Understanding The New India Personal Data Protection Laws And Implications

Understanding The New India Data Protection Laws And Their Implications For Businesses

India is set to introduce new data protection laws that will impact businesses in the country. The Personal Data Protection Bill of 2019 is a bill to regulate the use, processing, and storage of personal data in India. The Bill has been inspired by the European Union’s General Data Protection Regulation (GDPR) and aims to provide Indian citizens with greater control over their data. This article will explore the new Indian data protection laws and their implications for businesses.

An Overview of the Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 is landmark legislation introduced by the Indian government to regulate the collection, processing, and storage of personal data in India. The Bill was modeled after the European Union’s General Data Protection Regulation (GDPR) and aims to safeguard individuals’ privacy by setting out a framework for data protection and privacy in India.

The Bill defines personal data as any information relating to a natural person who can be identified, directly or indirectly, including but not limited to name, address, email address, phone number, financial information, health information, and biometric data. The Bill also includes provisions for sensitive personal data, such as information about a person’s religion, caste, political affiliation, sexual orientation, and genetic data.

The Personal Data Protection Bill 2019 applies to both Indian and foreign entities that collect, process, or store the personal data of individuals in India. This means that businesses operating in India, whether domestic or foreign, will have to comply with the provisions of the Bill.

The Bill also establishes a data protection authority, the Data Protection Authority of India (DPAI), to regulate data protection and oversee the implementation of the provisions of the Bill. The DPAI will have the power to investigate violations of the Bill, issue guidelines and codes of practice, and impose penalties for non-compliance.

In summary, the Personal Data Protection Bill 2019 is a comprehensive legislation that aims to protect the privacy of individuals and regulate the collection, processing, and storage of personal data in India. The Bill applies to Indian and foreign entities and establishes a data protection authority to oversee its implementation.

Why Was The Bill Withdrawn?

In 2018, a panel led by retired Supreme Court judge, Justice Srikrishna, drafted a data protection Bill for India. The Joint Committee of Parliament (JCP) reviewed the draft and proposed 81 amendments and 12 recommendations for a comprehensive legal framework on the digital ecosystem. However, the Bill was withdrawn due to a need for a more comprehensive legal framework, according to Union IT Minister Ashwini Vaishnaw. A new Bill is being developed to address this. The original Bill was criticized by startups for being too compliance-intensive. Government sources have stated that the new Bill will be easier to comply with, particularly for startups.

Personal Data Protection Bill 2022, Compliance Requirements

Under the Personal Data Protection Bill 2019, businesses must comply with specific requirements to legally collect, process, and store personal data. These requirements include:

Requirements for Personal Data Protection under the Bill
– Specifying the purpose for which personal data is being collected and ensuring that it is used only for that purpose
– Limiting the collection of personal data to what is necessary for the stated purpose
– Providing individuals with notice of the collection and use of their data
– Providing individuals with the right to access, correct, or delete their data
– Ensuring that personal data is not shared with third parties without obtaining the individual’s explicit consent
– Not retaining personal data for longer than necessary for the stated purpose

Businesses that fail to comply with these requirements may face fines and imprisonment.

Appropriate Measures to Protect Personal Data

The Personal Data Protection Bill 2019 requires businesses to take appropriate measures to protect personal data from unauthorized access, disclosure, or destruction. This includes implementing technical and organizational measures to ensure the security and confidentiality of personal data. Businesses must also conduct regular audits and risk assessments to identify and address potential security vulnerabilities.

Obtaining Consent from Individuals

The Bill mandates that businesses obtain the individual’s consent before collecting, processing, or storing their data. Consent must be obtained clearly and unambiguously, and the individual must be informed of the purpose for which their personal data is being collected. Businesses must also give individuals the right to withdraw their consent.

Ensuring Secure Collection, Processing, and Storage of Personal Data

The Personal Data Protection Bill 2019 requires businesses to ensure that personal data is collected, processed, and stored securely. This includes implementing technical and organizational measures to protect personal data against unauthorized access, disclosure, or destruction. Businesses must also ensure that personal data is not transferred outside of India without the individual’s explicit consent or the approval of the DPAI.

In summary, the Personal Data Protection Bill 2019 places several compliance requirements on businesses in India to collect, process, and store personal data lawfully. Companies must take appropriate measures to protect personal data and obtain consent from individuals before collecting their personal data. Businesses must also ensure that personal data is collected, processed, and stored securely.

Cross-Border Data Transfer

The Bill requires that any transfer of personal data outside of India be subject to the individual’s explicit consent or the approval of the Data Protection Authority of India (DPAI). This ensures that personal data is kept from jurisdictions with weaker data protection laws.

Data Protection Officer

Businesses that process a large amount of personal data or are engaged in sensitive personal data processing must appoint a Data Protection Officer (DPO). The DPO is responsible for ensuring compliance with the Personal Data Protection Bill 2019 and acts as a point of contact between the business and the DPAI.

Penalties for Non-Compliance

The Personal Data Protection Bill 2019 imposes significant penalties and fines for non-compliance, including fines of up to 4% of the business’s global turnover or INR 150 crore (whichever is higher). The Bill also includes provisions for imprisonment for certain offenses.

Implications for Businesses

| Implication | Explanation |
| --- | --- |
| Appointment of a Data Protection Officer (DPO) | Businesses will be required to appoint a DPO who will be responsible for ensuring compliance with the provisions of the Bill. The DPO will be the primary point of contact for individuals and the Data Protection Authority. |
| Consent requirements | Businesses will need to obtain explicit and informed consent from individuals before collecting, processing or transferring their personal data. Consent must be freely given, specific and informed, and individuals have the right to withdraw their consent at any time. |
| Data subject rights | The Bill grants individuals several rights over their personal data, such as the right to access, correct, erase, restrict or object to the processing of their data. Businesses must be prepared to fulfill these requests in a timely manner. |
| Data localization | The Bill requires businesses to store a copy of all personal data collected or processed in India, unless an exemption is granted. This will require businesses to make significant changes to their data storage and processing systems. |
| Data breach notification | Businesses will be required to report any data breach to the Data Protection Authority and affected individuals within a specified time frame. Failure to report a breach can result in significant fines and penalties. |
| Data protection impact assessment (DPIA) | Businesses must conduct a DPIA before undertaking any processing activities that pose a high risk to the privacy of individuals. The DPIA will identify potential risks and provide recommendations to mitigate them. |
| Cross-border data transfer | Businesses must obtain explicit consent from individuals before transferring their personal data outside of India. Additionally, businesses must ensure that the recipient country provides a level of protection that is comparable to India’s data protection laws. |

Steps Businesses Should Take to Comply with the Personal Data Protection Bill, 2022

  • Conduct a Data Audit: Businesses should conduct a thorough data audit to understand what personal data they collect, process, and store and where it is stored. This will help businesses identify risk areas and ensure they comply with the Bill’s requirements.
  • Implement Appropriate Security Measures: Businesses should implement appropriate security measures and steps to protect personal data from unauthorized access, disclosure, or destruction. This may include encryption, access controls, and regular security audits.
  • Obtain Consent from Individuals: Businesses should obtain explicit consent from individuals for collecting, processing, and storing their personal data. This consent should be freely given, specific, and informed.
  • Appoint a Data Protection Officer: Businesses that process a large amount of personal data or engage in sensitive personal data processing should appoint a Data Protection Officer to ensure compliance with the Personal Data Protection Bill, 2019 and act as a point of contact between the business and the DPAI.
  • Develop Policies and Procedures: Businesses should develop and implement policies and procedures for collecting, processing and storing personal data. These policies should be reviewed regularly and updated to ensure compliance with the Personal Data Protection Bill 2019.
  • Conduct Employee Training: Businesses should provide regular training on the importance of data protection and the requirements of the Personal Data Protection Bill, 2019. This will help employees understand their responsibilities and comply with the Bill’s provisions.
  • Implement a Data Breach Response Plan: Businesses should develop and implement a data breach response plan to ensure that they can respond quickly and effectively during a data breach. This may include identifying and containing the breach, notifying individuals whose data has been compromised, and reporting the violation to the DPAI.

Journey of the Draft Bills

| Stage of Journey | Description |
| --- | --- |
| Establishment of Justice Srikrishna panel | In 2017, a panel led by Justice Srikrishna was established following a Supreme Court verdict that recognized privacy as a fundamental right and directed the government to create a data protection framework. The panel released a white paper that year, outlining its areas of focus. |
| Submission of draft Bill to Ministry of Electronics and IT | In July 2018, the committee submitted a draft data protection Bill to the Ministry of Electronics and IT. However, the ministry decided to draft a fresh Bill, drawing from the ideas presented in the Srikrishna Committee’s draft. |
| Referral of Bill to Joint Committee of Parliament | The Bill was referred to the Joint Committee of Parliament (JCP) in December 2019. The committee, led by BJP’s Meenakshi Lekhi at the time, conducted a clause-by-clause analysis of the Bill and requested extensions for presenting its report in September 2020 and March 2021. |
| Change in JCP leadership and extension | In July 2021, BJP MP PP Chaudhary replaced Lekhi as the chairperson of the JCP, and the committee received another extension to submit its report. |
| Tabled report in Parliament | Finally, in December 2021, the JCP tabled its report in Parliament, which Justice Srikrishna criticized as being heavily in favor of the government. He expressed concerns that the Bill could lead to an Orwellian state in India. |

Conclusion

India’s new digital data protection laws represent a significant shift in how personal data is regulated. Businesses operating in India must comply with the law, including implementing appropriate data protection measures and providing individuals with greater control over their data. Failure to comply with the existing law can result in significant penalties, and businesses should take steps to ensure that they comply.

What is the Personal Data Protection Bill 2019?

The Personal Data Protection Bill of 2019 is a proposed law in India that regulates personal data processing, storage, and transfer. It aims to give individuals greater control over their data and establish a framework for protecting personal data.

To whom does the Personal Data Protection Bill 2019 apply?

The Personal Data Protection Bill 2019 applies to Indian and foreign entities that process personal data in India. It applies to all organizations, including government agencies, non-profits, and private companies.

What is considered personal data under the Personal Data Protection Bill, 2019?

Personal data is defined broadly under the Personal Data Protection Bill, 2019 and includes any data that relates to an individual who can be identified from that data, either directly or indirectly.

What are the compliance requirements under the Personal Data Protection Bill 2019?

The Personal Data Protection Bill 2019 requires businesses to implement appropriate security measures to protect personal data, obtain explicit consent from individuals for collecting, processing, and storing their personal data, and appoint a Data Protection Officer to ensure compliance with the law. Businesses must also develop and implement policies and procedures for collecting, processing, and storing personal data and provide regular training to employees on data protection.

What are the implications of non-compliance with the Personal Data Protection Bill 2019?

Non-compliance with the Personal Data Protection Bill 2019 may result in significant penalties, including fines and imprisonment. Businesses may also suffer reputational damage and loss of customer trust in the event of a data breach.
