Preparing for India’s Data Protection Bill

1. 1
1
© 2022 TrustArc Inc. Proprietary and Confidential Information.
Preparing For India’s Data Protection Bill
January 25th, 2022

2. 2
2
Speakers
K Royal, Ph.D.
Associate General Counsel,
Privacy Intel
TrustArc
Meaghan McCluskey
Associate General Counsel,
Research
TrustArc

3. 3
3
Agenda
• The key components of the India’s Data Protection Bill
• The PDPB’s implications to your business
• The similarities and differences with the other global regulations (GDPR, PIPL, LGPD)

4. 4
4
Key Components - Application
The bill applies to:
• Personal data collected, stored, disclosed, shared or
otherwise processed within India;
• Processing of personal data by any person under Indian law;
• Foreign data fiduciaries or data processors, if such
processing is in connection with:
○ any business carried on in India;
○ any systematic activity of offering goods or services to
data principals within India; or
○ any activity which involves profiling of data principals
within India.
• Processing of non-personal data including anonymised personal data.

5. 5
5
Key Components - Definitions
Personal Data means data about or relating to a natural person who is directly or indirectly
identifiable, having regard to any characteristic, trait, attribute or any other feature of the
identity of such natural person, whether online or offline, or any combination of such
features with any other information, and shall include any inference drawn from such data
for the purpose of profiling;
Entities deciding the purposes and means of processing: Data Fiduciaries
Natural persons whose personal data is being processed: Data Principals
Sensitive Personal Data includes GDPR categories (except trade union membership) and
adds official identifiers, financial data, transgender and intersex status, caste or tribe.

6. 6
6
Key Components - Obligations for All
• Fair and reasonable processing
• Purpose specification
• Data minimization
• Limited retention
• Transparency (notice in multiple languages,
• fairness of algorithms, data trust scores)
• Data quality (heightened accuracy for
decision-making and disclosures)
• Accountability
Data Privacy Principles

7. 7
7
Key Components - Obligations for All
• Consent:
○ Free, informed, specific, clear, and capable of being withdrawn.
○ Explicitly obtained for sensitive data (cannot infer consent by conduct or context).
• If necessary under any law;
• For compliance with any judgment or order of any court, quasi-judicial authority or
Tribunal in India;
• For employment:
○ recruitment or termination, provision of benefits;
○ verify attendance, and performance assessment.
• Processing is necessary for “reasonable purposes” set out in Regs:
○ Examples: fraud detection, whistleblowing, mergers & acquisitions, credit scoring, network
and information security, debt collection, publicly available data, and search engines.
Legal Grounds for Processing (a selection…)

8. 8
8
Key Components - Obligations for All
• Children & Minors:
○ Age verification - parental consent required for <18;
○ No profiling, tracking, behavioural monitoring or targeted advertising to children;
○ No processing of personal data that can cause “significant harm” to the child.
○ Explicitly obtained for sensitive data (cannot infer consent by conduct or context).
• Privacy by Design:
○ Policy required; can get certified.
• Security Safeguards
• Breach Notification:
○ Notify the DPA within 72 hours, DPA decides whether to notify data principals.
○ DPA shall take other necessary steps in case of breach of non-personal data.

9. 9
9
Key Components - Obligations for All
• Data processors:
○ Contract necessary.
○ Data processors cannot involve a subprocessor w/o data fiduciary authorisation.
○ Only process personal data in accordance with instructions and treat as confidential.
• Grievance redressal mechanism:
○ DPO or other designated individual must resolve complaints within 30 days.
• Data Localization:
○ Must keep a copy of sensitive personal data in India (even if transferring abroad).
○ Critical personal data shall only be processed in India (to be defined).
• Cross Border Transfers:
○ Sensitive personal data transferred only with explicit consent and approved contract or
intra-group scheme, adequacy determination, otherwise allowed for a specific purpose.

10. 10
10
Key Components - Data Principals’ Rights
• Confirmation & Access:
○ In a manner that is easily comprehensible to a
reasonable individual in a similar context;
○ Identify the identities of data fiduciaries with whom
personal data has been shared.
• Correction & Rectification
• Data Portability (unless not technically feasible)
• Right to be Forgotten & Restriction (only on order
of an Adjudicating Officer)

11. 11
11
Key Components - Obligations for Some… Significant Fiduciaries
• Register with the DPA.
• Appoint a DPO.
• DPIAs (DPOs to review and submit to DPA):
○ New tech, Large scale processing, Sensitive personal data;
○ Any processing that carries a risk of significant harm to
data principals.
• Maintain Records:
○ Important operations in the data life cycle;
○ Periodic reviews of security safeguards;
○ DPIAs.
• Annual Independent Audits.

12. 12
12
Key Components - Others
• Social Media Platforms:
○ To be treated as significant data fiduciaries if they
have a certain number of users and their actions have
or are likely to have a significant impact on the
sovereignty and integrity of India, electoral
democracy, security of the State or public order.
○ Enable persons who register for their services to
voluntarily verify their account.
• Government Agencies & Data Processors:
○ May be exempted from the Act.

13. 13
13
Key Components - Penalties & Fines
• DPA can:
○ Order suspension or discontinuation of processing activities;
○ Vary, suspend or cancel any granted registrations.
• Penalties to be set out in regulations, but where not
specified, subject to a maximum of ~$135,000 USD
in case of significant data fiduciaries and ~$33,500 in
other cases.
• Representative actions may be filed with the DPA on
behalf of a group of data principals.

14. 14
14
PDPB’s Implications

15. 15
15
Comparison against other Global Laws
Definition of
Personal Information
CCPA / CPRA GDPR PIPL PDPB
information that identifies,
relates to, describes, is
capable of being
associated with, or could
reasonably be linked,
directly or indirectly, with a
particular consumer or
household (followed by
specifics)
information relating to an
identified or identifiable
natural person (ʻdata
subjectʼ); an identifiable
natural person is one who
can be identified, directly
or indirectly, in particular
by reference to an identifier
such as a name, an
identification number,
location data, an online
identifier or to one or more
factors specific to the
physical, physiological,
genetic, mental, economic,
cultural or social identity of
that natural person;
all kinds of information,
recorded by electronic or
other means, related to
identified or identifiable
natural persons, not
including information after
anonymization handling
Personal data is data
about or relating to a
natural person who is
directly or indirectly
identifiable, having regard
to any characteristic, trait,
attribute or any other
feature of the identity of
such natural person,
whether online or
offline, or any
combination of such
features with any
other information, and
shall include any
inference drawn
from such data for the
purpose of profiling

16. 16
16
Sensitive Data CCPA / CPRA GDPR PIPL PDPB
Racial or ethnic origin X X i X (adds caste & tribe)
Religious & Philosophical Belief X X i X
Political opinions X i X
Union membership X X
Mental or physical health X X X X
Sexual orientation or sex life X X i X (adds intersex &
transgender status)
Citizenship or immigration i
Genetic or biometric data X X X X
Precise geolocation X X
Govt-issued ID numbers X i X
Account access credentials X i X (financial accounts)
Financial Accounts /
Information
X X

17. 17
17
CCPA / CPRA GDPR PIPL PDPB
Sensitive Data Consent No / CPRA - may limit Yes, explicit consent Yes, separate consent Yes, Explicit Consent
Minors, Age <13, 13-15 <16 (member states cannot
go <13)
<14 <18
Applies B2B No (CCPA moratorium) Yes Yes Yes
Applies to Employees No (CCPA moratorium) Yes Yes Yes
Sale / Sharing Data Expansive Expansive Expansive Expansive
Opt-outs Sell / CPRA Share Right to object Sensitive data, transfers,
ads
Right to Withdraw Consent
Vendor Contract
Requirements
Yes Yes Yes Yes
Security Audits No / CPRA Yes No No Yes
DPIA / PIAs Yes (CPRA) Yes Yes Yes
(significant data fiduciaries)

18. 18
18
Legal Basis for
Processing
CCPA / CPRA GDPR PIPL PDPB
Consent Opt-in for minors
If financial incentives
X X X
Contract (as party) X X
Legal obligation X X X
HR purposes X X
Vital interests X X (incl. property)
Public interest X X X
Legitimate interests X X (reasonable purposes)
Lawfully disclosed X X (within rules) X
Other under law X (member states) X X

19. 19
19
Individual Rights CCPA / CPRA GDPR PIPL PDPB
Know
(transparency, notice,
confirm)
X X X X
Access X X X X
Rectification X X X X
Erasure X X X X (only on order by
Adjudicating Officer)
Restriction X X (if cannot delete) X (only on order by
Adjudicating Officer)
Portability O X X X
Objection X (minors, sell / share) X X
Automated Decision-Making X X X
Non-discrimination X X X

20. 20
20
Thank You!
See http://www.trustarc.com/insightseries for the
2021 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.