An Overview of Proposed Changes to India’s Personal Data Protection Bill
India’s Personal Data Protection Bill 2019 (PDPB) has been in the deliberation phase since December 11th, 2019. Two years later, on December 16th, 2021, India’s Joint Parliamentary Committee submitted its highly anticipated report to the Indian Parliament on the PDPB.
The report is expected to be the definitive statement of the specific privacy regulations that global data privacy watchdogs have been eagerly awaiting.
Timeline leading to the PDPB
2017 — The Supreme Court of India declares the right to privacy a fundamental right protected under the Indian constitution and calls for the appointment of a dedicated Data Protection Authority.
2018 — After deliberations with relevant stakeholders, the Joint Parliamentary Committee submits its initial report and draft legislation on personal data protection.
2019 — On December 11th, 2019, the Personal Data Protection Bill 2019 is tabled in the Indian Parliament by the Ministry of Electronics and Information Technology.
2020 — Revisions
2021 — The Joint Parliamentary Committee submits its report to the Indian Parliament.
Recommendations Made to the PDPB
The report submitted by the Joint Parliamentary Committee recommends the following revisions:
Timelines for Implementation (Clause 1)
Existing version — The Personal Data Protection Bill 2019 did not define any time limit to implement its provisions.
Proposed version — The revised bill states that an “approximate period of 24 months may be provided for implementation of any and all the provisions of the Act so that the data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure, processes, etc. It is recommended the data protection authority commences its work within six months, registration of data fiduciaries is done within nine months, and the appellate tribunal commences its work within 12 months from the date of notification.”
Scope of Application (Clause 2)
Existing version — The bill is titled the “Personal Data Protection Bill.”
Proposed version — The bill has been renamed from “Personal Data Protection Bill” to “Data Protection Bill.” The bill will now cover both personal and non-personal data, and the data regulator is expected to govern both personal and non-personal data. The reason given is that “it is impossible to distinguish between personal data and non-personal data when mass data is collected or transported.”
Definitions (Clause 3)
The report defines, incorporates, or revises several key terms, including:
- Consent manager,
- Data auditor,
- Data breach,
- Data fiduciary,
- Data processor,
- Data protection officer,
- Harm, and
- Non-personal data.
Processing of Personal Data Without Consent (Clauses 13 and 14)
Additions have been made to the provisions on processing non-sensitive personal data for employment purposes. The revision allows the processing of non-sensitive personal data if “such processing is necessary or can reasonably be expected by the data principal and data fiduciary.”
Processing of Personal Data of Children (Clause 16)
Existing version — The earlier version stated that the personal data of children would be processed in the “best interests of the child.”
Proposed version — The revised version states that personal data of children would be processed to “protect the rights of the child.” Data fiduciaries that solely deal with children’s data must register themselves with the Data Protection Authority.
Data fiduciaries are required to obtain the child’s consent by informing the child three months before they reach the age of majority. The data fiduciary is also required to continue providing services to the child unless the child withdraws consent.
User Rights (Clauses 17, 19, and 23)
Casualty or Death
The proposed version empowers users (data principals) to decide how their data should be handled in the event of casualty or death. Data principals can now nominate a legal heir or a trusted representative to take care of their personal information.
Under the proposed bill, trade secrets can no longer be cited as a reason for denying data portability. Data fiduciaries are also required to ensure full transparency of their processes and fairness of their mechanisms when processing personal data.
Breach Reporting (Clause 25)
The proposed bill revamps breach reporting: data breaches now include breaches of both personal and non-personal data. Data breach notification requirements have also been overhauled to be more precise and stricter on data fiduciaries.
Additionally, the bill requires organizations or data fiduciaries to issue a data breach notification within 72 hours of becoming aware of a breach. The Data Protection Authority must also enable data fiduciaries to take all urgent measures to reduce the threat posed by the breach and minimize any harm that may have been caused to the data principal.
Social Media Platforms (Clause 26)
The proposed bill treats all social media platforms, excluding intermediaries, as publishers and holds them accountable for material they host on their platform. The principle is that social media platforms can control access to all types of content posted on their platform.
The bill requires social media platforms to set up an office in India (if they have not already done so), designates a media regulatory authority to regulate content posted on the platform, and holds platforms accountable for any content posted from unverified accounts.
Data Protection Officer (Clause 30)
Previously, the appointment and responsibilities of the Data Protection Officer (DPO) were unclear. The proposed revision adds clarity regarding who can be a DPO. In the case of a government body, the DPO should be a senior-level officer of the state.
In the case of a private company, the DPO should be a key managerial person, such as the company’s chief financial officer, chief executive officer, managing director, company secretary, or a whole-time director.
Data Transfer (Clause 34)
The proposed revisions further tighten the requirements for transfers of sensitive and critical personal data. The Data Protection Authority is now required to consult the government when authorizing a contract or intra-group scheme for cross-border data transfer.
However, if the contract or intra-group scheme is against the public interest or state policy, the bill suggests that the contract or scheme authorizing the cross-border transfer should not be approved.
Additionally, unless the government of India approves, the data of a data principal may not be shared with any foreign government or agency.
Exemptions from the Regulation (Clause 35)
This clause allows government agencies and departments to be exempted from any or all provisions of the law. Because it grants such broad powers to these agencies and their departments, it drew growing criticism from committee members.
The revised version addresses this concern by requiring the exemption procedure to be a “just, fair, reasonable and proportionate procedure.”
Sandbox Environment (Clause 40)
With cybersecurity a top priority, the government of India encourages startups and a culture of innovation by introducing privacy by design through sandbox environments.
A sandbox environment would enable startups and young entrepreneurs to conduct live testing of new software, hardware, technologies, etc., while complying with global data privacy regulations from the start.
Composition of the DPA (Clause 42)
The bill requires the composition of the Data Protection Authority to be:
- Robust, and
The Data Protection Authority should also include members (no more than six) from:
- Academic fields, and
- Secretary-level officials.
The appointment of these officials will be undertaken by the government. The government will also appoint the attorney general of India as a member of the Data Protection Authority.
Testing and Certification of Hardware Devices (Clause 49)
Existing version — Currently, there is no coverage for hardware devices that collect and process the personal data of data principals.
Proposed version — The government of India is recommended to build dedicated hardware testing facilities and equip them with the relevant tools to issue formal certification of the integrity, trustworthiness, and security of hardware and software. This initiative can encourage startups and give them a competitive edge over others.
The Data Protection Authority is also empowered to ensure that commercially available devices meet the specified standards of data security set by local and international data security experts.
Additionally, mechanisms should be devised for individuals to have their devices certified. If a device fails to meet the specified data security standards, the individual can take the matter up with the Data Protection Authority, which must take action against the manufacturer.
A further proposed clause suggests that the data of Indians stored in data centers abroad should be brought back to India within a specified period. The government must also devise a comprehensive data localization policy, so that the data of Indians stays in the country.
India’s Data Protection Bill has been in the pipeline for a long time and is expected to change India’s presently outdated and ineffective data protection system.
With little to no emphasis currently placed on the protection of personal data, the Data Protection Bill, once approved, is expected to advocate for the privacy rights of Indians.
India is the world’s largest democracy, with a thriving digital ecosystem. It is only wise that the Data Protection Bill be approved as early as possible to protect individuals and promote fair and transparent use of an individual’s data for multiple purposes.
The Data Protection Bill will raise public awareness of user privacy and give individuals recognition of the value of their contribution to the digital landscape. Additionally, the bill enforces accountability for data fiduciaries and data processors, setting boundaries on the selling and excessive sharing of user data.