the Adjudicating Officer under
section 68 determines the applicability of clause (a), (b) or (c) of sub-section
(1) and that the rights and interests of the data principal in preventing or
restricting the continued disclosure of personal data override the right to
freedom of speech and expression and the right to information of any
citizen.
Clarity required. Is it only with the adjudicator?
26-Right to data portability
• Gap :
– “In writing” is totally absurd - there are three instances of “in writing”
• Sec 28(1)
• Sec 28(4)
• Sec 78(1)
• Impact
– Back tracking and leading to paperwork
• Remedy
• Rewording to request made electronically or in writing or explanation
• Explanation
IT Act 2000 Sec 4. “Legal Recognition of Electronic Records. -
Where any law provides that information or any other matter shall be in writing or in the typewritten or
printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to
have been satisfied if such information or matter is -
(a) Rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference”
Even after 18 years why are we talking about writing. The explanation of sec 4 of the IT Act may be given in
all the 3 instances to reduce the ambiguity
Sec 35. Data Audits
(1) The data fiduciary shall have its policies and the conduct of its
processing of personal data audited annually by an independent
data auditor under this Act.
(2) The data auditor will evaluate the compliance of the data fiduciary
with the provisions of this Act, including—
• Please make certification of DSCI as mandatory like the Capital
Market segment of NISM Examinations.
• NASSCOM can take a lead in the same on following line
• Eligibility Criteria for being an auditor:
• 1. CISA/DISA/CISSP/CGEIT/CRISC + Privacy Lead Auditor
certification of DSCI
• The word “may” leaves room for doubt. Is there any other way the
Data Score can be arrived at?
• Whether there will be a standard checklist to arrive at the score or
for audit ?
Sec 36- DPO
36. Data Protection Officer. —
(1) The data fiduciary shall appoint a data protection officer
for carrying out the following functions—
(a) providing information and advice to the data fiduciary on
matters relating to fulfilling its obligations under this Act;
Need clarity as to the reporting structure of the DPO.
Will it be Regulatory Compliance, who in turn reports to the
CRO, or will it be directly under compliance?
The CISO cannot be a DPO. Here also, qualifications of
DSCI have to be mandated by the regulator
Type of Penalties(Sec 69 Penalties)
• The fiduciary is categorized
– Significant
– Small Entity
– Guardian
– Normal (which does not fall in the three categories)
• The Personal data is categorized
– Personal data
– Sensitive Personal data
– Critical Data
• This means that there are 12 types of data
breaches (4 * 3)
– The penalty should also be logically split into 12 categories and not one size fits
all
Transition provision
• Existing data and new data classification is
required
• Clarity is needed on the data collected prior
to the Act.
• Data is already lying across backups and
paper forms in multiple godowns and
record keepers office.
nmds@bestfitsolutions.in
09820409261
Thank you
www.bestfitsolutions.co.in

More Related Content

What's hot

Half day public-seminar_on_pdpa_2010_-_250711
Half day public-seminar_on_pdpa_2010_-_250711Half day public-seminar_on_pdpa_2010_-_250711
Half day public-seminar_on_pdpa_2010_-_250711
Quotient Consulting
 
Data Protection & Aadhaar Act
Data Protection & Aadhaar ActData Protection & Aadhaar Act
Data Protection & Aadhaar Act
Nanda Mohan Shenoy
 
GDPR and Analytics
GDPR and AnalyticsGDPR and Analytics
GDPR and Analytics
brunomase
 
DPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, LondonDPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, London
Browne Jacobson LLP
 
GDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, ManchesterGDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, Manchester
Browne Jacobson LLP
 
DPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, BirminghamDPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, Birmingham
Browne Jacobson LLP
 
GDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, NottinghamGDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, Nottingham
Browne Jacobson LLP
 
WB-2022-01-25-India's Data Protection Bill
WB-2022-01-25-India's Data Protection BillWB-2022-01-25-India's Data Protection Bill
WB-2022-01-25-India's Data Protection Bill
TrustArc
 
WB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection BillWB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection Bill
TrustArc
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in Malaysia
MSC Malaysia Cybercentre @ Bangsar South City
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
EFA Skillshare - Jitty van Doodewaerd
EFA Skillshare - Jitty van DoodewaerdEFA Skillshare - Jitty van Doodewaerd
EFA Skillshare - Jitty van Doodewaerd
Patrick Jordens
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
Jane Lambert
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in Malaysia
khenghoe
 
Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019
Nanda Mohan Shenoy
 
Personal Data Protection Act - Employee Data Privacy
Personal Data Protection Act - Employee Data PrivacyPersonal Data Protection Act - Employee Data Privacy
Personal Data Protection Act - Employee Data Privacy
legalPadmin
 
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
mhmjapan
 
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A  COMPARATIVE ANALYSIS BY SANJEEV SINGH...HOW TO PROCESS DATA IN VARIOUS GEO'S A  COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
Sanjeev Bharwan
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
Gdpr powerpoint 15.01.18
Gdpr powerpoint 15.01.18Gdpr powerpoint 15.01.18
Gdpr powerpoint 15.01.18
Jon Rathbone
 

What's hot (20)

Half day public-seminar_on_pdpa_2010_-_250711
Half day public-seminar_on_pdpa_2010_-_250711Half day public-seminar_on_pdpa_2010_-_250711
Half day public-seminar_on_pdpa_2010_-_250711
 
Data Protection & Aadhaar Act
Data Protection & Aadhaar ActData Protection & Aadhaar Act
Data Protection & Aadhaar Act
 
GDPR and Analytics
GDPR and AnalyticsGDPR and Analytics
GDPR and Analytics
 
DPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, LondonDPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, London
 
GDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, ManchesterGDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, Manchester
 
DPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, BirminghamDPOs in the public sector, May 2018, Birmingham
DPOs in the public sector, May 2018, Birmingham
 
GDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, NottinghamGDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, Nottingham
 
WB-2022-01-25-India's Data Protection Bill
WB-2022-01-25-India's Data Protection BillWB-2022-01-25-India's Data Protection Bill
WB-2022-01-25-India's Data Protection Bill
 
WB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection BillWB-2022-01-25-India Data Protection Bill
WB-2022-01-25-India Data Protection Bill
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in Malaysia
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
EFA Skillshare - Jitty van Doodewaerd
EFA Skillshare - Jitty van DoodewaerdEFA Skillshare - Jitty van Doodewaerd
EFA Skillshare - Jitty van Doodewaerd
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in Malaysia
 
Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019
 
Personal Data Protection Act - Employee Data Privacy
Personal Data Protection Act - Employee Data PrivacyPersonal Data Protection Act - Employee Data Privacy
Personal Data Protection Act - Employee Data Privacy
 
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
 
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A  COMPARATIVE ANALYSIS BY SANJEEV SINGH...HOW TO PROCESS DATA IN VARIOUS GEO'S A  COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 
Gdpr powerpoint 15.01.18
Gdpr powerpoint 15.01.18Gdpr powerpoint 15.01.18
Gdpr powerpoint 15.01.18
 

Similar to Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY

GDPR and eHealth for the pharma industry (VFenR presentation)
GDPR and eHealth for the pharma industry (VFenR presentation)GDPR and eHealth for the pharma industry (VFenR presentation)
GDPR and eHealth for the pharma industry (VFenR presentation)
Erik Vollebregt
 
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumImpact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Constantine Karbaliotis
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
Emerson Bryan
 
Medical device data protection and security
Medical device data protection and security Medical device data protection and security
Medical device data protection and security
Erik Vollebregt
 
GDPR, Data Privacy.
GDPR, Data Privacy.GDPR, Data Privacy.
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
JakeAldrinDegala1
 
Niall Rooney FD Event 05.09.19
Niall Rooney FD Event 05.09.19Niall Rooney FD Event 05.09.19
Niall Rooney FD Event 05.09.19
Niall Rooney
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
ssuser36d167
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services SectorLegal And Regulatory Dp Challenges For The Financial Services Sector
Legal And Regulatory Dp Challenges For The Financial Services Sector
MSpadea
 
Controller-to-processor agreements
Controller-to-processor agreementsController-to-processor agreements
Controller-to-processor agreements
Tommy Vandepitte
 
20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements
Brussels Legal Hackers
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
Renato Monteiro
 
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY

  • 1. Feedback on Draft Personal Data Protection Bill Submitted to Meity Nanda Mohan Shenoy D CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, P G Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001 NISM empanelled CPE Trainer Director
  • 2. Definition Aadhaar (1) (1) “Aadhaar number” shall have the meaning assigned to it under clause (a) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016); and shall exclude the VID and UID
  • 3. Definitions- Aadhaar Number(1) • Gap : – Exclusion of VID and UID token from the definition of Aadhaar number • Impact – Avoid confusion for data fiduciaries • Remedy – Explicitly mention in the Act • Logic – The VID and UID token is deemed to be an Aadhaar as per gazette notification 245 dated 29th June (UIDAI circular no 08 of 2018) – “4. Since Virtual ID and UID Token are different forms of Aadhaar number the Authority, in exercise of its powers under Regulation 30 of the Aadhaar (Authentication) Regulations, 2016, hereby clarifies that Virtual ID and UID token may therefore be duly accepted by Local AUAs/KUAs in lieu of Aadhaar number when so mandated by the Authority and will be deemed as the Aadhaar number for the purposes of compliance of their respective Regulations”
  • 4. Definition Data Principal(14) (14) “Data principal” means the natural person to whom the personal data referred to in sub-clause (28) relates (28) “Person” means— (i) an individual, (ii) a Hindu undivided family, (iii) a company, (iv) a firm, (v) an association of persons or a body of individuals, whether incorporated or not, (vi) the State, and (vii) every artificial juridical person, not falling within any of the preceding sub-clauses;
  • 5. Definitions- Data Principal(14) • Gap: –Natural Person-What about Living or Dead • Impact –Can lead to lot of litigation • Remedy –Definition of Natural Person to clarify the same • International examples –See next slides
  • 6. Gap-1 • Bulgaria, for instance, recognises that “in event of death of the natural person his/her rights shall be exercised by his/her heirs”,[23] thus extending the right of access to personal data not only to the natural person, but also to his or her family. The Estonian Data Protection Act goes even further, giving a considerable amount of freedom to an individual to decide on the use of personal data in the event of processing personal data with the consent of a data subject.[24] In s 12 it states: “The consent of a data subject shall be valid during the life of the data subject and thirty years after the death of the data subject, unless the data subject has decided otherwise.” Furthermore, in s 13 it entitles certain family members to permit processing of personal data after the death of the data subject, but again for no more than thirty years after death.[25] • Conversely, the Swedish Data Protection Act explicitly refers to personal data of the living, defining personal data as “all kinds of information that directly or indirectly may be referable to a natural person who is alive.”[26] Similarly, the UK Data Protection Act defines personal data as “data which relate to a living individual”.[27] Other member states also predominantly use the term “natural person”; understood generally as a person having legal capacity, starting with the birth and ending with her death.[28] • Source: https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-privacy-potential-alternatives/#_ftn23
  • 7. Gap-1 (Contd) • Article 29 Working Party, discussing the concept of personal data, maintains that: “Information relating to dead individuals is, therefore, in principle, not to be considered as personal data, subject to the rules of the Directive”.[29] However, it also notes that, in certain cases, the deceased's data could receive some kind of protection. Thus, the controller or processor may not be able to ascertain whether a person is alive or not; protection could be awarded indirectly, since the data could be connected to those of a living person; some legal rules other than data protection could protect the deceased's personal data (doctor-patient confidentiality, for example). Finally, member states could extend the scope of the national legislation implementing the provisions of Directive 95/46/EC, and include protection of some aspects of deceased's personal data.[30] The last option, as demonstrated above, has been used by some member states. https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-privacy-potential-alternatives/#_ftn23
  • 8. Definition Data Principal • Gap : –Complicating the definition • Impact –Lead to interpretation • Remedy –Do not link to definition 28 • Logic –Of the seven categories mentioned in 28 only the first one is a natural person.
  • 9. Definitions – Financial Data(19) • Gap : – Financial Status definition lacks clarity • Impact – Lead to interpretation • Remedy – Clarity required • Logic – If a loan is rejected does it come under the Financial status? – If the account turns NPA , is it Financial Status. – Are Life Insurance Policy number Financial data as it is issued by Financial Institution – Are General Insurance policy number financial data?
  • 10. Definitions- Health Data (22) • Gap : – Exclusion of Blood Group needed in definition • Impact – Lead to delay in medical emergencies • Remedy – Exclude the Blood Group from health data • Logic – Many companies have printed the Blood group on the Employee Id cards. Huge rework – Medical emergency
  • 11. Definitions- Health Data (22) • Gap : –Post Mortem data not covered • Impact –Harm and press publicity • Remedy –Need Clarity or include • Logic –Post mortem reports are often published in the newspapers which may or may not cause harm
  • 12. Definitions- Intra-group schemes(24) • Gap : – Intra group • Impact – Clarity issues • Remedy – Need Clarity or include • Logic – Used in the context of Transborder. What constitutes the Intra group is not known. If trans border intra group is allowed why not domestic Intra group?
  • 13. Definitions- Official identifier(27) • Gap 5:Drafting –Why the emphasis including aadhaar number ? It is already covered by the Act of Parliament • Impact –Unnecessary • Remedy –Exclude the word aadhaar number • Logic –clarity
  • 14. Definitions- Official identifier • Gap : – List of Official identifier as schedule • Impact – Avoid confusion for data fiduciaries • Remedy – A separate schedule • Example – EPFO UIN is it Financial data or Official identifier – PRAN for NPS is it Financial data or Official identifier – Income TAX PAN – GSTIN ?
  • 15. Definitions- Sensitive Personal Data(35) • Gap : – 4 definitions missing • Impact – Avoid confusion for data fiduciaries • Remedy – Define the same or give note ( has the same meaning as defined in the xxxx Act) • Details (i)passwords; (v) sex life; (vi) sexual orientation; (xi) caste or tribe;
  • 16. Notice –Sec 8 • (d) the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent • Gap : – Withdrawal notice • Impact – Avoid confusion for data fiduciaries • Remedy – Rephrase • Explanation – Not clear what is meant by withdrawal. What happens to the existing data or it does not allow further processing – “This clause is contradicting with Clause 10(2)- (2) Notwithstanding sub-section (1), personal data may be retained for a longer period of time if such retention is explicitly mandated, or necessary to comply with any obligation, under a law”. – This clause should also be part of the Notice – Right of the data fiduciary to store the data even if the service is not provided for example a loan is rejected or an account opening is rejected , as per regulatory requirement the data needs to be preserved for Audit purpose and the regulator comes and checks that as well. This is not under any law.
  • 17. Notice –Sec 8 • Gap : – Elements of Notice missing • Impact – Avoid confusion for data fiduciaries • Remedy – Add the same in the Act • Explanation – The right of the data fiduciary for anonymising the data for predictive analysis big data etc should be highlighted – The methods of de-identification of data as to enhance the transparency and trust, wherever applicable should also be part of the notice – In case of employees notice the Section 16 should be cross referred as exemption the way 8 (1) (3) is drafted – Section 28 should also form a part of the notice
  • 18. Notice –Sec 8 • (2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable • Gap : – Ambiguous statement • Impact – Avoid confusion for data fiduciaries • Remedy – Clarity required • Explanation – Who decides necessary or practicable ? “multiple languages where necessary and practicable”
  • 19. Sec-10- Data storage limitation Data storage limitation.— (1) The data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. (2) Notwithstanding sub-section (1), personal data may be retained for a longer period of time if such retention is explicitly mandated, or necessary to comply with any obligation, under a law. (3) The data fiduciary must undertake periodic review in order to determine whether it is necessary to retain the personal data in its possession.
  • 20. Sec-10- Data storage limitation • (4) Where it is not necessary for personal data to be retained by the data fiduciary under sub-sections (1) and (2), then such personal data must be deleted in a manner as may be specified • Gap : – Implementation hurdle • Impact – Penalties at future date for non compliance • Remedy – Clarity required in the Act • Explanation – Physical deletion or logical deletion? – Physical deletion ruled out – Logical deletion will give rise to referential integrity checks – What about deletion from all the backups taken say over the last n years and archived. How will that be achieved? – Everybody will be non-compliant from day 1 – Right of the data fiduciary to store the data even if the service is not provided for example a loan is rejected or an account opening is rejected, as per regulatory requirement the data needs to be preserved for Audit purpose and the regulator comes and checks that as well. This is not under any law
  • 21. 12. Consent -1 Personal Data 12. Processing of personal data on the basis of consent.— (1) Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing. (2) For the consent of the data principal to be valid, it must be— (a) free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872); (b) informed, having regard to whether the data principal has been provided with the information required under section 8; (c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing; (d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and (e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given. • (32) “Processing” in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction
  • 22. 12. Consent -1 Personal Data • Gap : – Can any person authorised by the Data Principal give the consent • Impact – Room for violation and litigation • Remedy – Clarity required in the Act • Explanation – In BFSI segment there is a concept of Power of Attorney – No clarity whether the consent can be given by POA holder. – In financial services industry there are two approaches • 1.Banks open account with POA • 2. Depository accounts cannot be opened with POA – Absolute clarity required on the same
  • 23. 12. Consent -1 Personal Data • Gap : – processing includes ‘use’ of data which can lead to implementation hurdles • Impact – Room for violation and litigation • Remedy – Clarity required in the Act • Explanation – Four types of processing 1. Account opening (Non Financial Transaction) 2. Transaction (Financial Transaction –one time System generated/Fiduciary induced ) 3. Transaction (Financial Transaction – recurring System generated/Fiduciary induced ) 4. Transaction (Financial Transaction- Customer Induced) – In case of 2 and 3 will consent be required every time for processing like Recurring Deposits in Banks, SIP in Mutual Fund – In case of 4 if the customer is signing a cheque and giving it to the bank , can it be construed as implied consent – Similarly employees monthly salary and statutory payment processing
  • 24. Sec 16- Employment related
    • Gap :
      – Clarity required
    • Impact
      – Room for violation and litigation
    • Remedy
      – Clarity required in the Act
    • Explanation
      – What is disproportionate effort?
      – Will monthly payroll processing require consent?
      – Why is attendance record specifically mentioned?
      – Whether one time consent is required from employees?
      – In the notice to employees we can make it clear that referral checks and others do not need the consent as per this section. This section is also part of the notice
      – Does termination of an employee amount to withdrawal of consent by default?
      – What about Notice at the time of entering into contract? Is Notice necessary for outsourcing activities like payroll processing to a third party?
      – Will section 8 and 12 be applicable while the employee is onboarded?
  • 25. Sec 18-Consent-2 -SPD
    • Gap :
      – Explicit consent is misleading
    • Impact
      – Room for violation and litigation
    • Remedy
      – Rewording to additional consent
    • Explanation
      – The moment the word explicit is brought in, it means there is an implicit or implied consent.
      – Clause b & c are nothing different from Section 12
      – As in the Aadhaar Act, alternatives to the SPD are also required
      – The appropriate protection given to the SPD should also be there in the Notice
  • 26. Sec 23-Parental Consent
    • Gap :
      – Parental consent clarity
    • Impact
      – Room for violation and litigation
    • Remedy
    • Explanation
      – In case a child is doing ok
      – What about opening the accounts of the child by the parent? What happens to such cases?
      – Does the website registration require parental consent? If the parent/child bypasses the same
  • 27. Sec 26-Right to data portability
    • Gap :
      – Authority to define the data portability
    • Impact
      – Room in technical terms for implementation
    • Remedy
      – Rewording to as defined by the authority
    • Explanation
      – UIDAI has done a lot of work on the standardisation as far as demographic standards are concerned. Refer
      – http://uidai.gov.in/UID_PDF/Committees/UID_DDSVP_Committee_Report_v1.0.pdf
      – Even for consent, MeitY has come out with the Electronic Consent framework
  • 28. 27. Right to Be Forgotten
    27. Right to Be Forgotten. —
    (1) The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure—
    (a) has served the purpose for which it was made or is no longer necessary;
    (b) was made on the basis of consent under section 12 and such consent has since been withdrawn; or
    (c) was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature.
    (2) Sub-section (1) shall only apply where the Adjudicating Officer under section 68 determines the applicability of clause (a), (b) or (c) of sub-section (1) and that the rights and interests of the data principal in preventing or restricting the continued disclosure of personal data override the right to freedom of speech and expression and the right to information of any citizen.
    Clarity required. Is it only with the adjudicator?
  • 29. 26-Right to data portability
    • Gap :
      – In writing is totally absurd - there are three instances of in writing
        • Sec 28(1)
        • Sec 28(4)
        • Sec 78(1)
    • Impact
      – Back tracking and leading to paperwork
    • Remedy
      • Rewording to request made electronically or in writing or explanation
    • Explanation
      IT Act 2000 Sec 4. “Legal Recognition of Electronic Records. - Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is - (a) Rendered or made available in an electronic form; and (b) accessible so as to be usable for a subsequent reference”
      Even after 18 years why are we talking about writing? The explanation of sec 4 of the IT Act may be given in all the 3 instances to reduce the ambiguity
  • 30. Sec 35. Data Audits
    (1) The data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.
    (2) The data auditor will evaluate the compliance of the data fiduciary with the provisions of this Act, including—
    • Please make certification of DSCI mandatory, like the Capital Market segment of NISM Examinations.
    • NASSCOM can take a lead in the same on the following lines
    • Eligibility Criteria for being an auditor:
      • 1. CISA/DISA/CISSP/CGEIT/CRISC + Privacy Lead Auditor certification of DSCI
    • The word “may” leaves room for doubt. Is there any other way the Data Score can be arrived at?
    • Whether there will be a standard checklist to arrive at the score or for audit?
  • 31. Sec 36- DPO
    36. Data Protection Officer. —
    (1) The data fiduciary shall appoint a data protection officer for carrying out the following functions—
    (a) providing information and advice to the data fiduciary on matters relating to fulfilling its obligations under this Act;
    Need clarity as to the reporting structure of the DPO. Will it be Regulatory Compliance, who in turn reports to the CRO, or will it be directly under compliance? The CISO cannot be a DPO. Here also, qualifications of DSCI have to be mandated by the regulator
  • 32. Type of Penalties (Sec 69 Penalties)
    • The fiduciary is categorized
      – Significant
      – Small Entity
      – Guardian
      – Normal (which does not fall in the three categories)
    • The Personal data is categorized
      – Personal data
      – Sensitive Personal data
      – Critical Data
    • This means that there are 12 types of data breaches (4 × 3)
      – The penalty should also be logically split into 12 categories and not one size fits all
  • 33. Transition provision
    • Existing data and new data classification is required
    • Clarity is needed on the data collected prior to the Act.
    • Data is already lying across backups and paper forms in multiple godowns and record keepers' offices.