2. Regulation as a Facilitator
Privacy
• Control over data
• Transfer to jurisdictions with less protection
Cybersecurity
• In 2015, 70% of all internet traffic was passing through cloud data centers – how secure is
that cloud?
Law enforcement
• Government access
• Data localization
• Solutions – MLATs and data sharing agreements
Competition
• Protect domestic companies from online competition
Equating digital and non-digital players
• TSPs v. OTTs
3. Changing Landscape of Privacy and Data Protection in India
India, the largest consumer of mobile data in the world, is acknowledging the importance of
data, its uses and security.
The Apex court declared the right to privacy as a fundamental right guaranteed under the
Constitution.
In December 2019, the Indian Government introduced in the lower house of parliament the
Personal Data Protection Bill, 2019.
On December 12, 2019, the Bill was referred to a Joint Parliamentary Committee (“JPC”) for
further debate and examination.
Presently stakeholder recommendations are invited by the JPC until 25th February 2020.
JPC to submit its report to Parliament by mid-end March.
4. Existing Framework
The Information Technology Act, 2000
The Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011
• Protects ‘Sensitive Personal Data’
• Purpose, collection and storage limitation
• Privacy Policy and disclosures
• Consent requirements
• Transfers
• Reasonable security practices and procedures
• Grievance officer
State of compliance
Sectoral requirements
• Data localization – banking and payments, insurance, telecom
5. Overview of the Personal Data Protection Bill, 2019
Applicability
• Extra-territorial
• Exemption for manual processing and outsourcing activities in certain cases
Wider categories of data protected
• Personal data
• Sensitive personal data – biometric, financial, religious, caste data included
Peculiarities in other categories of data
• Critical personal data (no guidance)
• Anonymized / non-personal data (Government requests)
Enhanced data controller obligations
• Notice and consent requirements – for personal and sensitive data
• Purpose, collection and storage limitations
• Privacy by design
• Transparency and security safeguards (CoPs)
• Data breach notifications (to DPA)
Significant data fiduciary
• Impact assessments
• Maintenance of records and audits
• Data protection officer
• Social media intermediaries
6. Overview of the Personal Data Protection Bill, 2019 (contd.)
Rights conferred on data subjects (flavors of GDPR)
• Confirmation and access
• Correction and erasure
• Data portability (extends to data generated by fiduciary and profile data)
• Right to be forgotten (limited right)
Special provisions on children’s data
• Age-verification and parental consent
• Guardian data fiduciary
• Restrictions in profiling, tracking, monitoring, targeted advertising directed at children or other
potentially harmful activities
Independent Data Protection Authority
• Codes of Practice
Regulatory sandbox
Enhanced penalties linked to % of worldwide turnover in some grave cases
7. Data Localization and Cross-Border Data Transfers - Sensitive Personal Data
[Diagram: Data Principal, Data Fiduciary, Data Processor and Server / Data Centre, shown across INDIA and Overseas]
• Data transfer (unless categorized as Critical Personal Data)
• Explicit consent
- Data Protection Authority approved contract or intra-group schemes, or
- Transfer to Government notified countries or class of entities or international organizations; or
- DPA approved transfer for a specific purpose
• Data copy stored (unless specifically exempted by the Central Government)