After the government dropped its Personal Data Protection Bill earlier this year, India’s parliament published the Digital Personal Data Protection Bill in late November as a second attempt at a comprehensive data privacy law for the region. Despite having many of the same elements as the other bill, the present draft is more succinct, focused on core privacy principles, consumer rights, and business obligations.

This latest iteration outlines explicit consent requirements, proposes penalties, addresses cross-border data transfers, and more.

With low applicability thresholds for the multitude of companies that have business operations of all types in India, this has significant potential ramifications. We believe this version has sufficient backing and support to pass in late Spring or early Summer next year, making it a very important legislation to watch.

Let’s review the compliance requirements and elements released thus far.

Scope

Covers all digital data, including digitized documents, for any entity processing the personal data of principals in India.

Notice & Consent

In likeness to the previously proposed bill, the Digital Personal Data Protection Bill outlines how organizations, called Data Fiduciaries, must present a clear, itemized notice to obtain consent from consumers when processing data that adequately describe processing purposes and offer the option to withdraw consent.

Notice will have to be provided and consent will have to be given again once the act passes, even if consent was received in the past. Fair and reasonable expectations and purposes for data collection are noted in line with GDPR’s ‘legitimate interest’, and employment data is now within scope mirroring CPRA.

Data Collection & Accuracy

Data collection must be executed only for specific needs and purposes, encouraging entities to practice data collection minimization with an emphasis on data accuracy. Options must be given to Data Principals for the collection of additional data outside of what is necessary for the business purpose.

Use & Storage Limitation

Entities can only use the data collected for the purpose consented to by the Data Principal and retained for only as long as required before being deleted or anonymized.

Third-Party Data Disclosure

Data Principal information can only be shared with third parties with explicit consent.

Data Security

Data Fiduciaries must employ adequate security safeguards and precautions.

Accountability

Data Fiduciaries will always be held accountable, indicating that businesses must include ‘demonstrability of responsibility’ into daily privacy operations, a trend we are now seeing internationally. This fiduciary accountability can be a significant liability to an organization, the extent of which is not yet well established.

Data Principal Rights

• Right to confirmation
  • Must disclose whether or not a Data Fiduciary has or is processing personal data.
• Right to access
  • Transparency of what data is held and how it is used.
• Right to know
  • Must disclose all Data Fiduciaries with which data has been shared and which types.
• Right to correction
• Right to erasure
• Right of grievance redressal
  • Data Fiduciaries have a 7-day response window before the Data Principal can file a complaint with the Data Protection Board.
• Right to nominate
  • Gives Data Principal rights to an acting entity should the DP suffer death or incapacitation.

Data Principal Duties

Interestingly, the DPDPB outlines a duty for Data Principals to share accurate information, with penalties of 10k should the DP provide fraudulent information.

Breach Notification

Data breaches are required to be reported to the Data Protection Board and the Data Principal, and failure to notify can result in penalties.

Children’s Data

Data Fiduciaries must:

• Obtain verifiable parental consent
• Not processing data that could cause harm
• Not tracking and behavior monitoring
• Avoid targeted advertising

Data Fiduciary Categories

Significant Data Fiduciary (SDF)

• The SDF category has not been specifically defined by the Bill. It’s anticipated that notification will come later to define more clearly who would be in scope. It is anticipated that this policy would apply to pretty much everyone who performs data processing that could be deemed risky. Once this is outlined, SDFs will have to:
  • Appoint a Data Protection Officer
  • Appoint a Data Auditor
  • Complete DPIAs and audits in accordance with the law

Cross Border Data Transfer

The Indian government will notate regions with which personal data transfer is permitted. The potential for cross-border transfers is a win for large and tech-based companies while also giving the federal government the allowance to make exemptions in the interest of national security.

Exemptions

A source within the Ministry of Electronics and Information Technology said a potential exemption may be available for newly established start-up companies to enable time to develop privacy solutions, alleviating compliance burdens. Based on the quantity and type of Personal Data processed, some Data Fiduciaries may be exempt from certain regulations. However, the fundamental guidelines of only processing data for uses that the Data Principal has consented will be required of all Data Fiduciaries.

Penalties

The Indian Data Protection Board can issue penalties up to upto Rs.500 cr for complaints and other non-compliance penalties can be levied. While there was initial concern with other versions of the privacy legislation in Inda being ripe for overuse, this seems a more measured approach, again indicating likely passage.

The draft bill is under public consultation through December 17^th. Truyo will be closely monitoring any further information released about the Digital Personal Data Protection Bill as it becomes available.