2 August 2018
The Ministry of Electronics and Information Technology (‘MeitY’) published, on 27 July 2018, the Personal Data Protection Bill, 2018 (‘the Bill’) together with the Data Protection Committee Report submitted by the committee chaired by Justice BN Srikrishna. Both follow a white paper on the same subject that was released for public consultation on 27 November 2017. The Bill sets out how organisations would collect, process and store citizens’ data, and defines key concepts such as biometric data, consent, data fiduciary, data processor, financial data, health data, personal data and sensitive personal data.
Mathew Chacko, Partner at Spice Route Legal, told DataGuidance, “The Bill reflects a quantum leap for India’s data protection law. Like most attempts, it will require refining, which is a process that is in its early stage, with multiple reviews and debates. The Bill introduces significant changes to India’s data protection regime, including the concept of ‘data fiduciary’ similar to a data controller and ‘data principal’ similar to a data subject. This is a fairly complicated draft of the Bill that in many ways mirrors the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), which has been put forward after a detailed consultative effort and was probably the result of significant pressure from civil society, a directive from the Supreme Court and a general acceptance that the law, as it stands today, is inadequate.”
Chapter X of the Bill provides for the establishment of a Data Protection Authority (‘DPA’), which would monitor and enforce the provisions of the Bill, take appropriate action in response to data breaches, issue directions and relevant codes of practice, and specify the circumstances in which a Data Protection Impact Assessment (‘DPIA’) is required. Chapter XI provides that a data fiduciary which contravenes the Bill’s provisions would be liable to a penalty of up to INR 50,000,000 (approx. €620,000) or 2% of its worldwide turnover, whichever is higher.
Chacko added, “The lack of a DPA, and therefore the inability to impose effective damages is a deficiency in the present law. I am hopeful that a reasonable, considered DPA will foster a culture of respect for the principles underlying the Bill. However, companies will need to incorporate significant changes in relation to how they treat data and data principals.”
The Bill also contains provisions on the appointment of a data protection officer (‘DPO’). Where a data fiduciary appoints a DPO, the DPO’s functions would include monitoring personal data processing activities, advising on DPIAs, assisting with the development of internal mechanisms, maintaining an inventory of all records and acting as the point of contact for the DPA. The Bill further provides that a DPO must be an employee of the company and must meet eligibility and qualification requirements. In addition, Chapter VII of the Bill sets out the restrictions and conditions on cross-border transfers of personal data, as well as data localisation requirements.
Chacko concluded, “I expect that financial and health information will be subject to data localisation requirements as there is already a notification requirement of the Reserve Bank of India in place on financial information processing. Given that significant data may be stored in Indian servers, we may need a more detailed mandatory data breach notification requirement and an institutional mechanism to deal with data breaches.”
Claudia Strugnell, Privacy Analyst