Personal Data Protection in India: An Overview

25 May 2020

Why is Data important for business?

Data is becoming increasingly important in the current business landscape. Regulators, policy makers and business houses alike are concerned with how privacy and data security impact the economy. According to a 2016 report by McKinsey, all types of data flows acting together have raised world GDP by 10.1 percent over what would have resulted in a world without any cross-border flows of data. The importance and utility of data is no longer limited to the information technology sector. Data has become an empowering tool for business leaders across industries. By using data effectively, a company is able to establish more meaningful correlations, and hence is able to provide targeted services to appropriate customers. Such insights further refine any business strategy and offer immense potential for a successful business.

Why is Data Privacy Important?

In recent times, businesses are paying more attention to how their data is collected, stored, processed, and distributed. Specific caution is required when collecting data from a wide range of consumers and distributing it to a third party, even with the express consent of the consumer.

When data is not protected by a firm, and adequate measures are not taken at the time of information distribution, a firm can find itself facing a data security breach. A data security breach is legally defined as a subset of situations where there is evidence of unauthorized acquisition of or access to certain types of sensitive personal information that trigger a legal obligation of an organization to investigate the situation and to notify consumers, regulators or business partners. Such acquisition by an unauthorized party creates the possibility that a consumer may be harmed by the distribution or usage of this data.

What are the objectives of the Personal Data Protection Bill, 2019 (PDP Bill)?

When the ‘Right to Privacy’ was recognized as a fundamental right under the Constitution of India by the Hon’ble Supreme Court of India, it was noted that legislation is required to protect the informational privacy of persons in India. Such legislation would necessarily have to strike a balance between individual interests and the legitimate concerns of the state, as well as those of organizations that seek to use data for providing digital services.

Keeping in mind the outline provided by the Hon’ble Supreme Court of India, the PDP Bill seeks to provide a legislative mechanism where:

  • Individuals, referred to as ‘Data Principals’, are empowered with a bundle of rights. These rights enable Data Principals to exercise control over the manner in which their personal data may be processed by any entity (even the State); such entities are referred to as ‘Data Fiduciaries’
  • Obligations are prescribed for Data Fiduciaries to regulate the manner in which personal data is processed by them
  • A new regulatory mechanism is sought to be established to oversee the implementation of the obligations under the Bill
  • Heavy fiscal penalties are prescribed for data

What is considered as Personal Data under the PDP Bill?

Personal data is any information, online or offline, that can be used directly or indirectly to identify an individual. Such information may relate to any characteristic, trait, attribute or any other feature of the identity of a natural person, and also includes a combination of such features.

Besides such information, personal data also includes any inference drawn from such data for the purpose of profiling. The inclusion of ‘inferences drawn from profiling’ is a deviation from how personal data is defined and understood in international regulations such as the EU GDPR. This deviation, which further expands the scope of personal data, may have severe implications for the manner in which the rights and obligations under the Bill would be enforced and managed.

Who is a Data Fiduciary and what are its obligations?

A Data Fiduciary is any person who, alone or in conjunction with another person, determines the means of processing of personal data. In other words, a Data Fiduciary controls and dictates the manner in which the personal data is to be processed.

A Data Fiduciary, thus, retains decisional control over the processing of personal data. Processing is a widely defined term under the PDP Bill and includes all activities performed on personal data from the point of collection to the point of destruction.

It is also pertinent to note that a Data Fiduciary need not be a single entity. Two or more entities who collectively exercise decisional control over the processing of personal data would be Joint Data Fiduciaries, and hence would be subject to the obligations defined in the Bill.

It is not necessary for a Data Fiduciary to be located in India. Any entity processing personal data for providing goods and services within the territory of India, or carrying out profiling of persons in India, would be a Data Fiduciary under the PDP Bill. This, in effect, gives the legislation extra-territorial reach.

What are the rights of a Data Principal?

The PDP Bill creates a bundle of rights for the Data Principal. These rights are complemented by the obligations of the Data Fiduciary under the Bill. The various rights of a Data Principal, and the obligations of a Data Fiduciary when such rights are exercised, are as follows:

  • Right to confirmation and access
  • Right to correction and erasure
  • Right to data portability
  • Right to be forgotten

Who is a Data Processor? What are its liabilities?

A Data Processor is any person, including the State, who processes personal data on behalf of a Data Fiduciary. To put it plainly, a Data Processor is any person who is granted access to personal data by the Data Fiduciary for some or all of the processing. In certain situations, the data processing may be carried out by the Data Fiduciary itself, in which case the Data Fiduciary is a Data Processor as well. The PDP Bill mandates that the relationship between the Data Fiduciary and the Data Processor be governed by a contract which requires the Data Processor to:

  • Control the appointment of any third party to handle any part of the processing in relation to the personal data
  • Perform only such tasks as determined by the Data Fiduciary and process personal data as per the instructions provided by the Data Fiduciary
  • Treat personal data provided by the Data Fiduciary in a confidential manner