Personal Data Protection Bill: The Responsibilities Companies Face In Collecting And Processing Data

(This is first in the series of BloombergQuint’s coverage on Personal Data Protection Bill, 2019.)

India has released a copy of its first data protection law, Personal Data Protection Bill, 2019, which aims at protecting the privacy of personal data of individuals and lays down guidelines for processing of data by the state, company or any such individuals referred to as Data Fiduciary in the bill.

The bill is based on the draft law submitted by a committee headed by Justice BN Sri Krishna last year and is likely to be introduced in the current session of the Parliament.

The bill lays down obligations and accountability standards for such data fiduciaries, which include:

Inform Users About Data Collection

The proposed law bars the collection of data by anyone without a “specific, clear and lawful purpose”. Data fiduciaries processing user data will have to ensure that it’s done only for purposes consented by the users after they have been supplied with relevant information to take a decision on granting consent.

Section 7 of the bill lays down information which must be provided to the users before their consent is sought for the collection and processing of their data. Some of the information that must be supplied to the users includes:

• Purposes for which the personal data is to be processed.
• Nature and categories of personal data being collected.
• The right of the users to withdraw consent, and the procedure for such withdrawal, if the personal data is intended to be processed based on consent.
• The source of such collection, if the personal data isn’t collected from the individual.
• The individuals or entities, including other data fiduciaries or data processors, with whom such personal data may be shared.
• Information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out.
• The procedure for grievance redressal.
• The existence of a right to file complaints to the authority.

The data fiduciaries must ensure that they ask users only for data which is required for achieving the purpose that they have conveyed to them. Once the stated purpose for collection of data has expired, companies will have to delete the user data.

Consent Of Users Mandatory

Section 11 of the Personal Data Protection Bill mandates that the consent of users must be sought by companies seeking to use their personal data.

The bill lays down conditions which will have to be mandatory fulfilled for user consent to be considered valid under the law. The consent by a user will considered valid only when it’s free, informed (based on information supplied to him/her under Section 7), specific, clear and capable of being withdrawn.

The consent requirements are stricter for using sensitive data of an individual which includes data relating to their finances, health, official, sexual orientation, sex life, biometric, genetic, caste etc.

In such cases, consent of the users (data principal) can be obtained only:

• After informing them the purpose of, or operation in, processing which is likely to cause significant harm.
• In clear terms without recourse to inference from conduct in a context.
• After giving him the choice of separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.

During A Data Breach…

Every organisation which is processing user data will have to inform the Data Protection Authority of India when any breach of personal data takes place, and which may result in harm to the users whose data has been breached.

The companies will have to tell the authority the nature of such a breach, the number of people affected by it, possible consequences and the action taken by them to rectify the situation.

Depending on the severity of the harm, the data authority has been tasked with deciding that whether the news of data breach should be conveyed to the user who is affected or direct the companies to take action to mitigate the harm from the data breach.

Data Protection Officer

Every company/authority which is processing personal data must appoint a data protection officer based in India who will be considered as their representative in the country. This officer must ensure that his/her organisation is fulfilling its obligations mandated by the bill.

The Data Protection Officer will also be the point person for redressing the grievance of users whose data is being processed. Any complaint which comes in front of the data protection officer must be solved within 30 days of it being filed. If a user isn’t satisfied with the resolution of his/her complaint, they may approach the Data Protection Authority to file a complaint.

The Union Cabinet approved the draft of the bill at a meeting on Dec. 6. The bill is likely to be introduced in the Parliament in the ongoing session, which ends on Dec. 13. The exact date for the introduction of the bill in the Lok Sabha isn’t yet known.