The Beginning of PDPB
In August 2017, a nine-judge bench of the Supreme Court of India upheld the right to privacy as a fundamental right of the citizens of India saying that, “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”
What is India Personal Data Protection Bill (PDPB)?
As Indians leave a greater digital footprint, it is vital to extend the protections of the rights of the citizens offered in the physical world to the digital world. It is with this objective that the Government of India has drafted the Personal Data Protection Bill (PDPB) of 2018. This places a responsibility on every business that collects data to take steps to secure the data that they collect.
PDPB and GDPR
Inspired by the European Union (EU) General Data Protection Regulation (GDPR), the Bill is aimed at protecting the rights of the citizens whose data is processed, or in PDPB terminology: ‘Data Principals’.
Another similarity between the PDPB and the EU GDPR is that both place a great deal of emphasis on obtaining the consent of the individual before their data is processed: in PDPB terms, the Data Fiduciary (the entity that collects personal data from a natural person and decides how it is processed) must obtain consent from the Data Principal; in EU GDPR terms, the Data Controller must obtain it from the Data Subject.
Personal Data and PDPB
The PDPB identifies a subset of personal data called sensitive personal data (for example passwords, financial data and health data) and places greater restrictions on the processing of such data, such as requiring the Data Principal to be explicitly informed of the purpose for which it will be used before consent is taken.
The Four rights to the Data Principals in PDPB
- Right to Confirmation and Access
- Right to Correction
- Right to Data Portability
- Right to be Forgotten
- Right to Confirmation and Access – Gives the Data Principal the right to inquire with the Data Fiduciary whether the Data Fiduciary has processed or is processing any personal data of the Data Principal and, if so, to obtain a brief summary of the personal data being processed and of the processing activities performed on it.
- Right to Correction – Gives the Data Principal the right to ask the Data Fiduciary to perform any of the following operations:
  - Correction of misleading or inaccurate personal data
  - Completion of incomplete personal data
  - Updating of personal data that is out of date
- Right to Data Portability – Gives the Data Principal the right to receive, in a structured, commonly used and machine-readable format, the personal data that the Data Principal provided to the Data Fiduciary, the data generated by the Data Fiduciary while providing goods or services, and any profile or similar data that the Data Fiduciary has obtained from another source. The Data Principal also has the right to have this data transferred to another Data Fiduciary.
- Right to be Forgotten – Gives the Data Principal the right to restrict or prevent continuing disclosure of personal data held by the Data Fiduciary relating to the Data Principal where the data has served the purpose for which it was collected, is no longer necessary for that purpose, or where the consent on which the processing relied has been withdrawn.
The responsibility for securing these rights of the Data Principals lies with the Data Fiduciary regarding the personal data of the Data Principal present with them.
Data Accountability in PDPB
The Indian PDPB places a great deal of emphasis on the accountability of Data Fiduciaries toward data protection: it holds the Data Fiduciary accountable for complying with all obligations placed on it by the Bill, both for processing carried out by the Data Fiduciary itself and for processing carried out on its behalf by a Data Processor.
The Bill requires the Data Fiduciary to have adequate measures for Data Governance like appointing a Data Protection Officer or a person who plays this role and sensitizing the team that handles personal data towards respecting the rights of the Data Principals.
The PDPB places restrictions on the cross-border transfer of personal data, such as requiring the Data Fiduciary to store the data on servers or in data centres located within India, or at least to keep one copy of it in India.
The Government of India from time to time shall identify data as critical data which should be stored and processed within the country and shall not be transferred outside the country unless an exemption is received from a responsible authority and/or the Government.
The PDPB also places on the Data Fiduciary the obligation to retain personal data only as long as is reasonably required for the purpose for which it is processed, unless the law requires the data to be held for a longer period.
The Bill requires the Data Fiduciary to undertake periodic reviews of the personal data in its custody and to determine whether it should still be retained.
If the data is not to be retained, the Data Fiduciary must take steps to dispose of it securely.
The PDPB places on the Data Fiduciary the responsibility of designing privacy into their processes and ensuring that privacy is offered by default to the Data Principals.
To achieve this, Data Fiduciaries will need to assess the current state of their security and privacy posture across the IT architecture, systems and applications that capture personal data, and then establish controls and safeguards, such as encryption and anonymisation of personally identifiable information, to address the risks identified by the assessment.
The PDPB also holds the Data Fiduciary responsible for reporting breaches to the Data Protection Authority of India as well as to the Data Principals whose personal data has been compromised and informing them of the nature of personal data that has been compromised. In the event of the data breach, the Data Fiduciary is responsible for identifying the consequences of the breach and taking remedial steps.
At a broad level, the introduction of the PDPB is a positive step towards protecting the personal data of Indian citizens. It does, however, place an obligation on every entity that collects personal data to protect it, and that obligation should be accepted as a cost of doing business in today’s digital world.
Companies should take steps to assess and improve their privacy and security posture as the cost of non-compliance far outweighs the cost of compliance in terms of both financial and business factors.