The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same.
After the tough European GDPR privacy protection standards, the Indian version, called the Personal Data Protection Bill 2019, is set to be passed soon. Controversy has surrounded this bill since its inception, and the current bill has been modified significantly from its initial draft.
The term ‘data fiduciaries’ will have to enter everyone’s lexicon. It basically means those that are legally responsible for handling and processing user/customer data.
Here are some of the points that might directly impact online businesses and website owners. Please note that this list is by no means exhaustive, and everyone in the data management business should read the bill properly. *
Prohibition of processing of personal data - Clause 4 seeks to prohibit processing of personal data without any specific, clear and lawful purpose.
Online businesses must have a valid and verifiable purpose for collecting the information. This means that we have to be very careful about what information we collect on our sites and how we plan to use it. If queried, proper justification must be given.
Restriction on retention of personal data - Clause 9 of the Draft Bill prescribes that the data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary gets consent from the data principal.
This means that the period for which data may be held, and what it can be used for, has narrowed significantly. Companies have to be wary of carrying personal data beyond the immediate requirement. If the data is to be stored for longer periods, then customer consent is essential. Online businesses will have to create systems to get periodic consent from their customers.
Grounds for processing of personal data without consent in certain cases - Clause 12 of the Draft Bill lists out certain cases which provide for processing of personal data without consent.
The term ‘certain cases’ refers to medical emergencies, State requirements and legal proceedings. Most data collected by businesses will not fall under these particular cases, so care has to be taken to ensure that processing without consent is not done.
Processing of personal data for other reasonable purposes - Clause 14 seeks to provide for other reasonable purposes for which personal data may be processed. One such newly introduced purpose is the operation of search engines. This is a new insertion and was not present in the previous bill.
Again, ‘reasonable’ can have many different interpretations. It is best to err on the side of caution when making decisions regarding the processing of personal data.
Right to correction and erasure - As part of chapter V on the Rights of Data Principal, under Clause 18, the data principal has been provided the right to erasure of personal data which is no longer necessary for the purpose for which it was processed. This has been added in the Draft Bill over and above the other data principal rights, such as the right to correction of inaccurate data, completion of incomplete personal data and right to updating of personal data that is out of date.
It will be incumbent on the businesses to provide mechanisms for customers to update their data when it is inaccurate or outdated. Customers will also have to be given a mechanism to request removal of their data if they are no longer using your services or products.
Privacy by design policy - Clause 22 seeks to list out the constituents of privacy by design policy. Privacy by Design is a framework encouraging the proactive embedding of privacy into the design specifications of information technologies, network infrastructure and business practices, thereby achieving the strongest privacy protections possible.
Resources on ‘Privacy by design policy’ are abundant and can be researched and implemented.
Ref. https://en.wikipedia.org/wiki/Privacy_by_design
Transparency in processing of personal data - Clause 23 seeks to bring in transparency in the processing of personal data by requiring the fiduciary to inform the data principal and make information available. This clause introduces a new term, ‘consent manager’, which is defined as a data fiduciary through which a data principal can give, withdraw, review and manage his/her consent through an accessible platform.
Data protection officer (DPO) - Clause 40 of the Draft Bill states that every significant data fiduciary shall appoint a data protection officer possessing such qualifications and experience as may be specified by the regulations, for carrying out certain functions.
Each business will have to appoint someone to oversee and supervise the data privacy system and ensure compliance. This will be applicable to larger companies with significant data responsibilities, as per the classification of data fiduciaries.
Prohibition on processing of sensitive personal data and critical personal data outside India - Clause 33 seeks to prohibit processing of sensitive personal data and critical personal data outside India.
Those dealing with foreign entities will have to be careful that Indian data is not transferred outside of India without consent. Such data must also be stored on Indian servers. Certain personal data notified as critical personal data by the government can only be processed in India.
The raft of privacy protection legislation the world over has emerged after the very cavalier attitude of many large companies towards customer data and privacy. Profiteering and greed have exposed personal data to unscrupulous marketing agencies which in turn have sold it to others. This has forced various governments to step in and enforce strict laws with severe penalties.
In the short term it will be a major challenge for businesses to get into compliance, and a great opportunity for software companies to create compliance systems. In the long term it will benefit everyone by reducing risk and increasing trust through respect for customer privacy.
* References
http://prsindia.org/billtrack/personal-data-protection-bill-2019