Before analyzing the obligations brought forward by the Digital Personal Data Protection Bill 2022, let's understand the history of India's data privacy law landscape.
In December 2019, India introduced the Personal Data Protection Bill (“PDPB 2019”), following the example of many other significant data privacy laws being introduced worldwide. India was one of the first countries in the South Asian region to introduce such a bill, and it inspired other countries in the region to work towards developing their own privacy regimes.
PDPB 2019 aimed to reform India's legal system and establish standards for cross-border transfers, the accountability of entities processing personal data, and remedies for unauthorized and harmful personal data processing.
PDPB 2019 faced significant criticism, especially regarding the regulation of social media platforms and its data localization requirements, which raised concerns about potential violations of the fundamental rights of Indian citizens and about making it harder for businesses and platforms to operate in India. Therefore, significant amendments were proposed in 2021 that aimed to clarify and rework the criticized provisions.
The Data Protection Bill 2021 (“DPB 2021”) made key revisions to the previous bill, including extending its scope to cover non-personal data in addition to personal data and imposing strict guidelines for reporting data breaches. DPB 2021 was expected to be passed and become an official part of India's legislation as the Data Protection Act 2021.
However, the bill was withdrawn altogether by the Indian government in August 2022 - after three years of discussion and 90 sittings - because it failed to meet international standards and upcoming challenges. Since the much-awaited DPB 2021 was withdrawn, all eyes have been on the Indian government and Parliament for an update on the new bill.
On 18 November 2022, the Indian Government released a draft of the Digital Personal Data Protection Bill 2022 (“DPDP Bill”), which is open for public comments and consultations until 02 January 2023. Once passed, this Bill will be called the Digital Personal Data Protection Act 2022.
The DPDP Bill's objective is to provide standards for handling digital personal data in a way that respects both people's rights to privacy protection and the need to handle personal data legally. It outlines the duty of data fiduciaries (data handlers/controllers), the rights of the principals (data subjects), and the consequences of non-compliance.
The DPDP Bill applies to the processing of digital personal data in India, whether the data is collected online or collected offline and then digitized. The DPDP Bill does not apply to non-automated processing of personal data, offline personal data, or processing for personal or domestic purposes. In addition, personal data about an individual contained in a record that has existed for at least 100 years also falls outside the purview of the DPDP Bill.
As far as territorial scope is concerned, the DPDP Bill applies extraterritorially: it covers processing of digital personal data outside India if that processing is in connection with any profiling of, or activity of offering goods or services to, data principals within India.
The DPDP Bill does not apply to the following types of processing:
The DPDP Bill prescribes that the Central Government of India may exempt certain data fiduciaries, or classes of data fiduciaries, from the applicability of certain provisions of the DPDP Bill based on the volume and nature of the personal data they process. Section 18 of the DPDP Bill provides a list of specific exemptions.
According to DPDP Bill, person means any of the following entities:
The DPDP Bill refers to data controllers as “Data Fiduciaries.” A data fiduciary is any person, or group of persons, that determines the purposes and means of processing the personal data of individuals.
“Data Principals” are essentially data subjects: the individuals to whom the personal data relates or belongs. If a data principal is a child (an individual under the age of 18 years), then the parents or lawful guardian of that child act as the data principal.
Personal data pertains to any information or data regarding an individual who becomes identifiable by virtue of that information.
A Consent Manager is a data fiduciary that provides an open, transparent, and interoperable platform enabling the data principal to give, manage, review, and withdraw her consent. Consent Managers will be registered with the Data Protection Board of India and will be accountable to the data principals.
Any data fiduciary or class of data fiduciaries may be designated by the Central Government as a “Significant Data Fiduciary” after taking into account the volume and sensitivity of personal data processed, risk of harm to the data principal or electoral democracy, impact on national sovereignty and security, and public order.
Board means the Data Protection Board of India established by the Central Government for the purposes of the DPDP Bill.
Digital personal data may only be processed for a lawful purpose for which the data principal has given, or is deemed to have given, his/her consent. A lawful purpose means any purpose that is not specifically and explicitly prohibited by law.
The processing of digital personal data must be carried out in accordance with the requirements laid down in the DPDP Bill and any other applicable Rules or Regulations that may be enacted under it.
The DPDP Bill requires consent to be freely given, explicit, informed, and unequivocal, clearly indicating the data principal's agreement to the processing of her/his personal data for the specified purpose. Whenever a data fiduciary requests the data principal's consent, the request must be made in clear, plain language and include the contact information of a data protection officer or another designated focal person. That person will be responsible for responding to any queries and concerns of the data principal regarding the exercise of their rights under the DPDP Bill.
Moreover, the data fiduciary must provide the data principal with the option of viewing the consent request in either English or any of the other languages listed in the Eighth Schedule of the Indian Constitution.
The data principal can withdraw their consent at any time and will be responsible for bearing the consequences of such withdrawal. The data principal can give, manage, review, or withdraw her consent to the data fiduciary via a Consent Manager.
Consent Managers will be interoperable platforms required to be registered with the Data Protection Board of India. The Consent Manager will be accountable to the data principal.
The DPDP Bill provides for situations where the data principal is deemed to have given consent to the processing of his/her personal data if such processing is necessary. These include:
A data fiduciary must provide a data principal with an itemized notice, in clear and plain language, on or before asking for the data principal's consent. The notice must describe the personal data the data fiduciary plans to collect as well as its intended use. The data fiduciary must also give the data principal an option to access this information.
A data fiduciary must put in place the necessary organizational and technical safeguards to ensure compliance with the DPDP Bill. Each data fiduciary and data processor is required to take reasonable security precautions to secure any personal data that is in their possession or under their control to prevent any breach of the personal data of the data principal. In case of a data breach, the data fiduciary or data processor must inform the Board and each affected data principal.
Every data fiduciary is required to publish, in the way that may be prescribed under the DPDP Bill, the business contact information of a Data Protection Officer (DPO) or of a person who may respond to the data principal's inquiries about the processing of their personal data.
A data fiduciary may engage, appoint, use, or otherwise involve a data processor to process personal data on its behalf only where the data principal's consent has been obtained and the arrangement between the data processor and the data fiduciary is governed by a valid contract.
Such a data processor may in turn engage, appoint, use, or otherwise involve another data processor to process personal data under a valid contract only if this is permitted under its agreement with the data fiduciary.
Before processing any personal data of a child, the data fiduciary must first obtain verifiable consent from the child's parent or lawful guardian. The data fiduciary must not process personal data in any way that is likely to cause harm to a child. Moreover, the data fiduciary is not allowed to track children, monitor their behavior, or target them with advertising.
Any data fiduciary or class of data fiduciaries may be designated by the Central Government of India as a “Significant Data Fiduciary” based on an assessment of factors such as:
A Significant Data Fiduciary is required to appoint a DPO who is based in India and represents the Significant Data Fiduciary. It must also appoint an independent data auditor to assess whether the Significant Data Fiduciary complies with the DPDP Bill's requirements, and it must implement additional safeguards, such as conducting Data Protection Impact Assessments (DPIAs) and periodic audits.
The DPDP Bill does not expressly prohibit cross-border data transfers or prescribe any specific compliance requirements (such as complying with standard contractual clauses, conducting transfer impact assessments, etc.) for the transfer of personal data outside India.
However, the Central Government of India may specify the nations or territories outside of India to which a data fiduciary may transmit personal data under the terms and conditions it deems appropriate.
The data subjects, or data principals, as they're referred to under India’s DPDP Bill 2022, have the following rights:
The data principal has the right to obtain information from the data fiduciary. This includes confirmation of whether the data fiduciary is processing, or has processed, the data principal's personal data; a summary of the personal data being or having been processed; the identities of all data fiduciaries with whom the personal data has been shared; and the categories of personal data shared.
A data principal shall have the right to correction and erasure of their personal data. Upon receiving a request for such correction of the personal data from a data principal, a data fiduciary is required to correct any inaccuracies, complete any incomplete information and update a data principal's personal data in the systems accordingly.
In addition, unless retention is mandated by law, the data fiduciary is expected to delete any personal information that is no longer needed for the original reason it was obtained and processed.
A data principal has the right to lodge a grievance with a data fiduciary. If the data fiduciary's response to a grievance is unsatisfactory, or if no response is received within seven days (or such shorter period as may be prescribed), the data principal may file a complaint with the Data Protection Board in the prescribed manner.
In the event of the data principal's death or incapacity, the data principal shall have the right to choose another person in the manner that may be prescribed to act on the data principal's behalf in accordance with the provisions of this Act.
A data principal is required to abide by all other laws whilst exercising any rights under the DPDP Bill. The DPDP Bill also prohibits data principals from registering any false or frivolous grievance or complaint with a data fiduciary or the Board or furnishing any false particulars or suppressing any material information, or impersonating another person.
It is the duty of the data principal to furnish verifiably authentic information whilst exercising the right to correction or erasure under the DPDP Bill.
To implement the provisions of the DPDP Bill, the regulatory authority will be the Data Protection Board of India. The Board will be responsible for ensuring compliance and imposing penalties in case of any violation of the DPDP Bill. The Board may also direct data fiduciaries to adopt any urgent measures - in the event of a data breach - to remedy such personal data breach or mitigate any harm caused to data principals.
Under the DPDP Bill, a data fiduciary or data processor that fails to take reasonable security safeguards to prevent a personal data breach would be liable to a fine of up to 2,500,000,000 Indian Rupees (Rs. 250 crore). In addition, failure to notify the Board and the affected data principals of a data breach, and non-fulfillment of any obligation relating to the processing of children's data, would each attract a fine of up to 2,000,000,000 Indian Rupees (Rs. 200 crore).
If a data principal fails to comply with his/her duties, he/she will be liable to a fine of 10,000 Indian Rupees. In any case, a financial penalty imposed would not exceed Rs. 500 crore per instance, and the person would be given a fair opportunity to respond.
A few steps that organizations can take to put the DPDP Bill into practice:
India's Digital Personal Data Protection Bill 2022 is a welcome endeavor in the legislative privacy landscape, especially in light of recent technological advancements and the need for a comprehensive data privacy framework in India.
In the modern digital economy, it is past time for businesses to acknowledge data privacy as a human right, not just a consumer right, and to make sure their data processing procedures comply with all applicable data privacy requirements.
To operationalize compliance and avoid falling behind in a constantly evolving technology and data privacy landscape, businesses must use robotic automation to expedite compliance. Securiti uses the PrivacyOps architecture to provide end-to-end business automation, combining reliability, intelligence, and simplicity.
Securiti can assist you in complying with India's Digital Personal Data Protection Bill 2022 and other privacy and security standards worldwide.
Examine how it functions. Request a demo right now.