SlideShare a Scribd company logo

PERSONAL-DATA-PROTECTION-BILL-2018.pptx

Download as PPTX, PDF
S
ssuser36d167

Data Protection

Law
1 of 23
PERSONAL DATA PROTECTION BILL, 2018
Why The Bill?  The data protection grew out of public concern about personal privacy in the face of rapidly developing computer technology.  It works in two ways : i. Gives certain rights to individual. ii. Obligate those who record and use personal information, to be open about that use. In JusticeK. S. Puttaswamy (Retd.)& Anr. v. Unionof India& Ors. (W.P. (Civil) No. 494 of 2012)  The SC has recognized right to privacy as a fundamental under Article 21 of the constitution.  Appointed Justice BN Srikrishna committee, which submitted the draft of Personal Data Protection Bill, 2018 (“the bill”) to Meity on 27 July 2018 along with the Committee Report (“the report”).
Personal Data Protection Bill, 2018 Three broad perspective to data protection are:  Laissez faire followed in US (constitutional understanding of liberty and freedom )  GDPR in EU (upholding dignity of an individual)  Data protection averting national security risks articulated by China (privileges of the collective over the individual) Important Terms  “Personal Data” shall mean all data relating to a natural person including data from which an individual may be identified or identifiable, either directly or indirectly.  ‘Processing’ is defined broadly as the performance of operations on Personal Data and will include, inter alia, collection, storage, retrieval, usage, disclosure, transfer, structuring, alignment or combination, indexation, and erasure.
Continued…  Sensitive Personal Data shall include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual,  The DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.  Data fiduciary: any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;  Data principal: the natural person to whom the personal data belongs to (an individual, a Hindu undivided family, a company, firm, state, juridical person).  Data processor: any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary.
Applicability The law will cover processing of personal data by both public and private entities. The bill administers all processing of personal data: i. within India. ii. by state, non-state or foreign entities, within India. iii. by data fiduciaries or data processors not present within India but having connection with any business in India. Exception: The bill is not applicable to anonymized data, this exclusion will not extend to mere de- identification, a potentially reversible process where identifiers have been removed, masked, or replaced with unique codes.
1. Personal information must be fairly and lawfully processed. 2. Personal information must be processed for limited purposes. 3. Information regarding data processing must be notified to Data principle. 4. Such Notification must be easily comprehensible and in multiple languages where necessary. 5.Personal information must be adequate, relevant and not misleading. It mostly incorporates obligation of Data fiduciary, much like GDPR:
6. Personal information must be accurate and up to date. 7. Personal information data must not be kept longer than is necessary. 8. Personal information data can be transferred to other countries only when authorized by the state. 9. Personal data processing should be in compliance with the Bill. Continued…
Section7: Lawful processing •Free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 •Informed, having regard to whether the data principal has notified of his/her data that is being processed •Specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing •Clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context CONSENT Section 12 •Explicit consent is a must in case of collection or processing of sensitive personal data •Compliance of section 12 and •Informed and draws attention of Data principle to the purpose of processing data •Clear, having regard to whether it is meaningful without recourse to inference from conduct in a context •Specific, weather data principles given a choice to separately providing consent to data processing EXPLICIT CONSENT Section 18
Section7: Lawful processing Chapter 3: Grounds for Processing Of Personal Data The Bill allows processing of data by fiduciaries if consent is provided. However, in certain circumstances, processing of data may be permitted without consent of the individual. These grounds include: i. if necessary for any function of Parliament or state legislature, or if required by the state for providing benefits to the individual, ii. if required under law or for the compliance of any court judgment, iii. to respond to a medical emergency, threat to public health or breakdown of public order, or, iv. for reasonable purposes specified by the Authority, related to activities such as fraud detection, debt recovery, and whistle blowing.
Section7: Lawful processing Chapter 4: Grounds For Processing Of Sensitive Personal Data With explicit consent by data principle and Allows for processing data in following grounds without any consent in cases : a. which require 'explicit consent of the principal, as explained under section 12 of the bill’. b. necessary for any function of Parliament or state legislature, or, if required by the state for providing benefits to the individual, or c. required under law or for the compliance of any court judgment. d. for prompt action during medical emergency, incident of public threat or any breakdown of any public order.
Personal Data And Sensitive Personal Data Of Children  Section 23 Data Fiduciaries are required to implement appropriate mechanisms for age verification and parental consent before Processing Personal Data of Children (persons below the age of 18 years) based on volume, proportion and possibility of harm to children arising out of processing of personal data.  Data fiduciaries who operate commercial websites or online services or who process large volumes of personal data of children are classified as Guardian Data Fiduciaries.  They shall be barred from profiling, tracking, or behavioral monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child. EXCEPTION: Guardian data fiduciary are providing counseling or child protection services to a child.
Data Principal Rights  Right to confirmation and access for every data that is being processed. (Section 24)  Right to correction: Principals may request the fiduciaries for any correction, completion or up-gradation of data, if required, denial of which has to be substantiated with reasonable justification. The fiduciary has to update the third party of the correction/up-gradation of personal data. (Section 25)  Right to Data Portability (Section 26) : Receive the personal data in a structured, commonly used and machine-readable format: i. Which such data principal has provided to the data fiduciary; ii. which has been generated in the course of provision of services or use of goods by the data fiduciary; or iii. which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained. Exception: (a) processing is necessary for functions of the State; (b) processing is in compliance of law; or (c) such compliance would reveal a trade secret of any data fiduciary or would not be technically feasible.
 Right to be forgotten (Section 28): The data principal may restrict or prevent continuing disclosure of personal data, in cases where the a) Applicability is determined by Adjudicating officer. (Section 68) b) Restriction of disclosure of personal data overrides the right to freedom of speech and expression and the right to information of any citizen. Continued…
Transparency And Accountability Measures  Transparency (Section 29): Data Fiduciary is obligated to implement policies and measures to anticipate, identify and avoid harm to Data Principal. Data Fiduciary must comply with the following (Section 29): 1. categories of collecting and the manner of collection of personal data. 2. the purposes for which personal data is generally processed. 3. any exceptional purpose of processing data that creates risk of significant harm. 4. the existence of and procedure for the exercise of data principal rights. 5. the existence of a right to file complaints to the Authority.
6. where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under section 35; 7. where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out;  Security Safeguards to be taken by Data fiduciaries as well as data principles.  Personal Data Breach The data fiduciary shall notify the Authority of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.  The notification to Data principle shall be sent only on directions given by DPA.  This shifts the burden of deciding the materiality of breaches from the Data Fiduciaries to DPA. Continued…
 Data Protection impact Assessment - A data protection impact assessment has to be undertaken if the data fiduciary intends to undertake any new processing technologies or large scale profiling or use sensitive PD or other processing which carries a risk of significant harm to data principals.  The authority shall, after the assessment, direct the fiduciary accordingly to cease or continue the processing.  Record Keeping and Audits - Accurate and up-to-date records of important operations in the data life-cycle have to be maintained by the data fiduciary.  The data fiduciary has to conduct an annual audit of its policies and processing of PD by an independent data auditor, who will evaluate the compliance of the data fiduciary with the bill.  Significant Data Fiduciaries – The DPA shall notify certain data fiduciaries as significant fiduciaries based on the volume and sensitivity of Personal Data Processed.  They are subject to enhanced obligations such as impact assessment, registration, audit, and appointment of a Data Protection Officer (DPO).  Foreign Data Fiduciaries carrying out any processing must appoint an India based DPO.  In any event, every Data Fiduciary must have a Grievance Redressal Officer. Continued…
 Significant Data Fiduciaries – The DPA shall notify certain data fiduciaries as significant fiduciaries based on the volume and sensitivity of Personal Data Processed.  They are subject to enhanced obligations such as impact assessment, registration, audit, and appointment of a Data Protection Officer (DPO).  Foreign Data Fiduciaries carrying out any processing must appoint an India based DPO.  In any event, every Data Fiduciary must have a Grievance Redressal Officer. Continued…
 Critical Personal Data - Critical Personal Data as categorized by DPA, can be stored only on Indian servers. [Section 40(2)]  Cross-Border Transfer – Personal data (except sensitive personal data) may be transferred outside India under certain conditions. These include: (i) where the central government has prescribed that transfers to a particular country are permissible, or (ii) where the Authority approves the transfer in a situation of necessity. [Section 41]  Exemptions – The Bill provides exemptions from compliance with its provisions, for certain reasons including: i. state security, ii. prevention, investigation, or prosecution of any offence, or iii. personal, domestic, or journalistic purposes. Chapter IX of the Bill Transfer Of Personal Data Outside India
 Independent body called the Data Protection Authority of India.  Establishment of Independent Appellate Tribunals.  Wide range of duties of DPA such as identifying additional categories of SPD and grounds for Processing Personal Data; mandating breach notifications to Data Principals; prescribing various codes of practice including for notice, transparency, security standards, de-identification and anonymization, contractual clauses and inter-group schemes for cross-border transfer;  Powers of DPA: a) calling for information; b) conducting inquiries; c) issuing codes of practice; and d) issuing directions to Data Fiduciaries or data processors. These directions may range from restricting operations to prohibiting cross-border data flows. The DPA is also conferred search and seizure powers and powers of attachment of property to recover penalties. RegulatoryAuthorities
 Civil Penalties: For violation of provisions under transparency , monetary penalty shall 5-15 crore rupees or 2% -4% of the total worldwide turnover of the Data Fiduciary in its preceding financial year, whichever is higher, depending on the severity of the case.  Criminal Penalties: Imprisonment (ranging from 3 to 5 years) is prescribed for persons who knowingly, intentionally, or recklessly obtain, disclose, transfer or sell Personal Data (or SPD) provided that such acts result in harm to a Data Principal.  A new offense has been proposed for knowingly reversing de-identification  Compensation – The Bill also provides for any data principal who has suffered harm as a result of any violation of any provision under this Act, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor. (Section 74) Offences And Penalties
 The Bill proposes amendments in certain laws:  omission of 43A and Section 87 of the Information Technology Act, 2000, and amendment in Section 8 of the IT Act, 2000 and the Census Act, 1948.  Bill provides minimum data protection standards for all data processing in the country. In the event of inconsistency, the standards set in the data privacy law will apply to the processing of data.  The Committee recommended amendments to the Aadhaar Act, 2016 to bolster its data protection framework Section 111 and 112 of the Bill AmendmentsTo Other Laws
 Sought extensive changes in the mechanism of existing data protection regime in India.  Personal data has been treated as a trust and not as a property.  The Act has provided wider discretion to the Data Protection Authority.  Since the law does not have retrospective effect, it is unclear as to how the processing of personal data collected before the law comes into force, will be governed.  Localization Of Data: To meet this expectation, companies would need to spend huge amounts on setting up local servers, among other things.  How the Right to be forgotten, Right to access, and other rights being extended to data principals will be exercised. has not be dealt Observations
THANK YOU

Recommended

Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityEmerson Bryan
 
India's Data Protection Law 2018- Future Road Ahead
India's Data Protection Law 2018- Future Road AheadIndia's Data Protection Law 2018- Future Road Ahead
India's Data Protection Law 2018- Future Road AheadEquiCorp Associates
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfDaviesParker
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRNupur Samaddar
 
China-PIPL.pdf
China-PIPL.pdfChina-PIPL.pdf
China-PIPL.pdfDaviesParker
 
Digital Personal Data Protection Bill 2023 PPT.pptx
Digital Personal Data Protection Bill 2023 PPT.pptxDigital Personal Data Protection Bill 2023 PPT.pptx
Digital Personal Data Protection Bill 2023 PPT.pptxRohanTyagi57
 

Recommended

Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityEmerson Bryan
 
India's Data Protection Law 2018- Future Road Ahead
India's Data Protection Law 2018- Future Road AheadIndia's Data Protection Law 2018- Future Road Ahead
India's Data Protection Law 2018- Future Road AheadEquiCorp Associates
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfDaviesParker
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRNupur Samaddar
 
China-PIPL.pdf
China-PIPL.pdfChina-PIPL.pdf
China-PIPL.pdfDaviesParker
 
Digital Personal Data Protection Bill 2023 PPT.pptx
Digital Personal Data Protection Bill 2023 PPT.pptxDigital Personal Data Protection Bill 2023 PPT.pptx
Digital Personal Data Protection Bill 2023 PPT.pptxRohanTyagi57
 
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdfDIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdfDaviesParker
 
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptxDIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptxVijay Dalmia
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in MalaysiaMSC Malaysia Cybercentre @ Bangsar South City
 
Digital personal data protection BILL.docx
Digital personal data protection BILL.docxDigital personal data protection BILL.docx
Digital personal data protection BILL.docxgabbarsk3
 
Asia Counsel Insights May 2023
Asia Counsel Insights May 2023Asia Counsel Insights May 2023
Asia Counsel Insights May 2023Minh Duong
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...Dr. Oliver Massmann
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataRenato Monteiro
 
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfAHRP Law Firm
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfDaviesParker
 
Managing Data Protection guide powerpoint presentation
Managing Data Protection guide powerpoint presentationManaging Data Protection guide powerpoint presentation
Managing Data Protection guide powerpoint presentationsilvereyez11
 
Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019Nanda Mohan Shenoy
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdfPriyanka Aash
 
Freedom of Information and Data Protection
Freedom of Information and Data ProtectionFreedom of Information and Data Protection
Freedom of Information and Data ProtectionEquiGov Institute
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfEconomic Laws Practice
 
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIA
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIADR. OLIVER MASSMANN - PRIVACY LAWS IN ASIA
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIADr. Oliver Massmann
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfInternet Law Center
 
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...Sanjeev Bharwan
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝soniya singh
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书Fs Las
 

More Related Content

Similar to PERSONAL-DATA-PROTECTION-BILL-2018.pptx

DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdfDIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdfDaviesParker
 
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptxDIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptxVijay Dalmia
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Digital personal data protection BILL.docx
Digital personal data protection BILL.docxDigital personal data protection BILL.docx
Digital personal data protection BILL.docxgabbarsk3
 
Asia Counsel Insights May 2023
Asia Counsel Insights May 2023Asia Counsel Insights May 2023
Asia Counsel Insights May 2023Minh Duong
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...Dr. Oliver Massmann
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataRenato Monteiro
 
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfAHRP Law Firm
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfDaviesParker
 
Managing Data Protection guide powerpoint presentation
Managing Data Protection guide powerpoint presentationManaging Data Protection guide powerpoint presentation
Managing Data Protection guide powerpoint presentationsilvereyez11
 
Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019Nanda Mohan Shenoy
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
Freedom of Information and Data Protection
Freedom of Information and Data ProtectionFreedom of Information and Data Protection
Freedom of Information and Data ProtectionEquiGov Institute
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfEconomic Laws Practice
 
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIA
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIADR. OLIVER MASSMANN - PRIVACY LAWS IN ASIA
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIADr. Oliver Massmann
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfInternet Law Center
 
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...Sanjeev Bharwan
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 

Similar to PERSONAL-DATA-PROTECTION-BILL-2018.pptx (20)

DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdfDIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
 
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptxDIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in Malaysia
 
Digital personal data protection BILL.docx
Digital personal data protection BILL.docxDigital personal data protection BILL.docx
Digital personal data protection BILL.docx
 
Asia Counsel Insights May 2023
Asia Counsel Insights May 2023Asia Counsel Insights May 2023
Asia Counsel Insights May 2023
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
 
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdf
 
Managing Data Protection guide powerpoint presentation
Managing Data Protection guide powerpoint presentationManaging Data Protection guide powerpoint presentation
Managing Data Protection guide powerpoint presentation
 
Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019Feedback on Personal Data Protection Bill 2019
Feedback on Personal Data Protection Bill 2019
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Freedom of Information and Data Protection
Freedom of Information and Data ProtectionFreedom of Information and Data Protection
Freedom of Information and Data Protection
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
 
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIA
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIADR. OLIVER MASSMANN - PRIVACY LAWS IN ASIA
DR. OLIVER MASSMANN - PRIVACY LAWS IN ASIA
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
 
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
HOW TO PROCESS DATA IN VARIOUS GEO'S A COMPARATIVE ANALYSIS BY SANJEEV SINGH...
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislation
 

Recently uploaded

Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝soniya singh
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书Fs Las
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书FS LS
 
如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书Fir L
 
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书Fs Las
 
如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书Fir L
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesHome Tax Saver
 
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书SD DS
 
POLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxPOLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxAbhishekchatterjee248859
 
如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书Fir L
 
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Dr. Oliver Massmann
 
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSVIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSDr. Oliver Massmann
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix
 
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书SD DS
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书Fir L
 
A Short-ppt on new gst laws in india.pptx
A Short-ppt on new gst laws in india.pptxA Short-ppt on new gst laws in india.pptx
A Short-ppt on new gst laws in india.pptxPKrishna18
 
如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书Fir sss
 

Recently uploaded (20)

Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
 
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
 
如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书
 
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
 
如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax Rates
 
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
 
POLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxPOLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptx
 
如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书
 
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
 
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
 
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSVIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A History
 
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
 
A Short-ppt on new gst laws in india.pptx
A Short-ppt on new gst laws in india.pptxA Short-ppt on new gst laws in india.pptx
A Short-ppt on new gst laws in india.pptx
 
Old Income Tax Regime Vs New Income Tax Regime
Old Income Tax Regime Vs New Income Tax RegimeOld Income Tax Regime Vs New Income Tax Regime
Old Income Tax Regime Vs New Income Tax Regime
 
如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书
 

PERSONAL-DATA-PROTECTION-BILL-2018.pptx

  • 2. Why The Bill?  The data protection grew out of public concern about personal privacy in the face of rapidly developing computer technology.  It works in two ways : i. Gives certain rights to individual. ii. Obligate those who record and use personal information, to be open about that use. In JusticeK. S. Puttaswamy (Retd.)& Anr. v. Unionof India& Ors. (W.P. (Civil) No. 494 of 2012)  The SC has recognized right to privacy as a fundamental under Article 21 of the constitution.  Appointed Justice BN Srikrishna committee, which submitted the draft of Personal Data Protection Bill, 2018 (“the bill”) to Meity on 27 July 2018 along with the Committee Report (“the report”).
  • 3. Personal Data Protection Bill, 2018 Three broad perspective to data protection are:  Laissez faire followed in US (constitutional understanding of liberty and freedom )  GDPR in EU (upholding dignity of an individual)  Data protection averting national security risks articulated by China (privileges of the collective over the individual) Important Terms  “Personal Data” shall mean all data relating to a natural person including data from which an individual may be identified or identifiable, either directly or indirectly.  ‘Processing’ is defined broadly as the performance of operations on Personal Data and will include, inter alia, collection, storage, retrieval, usage, disclosure, transfer, structuring, alignment or combination, indexation, and erasure.
  • 4. Continued…  Sensitive Personal Data shall include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual,  The DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.  Data fiduciary: any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;  Data principal: the natural person to whom the personal data belongs to (an individual, a Hindu undivided family, a company, firm, state, juridical person).  Data processor: any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary.
  • 5. Applicability The law will cover processing of personal data by both public and private entities. The bill administers all processing of personal data: i. within India. ii. by state, non-state or foreign entities, within India. iii. by data fiduciaries or data processors not present within India but having connection with any business in India. Exception: The bill is not applicable to anonymized data, this exclusion will not extend to mere de- identification, a potentially reversible process where identifiers have been removed, masked, or replaced with unique codes.
  • 6. 1. Personal information must be fairly and lawfully processed. 2. Personal information must be processed for limited purposes. 3. Information regarding data processing must be notified to Data principle. 4. Such Notification must be easily comprehensible and in multiple languages where necessary. 5.Personal information must be adequate, relevant and not misleading. It mostly incorporates obligation of Data fiduciary, much like GDPR:
  • 7. 6. Personal information must be accurate and up to date. 7. Personal information data must not be kept longer than is necessary. 8. Personal information data can be transferred to other countries only when authorized by the state. 9. Personal data processing should be in compliance with the Bill. Continued…
  • 8. Section7: Lawful processing •Free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 •Informed, having regard to whether the data principal has notified of his/her data that is being processed •Specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing •Clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context CONSENT Section 12 •Explicit consent is a must in case of collection or processing of sensitive personal data •Compliance of section 12 and •Informed and draws attention of Data principle to the purpose of processing data •Clear, having regard to whether it is meaningful without recourse to inference from conduct in a context •Specific, weather data principles given a choice to separately providing consent to data processing EXPLICIT CONSENT Section 18
  • 9. Section7: Lawful processing Chapter 3: Grounds for Processing Of Personal Data The Bill allows processing of data by fiduciaries if consent is provided. However, in certain circumstances, processing of data may be permitted without consent of the individual. These grounds include: i. if necessary for any function of Parliament or state legislature, or if required by the state for providing benefits to the individual, ii. if required under law or for the compliance of any court judgment, iii. to respond to a medical emergency, threat to public health or breakdown of public order, or, iv. for reasonable purposes specified by the Authority, related to activities such as fraud detection, debt recovery, and whistle blowing.
  • 10. Section7: Lawful processing Chapter 4: Grounds For Processing Of Sensitive Personal Data With explicit consent by data principle and Allows for processing data in following grounds without any consent in cases : a. which require 'explicit consent of the principal, as explained under section 12 of the bill’. b. necessary for any function of Parliament or state legislature, or, if required by the state for providing benefits to the individual, or c. required under law or for the compliance of any court judgment. d. for prompt action during medical emergency, incident of public threat or any breakdown of any public order.
  • 11. Personal Data And Sensitive Personal Data Of Children  Section 23 Data Fiduciaries are required to implement appropriate mechanisms for age verification and parental consent before Processing Personal Data of Children (persons below the age of 18 years) based on volume, proportion and possibility of harm to children arising out of processing of personal data.  Data fiduciaries who operate commercial websites or online services or who process large volumes of personal data of children are classified as Guardian Data Fiduciaries.  They shall be barred from profiling, tracking, or behavioral monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child. EXCEPTION: Guardian data fiduciary are providing counseling or child protection services to a child.
  • 12. Data Principal Rights  Right to confirmation and access for every data that is being processed. (Section 24)  Right to correction: Principals may request the fiduciaries for any correction, completion or up-gradation of data, if required, denial of which has to be substantiated with reasonable justification. The fiduciary has to update the third party of the correction/up-gradation of personal data. (Section 25)  Right to Data Portability (Section 26) : Receive the personal data in a structured, commonly used and machine-readable format: i. Which such data principal has provided to the data fiduciary; ii. which has been generated in the course of provision of services or use of goods by the data fiduciary; or iii. which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained. Exception: (a) processing is necessary for functions of the State; (b) processing is in compliance of law; or (c) such compliance would reveal a trade secret of any data fiduciary or would not be technically feasible.
  • 13.  Right to be forgotten (Section 28): The data principal may restrict or prevent continuing disclosure of personal data, in cases where the a) Applicability is determined by Adjudicating officer. (Section 68) b) Restriction of disclosure of personal data overrides the right to freedom of speech and expression and the right to information of any citizen. Continued…
  • 14. Transparency And Accountability Measures  Transparency (Section 29): Data Fiduciary is obligated to implement policies and measures to anticipate, identify and avoid harm to Data Principal. Data Fiduciary must comply with the following (Section 29): 1. categories of collecting and the manner of collection of personal data. 2. the purposes for which personal data is generally processed. 3. any exceptional purpose of processing data that creates risk of significant harm. 4. the existence of and procedure for the exercise of data principal rights. 5. the existence of a right to file complaints to the Authority.
  • 15. 6. where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under section 35; 7. where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out;  Security Safeguards to be taken by Data fiduciaries as well as data principles.  Personal Data Breach The data fiduciary shall notify the Authority of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.  The notification to Data principle shall be sent only on directions given by DPA.  This shifts the burden of deciding the materiality of breaches from the Data Fiduciaries to DPA. Continued…
  • 16.  Data Protection impact Assessment - A data protection impact assessment has to be undertaken if the data fiduciary intends to undertake any new processing technologies or large scale profiling or use sensitive PD or other processing which carries a risk of significant harm to data principals.  The authority shall, after the assessment, direct the fiduciary accordingly to cease or continue the processing.  Record Keeping and Audits - Accurate and up-to-date records of important operations in the data life-cycle have to be maintained by the data fiduciary.  The data fiduciary has to conduct an annual audit of its policies and processing of PD by an independent data auditor, who will evaluate the compliance of the data fiduciary with the bill.  Significant Data Fiduciaries – The DPA shall notify certain data fiduciaries as significant fiduciaries based on the volume and sensitivity of Personal Data Processed.  They are subject to enhanced obligations such as impact assessment, registration, audit, and appointment of a Data Protection Officer (DPO).  Foreign Data Fiduciaries carrying out any processing must appoint an India based DPO.  In any event, every Data Fiduciary must have a Grievance Redressal Officer. Continued…
  • 17.  Significant Data Fiduciaries – The DPA shall notify certain data fiduciaries as significant fiduciaries based on the volume and sensitivity of Personal Data Processed.  They are subject to enhanced obligations such as impact assessment, registration, audit, and appointment of a Data Protection Officer (DPO).  Foreign Data Fiduciaries carrying out any processing must appoint an India based DPO.  In any event, every Data Fiduciary must have a Grievance Redressal Officer. Continued…
  • 18.  Critical Personal Data - Critical Personal Data as categorized by DPA, can be stored only on Indian servers. [Section 40(2)]  Cross-Border Transfer – Personal data (except sensitive personal data) may be transferred outside India under certain conditions. These include: (i) where the central government has prescribed that transfers to a particular country are permissible, or (ii) where the Authority approves the transfer in a situation of necessity. [Section 41]  Exemptions – The Bill provides exemptions from compliance with its provisions, for certain reasons including: i. state security, ii. prevention, investigation, or prosecution of any offence, or iii. personal, domestic, or journalistic purposes. Chapter IX of the Bill Transfer Of Personal Data Outside India
  • 19.  Independent body called the Data Protection Authority of India.  Establishment of Independent Appellate Tribunals.  Wide range of duties of DPA such as identifying additional categories of SPD and grounds for Processing Personal Data; mandating breach notifications to Data Principals; prescribing various codes of practice including for notice, transparency, security standards, de-identification and anonymization, contractual clauses and inter-group schemes for cross-border transfer;  Powers of DPA: a) calling for information; b) conducting inquiries; c) issuing codes of practice; and d) issuing directions to Data Fiduciaries or data processors. These directions may range from restricting operations to prohibiting cross-border data flows. The DPA is also conferred search and seizure powers and powers of attachment of property to recover penalties. RegulatoryAuthorities
  • 20.  Civil Penalties: For violation of provisions under transparency , monetary penalty shall 5-15 crore rupees or 2% -4% of the total worldwide turnover of the Data Fiduciary in its preceding financial year, whichever is higher, depending on the severity of the case.  Criminal Penalties: Imprisonment (ranging from 3 to 5 years) is prescribed for persons who knowingly, intentionally, or recklessly obtain, disclose, transfer or sell Personal Data (or SPD) provided that such acts result in harm to a Data Principal.  A new offense has been proposed for knowingly reversing de-identification  Compensation – The Bill also provides for any data principal who has suffered harm as a result of any violation of any provision under this Act, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor. (Section 74) Offences And Penalties
  • 21.  The Bill proposes amendments in certain laws:  omission of 43A and Section 87 of the Information Technology Act, 2000, and amendment in Section 8 of the IT Act, 2000 and the Census Act, 1948.  Bill provides minimum data protection standards for all data processing in the country. In the event of inconsistency, the standards set in the data privacy law will apply to the processing of data.  The Committee recommended amendments to the Aadhaar Act, 2016 to bolster its data protection framework Section 111 and 112 of the Bill AmendmentsTo Other Laws
  • 22.  Sought extensive changes in the mechanism of existing data protection regime in India.  Personal data has been treated as a trust and not as a property.  The Act has provided wider discretion to the Data Protection Authority.  Since the law does not have retrospective effect, it is unclear as to how the processing of personal data collected before the law comes into force, will be governed.  Localization Of Data: To meet this expectation, companies would need to spend huge amounts on setting up local servers, among other things.  How the Right to be forgotten, Right to access, and other rights being extended to data principals will be exercised. has not be dealt Observations