India: The Personal Data Protection Bill, 2018

Last Updated: 10 August 2018
Article by Trilegal.

The draft Personal Data Protection Bill seeks to introduce a data protection regime that can strike the appropriate balance between protecting the interests of individuals and the legitimate use of data by the State and private businesses.

1. Introduction

The Ministry of Electronics and Information Technology (MeitY) set up a nine-member committee of experts headed by Justice B.N. Srikrishna (Committee) in July 2017, to study issues relating to data protection in India and to draft a comprehensive data protection bill. The objective of setting up this committee was to "ensure growth of the digital economy while keeping personal data of citizens secure and protected."

Shortly thereafter, the Supreme Court of India upheld the Right to Privacy of individuals in the landmark case of Justice K.S. Puttaswamy and Anr. v. Union of India and Ors. (Judgement). The Judgement recommended that the Central Government put in place a robust regime for data protection which would take into account the interests of individuals as well as the legitimate concerns of the state, while fostering an environment for entrepreneurship which is attractive to companies across the world.

The Committee released a white paper (Paper) in November 2017 seeking public comments. Thereafter, on 27 July 2018, the Committee submitted its recommendations to the MeitY (Report) along with a Personal Data Protection Bill (Draft Bill).

This Draft Bill, if enacted in its current form, would introduce a sea change in the way data is processed in the country and require corporates and individuals that process personal data to implement certain processes in order to fulfil their obligations under this bill.

This update provides a snapshot of these compliances and is a good starting point to interpret the Draft Bill.

2. Definitions

Setting the premise for the applicability of its provisions, Section 3 of the Draft Bill lays down several important definitions.

(a) Personal Data and Sensitive Personal Data

The Draft Bill treats "personal data" (PD) and "sensitive personal data" (SPD) separately and specifies different obligations in relation to each. The definitions of these two classes of data are central to the operation of the Draft Bill.

PD is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to a feature of identity or a combination of such features. The natural person whose PD is collected is referred to as the "data principal" and the entity that determines the purpose or means of processing this data is referred to as the "data fiduciary". Data fiduciaries include the State, corporate entities and individuals. Processing is defined broadly, to encompass most operations on data including storage, adaptation, retrieval, dissemination, and erasure or destruction.

SPD is PD that reveals, is related to, or constitutes passwords, financial data, health data, official identifiers (like the PAN or the Aadhaar), sex life and sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, and any other category as may be notified by the Data Protection Authority (DPA).

(b) Financial Data

The term "financial data" is defined narrowly in the Draft Bill. Section 3(19) defines financial data as any number or other PD that is:

(a) used to identify:

(i) an account opened by a data fiduciary; or

(ii) a card or payment instrument issued by a financial institution; or

(b) PD regarding the relationship between a financial institution and a data principal, including financial status and credit status.

Notably absent are classes of data like account statements, data relating to other financial products, investment information etc.

(c) Anonymisation

"Anonymisation" is defined as an irreversible process of transforming or converting PD to a form in which the data principal cannot be identified, and meeting standards laid down by the DPA. The practical applicability of this definition is uncertain as there appears to be no process which can ensure that a data principal is irreversibly unidentifiable. Since anonymisation techniques that meet the standards set out in the Draft Bill remain unclear, it would be difficult to classify any data as anonymised data. Given that anonymised data is exempt from the requirements of the Draft Bill, the classes of data that would be exempt from the applicability of this Draft Bill remain unclear too.

Big Data processing relies on the exemption for anonymised data to obtain and process data without having to rely on any grounds for lawful processing. This uncertainty would make it difficult to design technical processes in compliance with the standards for anonymisation and would render the legality of Big Data processing uncertain.

(d) Harm

Under section 3(21) of the Draft Bill, "harm" is defined to inter alia include any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal. What constitutes an "evaluative decision" has not been clarified under the Draft Bill. However, it would likely include predictive decisions based on data-processing that determine whether a data subject should be provided with certain entitlements such as credit, employment, Government subsidies, etc.

The definition of "harm" does not make a distinction between evaluative decisions that are prejudicial to or discriminatory against the data principal and evaluative decisions that are otherwise justifiable. Hence, the mere act of denying a data principal certain goods, services, or benefits based on an evaluative decision would constitute a harm against the data principal.

While data principals can only claim compensation for a harm suffered as a result of a violation of a provision of the Draft Bill, and not for a harm per se, this may have certain unintended consequences. For instance, if the data fiduciary is unable to provide the data principal with a summary of the processing undertaken to make the evaluative decision, thereby violating the data principal's right to confirmation and access provided in section 24, then the data principal could claim compensation, even though the denial of service may be entirely justified.

Further, unlike the European Union's General Data Protection Regulation, 2018 (GDPR), the definition of "harm" under the Draft Bill extends to all types of evaluative decisions regardless of whether humans are involved or not. Such a broad definition may have a chilling effect on data-based predictive decision-making.

3. Applicability

Owing to the universal and dynamic nature of the internet, any data protection framework must necessarily address the specific types of data that it intends to cover within its ambit.

The Draft Bill applies to the processing of PD by the State and state entities, and to Indian corporate entities and Indian citizens if they are located within India. The Draft Bill also applies to the processing of any PD by entities located outside India if the PD processed is with respect to any business or activity that involves offering goods or services to individuals located in India, or the "profiling" (defined to mean any form of processing that analyses or predicts the behaviour, attributes or interests of a data principal located in India) of data principals within India. However, any such activity must specifically target Indian citizens and the provision of goods or services must not be incidental.

The Draft Bill does not apply to the processing of anonymised data.

4. Data Protection Obligations

The Draft Bill envisages a fiduciary relationship between the data fiduciary and data principal wherein the data fiduciary must act in the best interest of the data principal. In this context, the Draft Bill imposes several obligations on data fiduciaries with respect to collection and processing of PD as set out below:

(a) Fair and Reasonable Processing

The Draft Bill mandates a data fiduciary to process PD fairly and in a manner that upholds the privacy of the data principal and does not go beyond the reasonable expectations of the data principal. This obligation extends to data processors with whom the data fiduciary may have shared the PD for fulfilment of the purpose, irrespective of whether such a data processor has a direct relationship with the data principal or not.

(b) Collection and Purpose Limitation

The Draft Bill requires the data fiduciary to use PD provided by the data principal only for lawful purposes that were specified to the data principal or for incidental purposes that the data principal reasonably expects it to be used. The collection of PD must be limited to such data that is necessary for the purposes of such processing.

(c) Lawful Processing

A data fiduciary can process PD only on the grounds for lawful processing specifically provided under the Draft Bill.

(d) Notice

The data fiduciary is obliged to provide notice to the data principal no later than at the time of the collection of PD. The notice must contain inter alia (i) the various purposes for which PD is to be processed; (ii) the categories of PD being collected; (iii) the identity and contact details of the data fiduciary (including its data trust score, if applicable) and Data Protection Officer (DPO); (iv) the rights of the data principal; (v) information pertaining to sharing, cross-border transfer and retention of PD; (vi) the procedure for grievance redressal; and (vii) any other information as specified by the DPA.

Such notice must be provided to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages, if necessary. If PD is not being collected from the data principal directly, this obligation is still applicable and the data fiduciary is required to provide notice as soon as is reasonably practicable.

(e) Data Quality

The key requirements of data quality are that data should be accurate, complete and up-to-date. The data fiduciary is required to take reasonable steps to ensure that the PD being used is relevant to the purpose for which it is to be used and is not misleading. The data fiduciary is also responsible for ensuring accuracy and in case any data is inaccurate, it must correct, complete or update the data on request by the data principal. While taking reasonable steps in this regard, the data fiduciary is required to consider whether the PD is (i) likely to be used to make a decision about the data principal; (ii) likely to be disclosed to other individuals or entities; or (iii) kept in a form that distinguishes PD based on facts from opinions or personal assessments.

(f) Data storage limitation

The data fiduciary can store PD for only as long as is reasonably necessary to satisfy the purpose for which it was initially collected or is being processed. However, PD may be retained for a longer period provided such retention is mandated or necessary to comply with any obligation under applicable law.

Additionally, to avoid any breach of data, the data fiduciary is required to periodically review the PD it possesses and determine whether it is necessary to retain such PD. Once the purpose for which PD is collected and processed is achieved and such PD is not necessary to be retained, the data fiduciary is required to delete the PD.

(g) Accountability

With the objective of ensuring transparency throughout the life cycle of the processing of PD, data fiduciaries are made accountable to the data principal and must be able to demonstrate compliance with the provisions of the Draft Bill.

5. Grounds for Processing Personal and Sensitive Personal Data

Under the Draft Bill, consent is not the only ground under which PD or SPD may be processed. PD or SPD may only be processed if any one of the grounds, as detailed below, are satisfied:

(a) Consent

Consent needs to be obtained no later than at the commencement of the processing. It must be free, informed, specific, clear and capable of being withdrawn as easily as it is given. If consent is withdrawn, the data principal will have to bear any legal consequence for the effect of such withdrawal.

For the processing of SPD, consent must additionally have the following attributes: (i) informed, such that the attention of the data principal is drawn to the purposes or processing operations that could have significant consequences for the data principal; (ii) clear, such that it is meaningful without recourse to inference from conduct; and (iii) specific, such that the data principal is given the choice to separately consent to the purpose, the operations in, and the use of different categories of SPD relevant to the processing.

(b) For compliance with law or any order of any court or tribunal

PD and SPD can be processed if it is explicitly mandated under any law made by Parliament or any State legislature, or to comply with any order or judgement of any court or tribunal in India.

(c) Prompt action

PD and SPD can be processed (i) to respond to any medical emergency involving a threat to life or a severe threat to the health of a person; (ii) to provide medical treatment or health services to individuals during an outbreak of an epidemic or disease, or any other threat to public health; and (iii) to take any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or breakdown of public order.

(d) Employment

PD may be processed by an employer for recruitment or termination of employment of a data principal, provision of any service to, or benefit sought by, the data principal, verifying the data principal's attendance, or any other activity relating to the assessment of the performance of the data principal.

This ground, however, may be used only where processing based on consent is not appropriate given the relationship with the data principal, or where obtaining consent would involve a disproportionate effort on the part of the data fiduciary.

(e) Reasonable purposes

The DPA may specify reasonable purposes for collection of PD in relation to activities such as prevention and detection of any unlawful activity including fraud, whistle blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, and processing of publicly available PD.

6. Personal and Sensitive Personal Data of Children

The Draft Bill requires data fiduciaries that process PD of a child to act in a manner that protects and advances the best interests of the child. A "child" is defined as a data principal under 18 years of age.

Data fiduciaries must incorporate mechanisms for age verification and parental consent to process children's PD. Data fiduciaries who operate commercial websites or online services directed at children, or process large volumes of children's PD, may be notified by the DPA as "guardian data fiduciaries". Guardian data fiduciaries are prohibited from profiling, tracking, behavioural monitoring, or targeted advertising directed at children, or undertaking other processing that may cause significant harm to children. However, where guardian data fiduciaries exclusively provide counselling or child protection services to children, parental consent is not required.

Any form of processing that may entail a risk of significant harm to a child is prohibited. The explicit language of the provision on the best interests of the child indicates a positive obligation on data fiduciaries to process data for the benefit of the child. By way of precaution, entities processing children's PD would do well to be transparent about the purpose for which the data is being used and what the risks and safeguards are, and to explicitly provide for withdrawal of consent. Even with respect to products aimed at adults, if there is a likelihood that children may use them, appropriate safeguards must be taken to deter children from providing PD.

7. Data Principal Rights

Under the Draft Bill, a data principal has the following rights with respect to a data fiduciary:

(a) The Right to Confirmation and Access

A data principal has the right to request a data fiduciary to confirm if it is processing or has processed his PD. The data principal can also request the data fiduciary for a brief summary of the PD being processed or that has been processed, including a summary of processing activities undertaken with respect to the PD. The data fiduciary has a duty to provide all such information to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

(b) The Right to Correction

The data principal has been granted the right to compel a data fiduciary processing his PD: (i) to correct inaccurate or misleading PD; (ii) to complete any incomplete PD; and (iii) to update PD that is out of date.

When a data fiduciary makes such a change, it must also take reasonable steps to notify the change to all relevant entities or individuals to whom the PD has been disclosed, particularly where such change would have an impact on the rights and interests of the data principal or on decisions made regarding the data principal. Adequate justification must be provided to the data principal in writing if the request is rejected. The data principal then has the option to require the data fiduciary to take reasonable steps to indicate, alongside the relevant PD, that the same is disputed.

(c) The Right to Data Portability

The Draft Bill grants a data principal the right to receive his PD in a structured, commonly used and machine-readable format. This relates not only to data which has been provided to the data fiduciary, but also data that is generated in the course of providing goods or services by the data fiduciary or which forms part of any profile, or which the data fiduciary has otherwise obtained.

A data principal also has the right to have such data transferred to any other data fiduciary. This right is however not available where compliance with such request would reveal a trade secret of the transferor data fiduciary or would not be technically feasible.

(d) The Right to be Forgotten

A data principal has the right to restrict or prevent continued disclosure of PD by a data fiduciary, where such disclosure (i) has served the purpose for which it was made or is no longer necessary, (ii) was made on the basis of consent under section 12 and such consent has since been withdrawn, or (iii) was made contrary to the provisions of this Draft Bill or any other law made by Parliament or any State Legislature.

However, for this restriction to apply, an Adjudicating Officer must first determine that one of the above three conditions is satisfied, and also that the rights and interests of the data principal in preventing or restricting the continued disclosure override the right to freedom of speech and expression and the right to information of any citizen.

Other than the right to be forgotten, the above-mentioned rights may only be exercised upon a request made in writing to the data fiduciary, with reasonable information to satisfy the data fiduciary of the identity of the data principal making the request. A reasonable fee may be charged except in specific cases. If a data fiduciary refuses any such request, the data fiduciary must provide the data principal with the reasons for such refusal and inform the data principal that he has the right to file a complaint with the Authority against the refusal, within such period and in such manner as may be specified. However, a data fiduciary need not comply with a request where compliance would harm the rights of another data principal.

8. Transparency and Accountability Measures

(a) Privacy by Design

The Draft Bill provides for the implementation of organizational measures that engender trust in a data fiduciary, with the objective to ensure that PD is processed lawfully, fairly and reasonably. Such measures aim at setting up an accountability framework under the Draft Bill, and these organizational measures constitute "privacy by design". Key among these are:

(i) designing business practices and technical systems to anticipate, identify and avoid harm to a data principal.

(ii) embedding obligations regarding grounds of processing PD in the organisational and business practices of the data fiduciary.

(iii) protecting privacy at all stages of processing of PD till deletion.

(iv) processing PD in a transparent manner.

(v) considering the interest of a data principal at every stage of processing.

(b) Transparency and Security Safeguards

Section 30 of the Draft Bill details the level of transparency that a data fiduciary will have to maintain regarding its practices for processing PD. A data fiduciary must make available, in an easily accessible form, information such as, (i) the categories of PD collected, (ii) the purpose and manner of such collection, (iii) the existence and procedure for exercise of the rights of a data principal, (iv) the existence of the right to file complaints to the DPA, and (v) information regarding cross-border transfers of PD. There is a further obligation on a data fiduciary to notify a data principal of important operations in the processing of PD periodically.

Every data fiduciary as well as data processor is required by Section 31 to implement security safeguards, including: (i) the use of de-identification and encryption; (ii) measures to protect the integrity of PD; and (iii) measures to prevent misuse, unauthorized access to, modification, disclosure or destruction of PD. These safeguards must be implemented taking into account the nature and scope of processing, the risks associated, and the likelihood of harm that may be caused to the data principal and must be reviewed periodically.

(c) Personal Data Breach

Section 32 (1) mandates a data fiduciary to notify the DPA (as soon as possible and no later than the period specified by the DPA) of any PD breach that is likely to cause harm to any data principal. Such notification must include particulars of the nature of the PD breached, the number of data principals affected, consequences of the breach and measures being taken to remedy it.

The DPA will determine as to whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of harm to the data principal and whether some action is required from the data principal to mitigate such harm. The DPA may also direct the data fiduciary to publish the details of the breach on its website and additionally may also post such details on its own website.

(d) Third party processing of personal data

A data fiduciary may engage a data processor to process PD on its behalf only through a valid contract. Further, the processing may not be sub-contracted by a data processor without the authorization of the data fiduciary, contractually or otherwise. In addition, such processing must be done only in accordance with the instructions of the data fiduciary unless otherwise prescribed by law.

(e) Significant data fiduciaries

Considering the volume of personal data processed, sensitivity of such data, annual turnover of the data fiduciary, the risk of harm from any processing undertaken by the data fiduciary, use of new technologies, and any other factor that may be relevant in causing harm to any data principal as a result of such processing, the DPA is required to notify certain data fiduciaries (or classes of data fiduciaries) as "significant data fiduciaries".

Significant data fiduciaries are required to register themselves with the DPA. Generally, significant data fiduciaries will be subject to heightened organizational measures as well as higher compliance standards. Notably, these are:

(i) Data Protection Impact Assessment

If a data fiduciary intends to undertake any data processing involving new technologies or large-scale profiling, or use of SPD, or any other processing that may pose a risk of significant harm to a data principal, it must first undertake a Data Protection Impact Assessment (DPIA). Owing to the ambiguity of what amounts to "new technology", it is currently uncertain as to when the requirement to obtain a DPIA is triggered for a significant data fiduciary. For entities that operate in high technology fields, this will potentially apply to most forms of processing that they undertake.

The DPIA is required to contain: (i) a detailed description of the proposed processing including the purpose and nature of the data processed; (ii) assessment of potential harm to data principals; and (iii) measures for managing and mitigating such risk of harm.

Upon completion of the DPIA, the DPO appointed by the data fiduciary is required to review the DPIA and submit the same to the DPA. The DPA may then (if it believes that the processing may cause harm to data principals) direct the data fiduciary to cease such processing or may prescribe conditions to such processing.

(ii) Record Keeping and Audits

A data fiduciary is required to maintain records (in the form specified by the DPA) of: (i) important operations in the data life cycle, (ii) periodic review of security safeguards; (iii) DPIAs; and (iv) any other aspect as specified by the DPA.

The DPA is required to specify the form and manner of conducting audits and will register persons as data auditors. The auditor may assign a rating in the form of a data trust score, the criteria for which will be given by the DPA. The DPA may also in its discretion order an audit to be conducted, when it is of a view that an act of processing may cause harm to a data principal, and may appoint an auditor in this regard.

(iii) Data Protection Officer (DPO)

Every data fiduciary must appoint a DPO to carry out functions such as:

- advising the data fiduciary on compliance with the Draft Bill.

- monitoring processing activities to ensure such processing does not violate the act.

- providing advice on DPIAs and Privacy by Design.

- acting as a point of contact between the DPA and the data fiduciary.

- acting as a point of contact between a data principal and the data fiduciary.

- maintaining an inventory of all records.

A data fiduciary who is not present in India is required to appoint a DPO based in India. This would apply to overseas businesses that operate completely over the internet in India but do not maintain a presence in India. The intent seems to be to identify an individual that can assume the responsibility for the activities of the data fiduciary in India, much like the resident director requirement in India.

9. Data Localisation and Cross Border Transfers of Data

The Draft Bill includes extensive provisions on the localisation of data and the way cross border transfers of data can take place.

(a) Data Localisation

One of the most prominent requirements under the Draft Bill (Section 40) is the obligation to store one "serving" copy of all data to which the Draft Bill applies in India. Setting aside for the moment the significant practical difficulties that this requirement poses, the exact scope of this requirement is unclear.

While from a plain reading of the provision it may presumably be interpreted as a requirement to store a live copy of the data that the Draft Bill applies to, very little other interpretative assistance is available. The intention appears to be that data fiduciaries mirror all data that they process (in any form) anywhere in the world, and to which the Draft Bill applies, in India. This would therefore also include all metadata, data stored in a transient form and other such kinds of data as well, for the duration for which they are processed, anywhere in the world. If we adopt this interpretation, the practical implications of this are far reaching.

While the Report does acknowledge the fact that the monetary costs to undertake data localisation may be significant, it goes on to record that the submissions made to the Committee have been indicative of the fact that the benefits outweigh the monetary costs. The Report however does not acknowledge other indirect costs involved with respect to public infrastructure and India's readiness to adopt such a requirement.

Further, Section 40 of the Draft Bill empowers the Central Government to notify certain categories of personal data as "critical personal data" that may be processed only in servers in India. This would effectively imply that these classes of data are only to be stored or processed in India at all times and cannot be transferred out of the country, except in certain limited circumstances such as provision of health services or as notified by the Central Government. At present, there is no indication as to what data may be notified as critical personal data.

(b) Cross Border Transfers of Data

Where PD (not being critical personal data that is SPD) is required to be transferred outside the country, a data fiduciary may only transfer such data if any of the following conditions are met:

(i) if the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the DPA. These are contractual safeguards that could potentially govern the safeguards implemented for these data transfers and would ensure that they are standard and robust.

(ii) if the transfers are to a country, a sector in a country or to an international organisation that the Central Government in consultation with the DPA deems permitted. Such adequacy determinations are notably carried out by regulators under the European GDPR. The factors involved in making such determination under the Draft Bill would include applicable laws in the transferee jurisdiction, international agreements and the enforcement climate in the relevant jurisdiction.

(iii) in a situation of necessity as approved by the DPA.

(iv) in addition to conditions (i) and (ii) above, if the consent of the data principal is obtained for the transfer of PD or the explicit consent of the data principal has been obtained for the transfer of SPD.

Owing to the similarity of these provisions to those in the GDPR, most multinational corporations would already be compliant with these conditions in their data transfer arrangements and this provision would involve very little additional compliance burdens on these corporations.

10. Exemptions

The Draft Bill sets out the following exemptions to the processing of PD: (i) security of the State; (ii) prevention, detection, investigation and prosecution of contravention of law; (iii) legal proceedings; (iv) research, archiving or statistical purposes; (v) personal or domestic purposes; (vi) journalistic purposes; and (vii) manual processing by small entities.

To elaborate on exemptions (iv) to (vii):

(a) Research, Archiving, Statistical Purpose

The Draft Bill allows the DPA to specify different categories of research, archiving or statistical purposes and exclude the applicability of the Bill to such categories, other than the requirements to process the data in a fair and reasonable manner and to carry out a DPIA and implement security standards.

However, the exemption will be available only if (i) compliance with the Draft Bill will disproportionately divert resources from the purpose of processing, (ii) the purpose cannot be achieved if the PD is anonymised, (iii) where the purpose can be achieved with de-identified data, the de-identification is in accordance with specified standard, (iv) the PD will not be used to take any decision specific to or action directed specifically towards a data principal, and (v) PD will not be processed in a manner that gives rise to a risk of significant harm to the data principal.

The Committee has expressly considered the impact of processing limitations on big data analysis in the context of the research exemption in its report. The Committee's views suggest that the DPA may exempt the applicability of provisions relating to consent and notice, purpose specification and the data principal's right to access, confirmation and correction in respect of processing of PD on a large scale.

(b) Personal or Domestic Purposes

The Draft Bill provides that a natural person processing PD for purely personal or domestic purposes, will not be subject to the substantive data protection requirements under the Draft Bill, except for the requirement to process data in a fair and reasonable manner. However, if the processing involves disclosure to the public or is undertaken in connection with any professional or commercial activity, then the provisions of the Draft Bill will apply.

(c) Journalistic Purposes

Where the processing of PD is necessary for or relevant to a journalistic purpose, the substantive data protection requirements under the Draft Bill will not be applicable to such processing, other than the requirement to process data in a fair and reasonable manner.

Journalistic purpose has been defined to mean any activity intended towards the dissemination of factual reports, analysis, opinions, views or documentaries regarding news, recent or current events, or any other information which the data fiduciary believes to have public interest. Further, the exemption will be available only if it can be demonstrated that the processing complies with the code of ethics issued by the Press Council of India or any self-regulatory media organisation.

(d) Manual Processing

Small entities are defined as data fiduciaries who: (i) do not have a turnover in excess of INR 2 Million (unless a lower threshold is notified by the Central Government), (ii) do not collect personal data for the purpose of disclosure to any other persons, and (iii) have processed the personal data of not more than 100 data principals in any one day in the preceding calendar year.

The Draft Bill excludes small entities from the following: (i) the requirement to provide notice for collection of PD, (ii) the obligation to ensure quality of data, (iii) the limitations on storage of PD, (iv) the obligation to provide a summary of processing activities to data principals, (v) the requirement to facilitate a data principal's right to data portability and the right to be forgotten, and (vi) the obligations regarding privacy by design, transparency, security safeguards, personal data breach notification, data protection impact assessment, maintenance of records, data audits, data protection officer and grievance redressal. Further, such data fiduciaries will not be subject to classification as significant data fiduciaries.

11. Data Protection Authority

The Draft Bill establishes a DPA to serve as the regulatory and enforcement body. The DPA has been vested with wide-ranging powers to (i) provide guidelines and directions on the applicability of several provisions of the Draft Bill, (ii) ensure consistency of data protection regulations across ministries, regulators and legislations, and (iii) monitor and enforce compliance with the provisions of the Draft Bill by various stakeholders.

In performing these functions, the DPA would have the powers of a civil court with respect to discovery, summons and inspection.

A few notable functions of the DPA are:

(a) Codes of Practice

While the Draft Bill itself specifies the substantive obligations that would apply to the handling of data, the specifics of these obligations are to be detailed under what is termed in the Draft Bill as "Codes of Practice", which will be issued by the DPA.

These Codes of Practice would relate to issues such as form of notices, retention periods, grounds for processing, method for exercise of rights by data principals, specific measures or standards for security and safeguards for personal data, cross border data transfers, personal data breaches, data protection impact assessments, processing of de-identified data for research, archiving or statistical purposes etc.

Codes of Practice would be applicable either generally or to a particular industry or sector. The DPA would have to issue these Codes of Practice in consultation with the relevant stakeholders including the regulators, the industry and the public. The DPA would also be authorised to approve Codes of Practice submitted by an industry or trade association.

Considering that the Draft Bill deals only with the substantive provisions, and that the majority of the compliance obligations under the Draft Bill would be covered under the Codes of Practice, which would then operate as sectoral privacy regulations, it is advisable to engage with the DPA in the formulation of these Codes to ensure that the interests of the industry are also adequately protected.

(b) Inquiry and Investigation

The DPA can conduct an inquiry when it has reasonable grounds to believe that a data fiduciary or processor is either contravening its obligations under the Draft Bill or carrying out activities detrimental to the interest of data principals. For this purpose, the DPA may appoint an Inquiry Officer. Inquiry Officers have broad powers to investigate and examine the records and personnel of any data fiduciary or processor under the Draft Bill.

Further, the DPA may authorise an officer (Authorised Officer) to exercise the search and seizure powers provided under the Draft Bill on the grounds that a data fiduciary or processor may tamper with or fail to produce records that it has been directed to produce, or may contravene any provisions of the Draft Bill. The search and seizure powers of an Authorised Officer are very broad and allow the officer to access and seize all property of the person being inspected and to examine any person who is in possession or control of any material. An Authorised Officer may also enlist the assistance of police officers or officers of the central government for this purpose.

Upon the conclusion of an inquiry, the DPA is authorised to issue warnings, reprimands and directions to the concerned data fiduciary or processor. The directions issued by the DPA may require the data fiduciary or processor to modify its business, cease and desist from certain activities, or temporarily suspend or close down an aspect of its business. If a data fiduciary or processor is aggrieved by an order of the DPA, it may appeal before the Appellate Tribunal set up under the Draft Bill.

12. Offences, Compensation, Penalties and Remedies

The Draft Bill prescribes several offences, including, among others, the offence of knowingly, intentionally or recklessly re-identifying PD that has been de-identified by a data fiduciary or a data processor, without the consent of that data fiduciary or data processor.

Depending on the specific offence in question, the punishment for an offence is imprisonment of a term which may extend up to 3 years or a fine which may extend up to INR 300,000 or both. Offences prescribed under this Draft Bill are cognisable and non-bailable - a sure indication that the Committee intends that these offences be treated with a high degree of severity.

The Draft Bill also specifies strict penalties for the contravention of its provisions. These penalties are prescribed in two brackets, the higher of which extends up to INR 150 million or 4% of the total worldwide turnover of the data fiduciary for the previous financial year, depending on the nature of the offence. Notably, significant data fiduciaries may be subject to a penalty up to INR 50 million or 2% of their total worldwide turnover, whichever is higher, for breaching their obligations mentioned in paragraph 8(e) above.

Data principals who have suffered harm due to violations by a data fiduciary or data processor are entitled to seek compensation from them in the manner prescribed. A data processor will only be held liable to pay compensation if it has acted outside or contrary to the instructions of the data fiduciary, or if it is found to have acted in a negligent manner, or if it has not incorporated adequate security safeguards, or if it has violated any provisions of the Draft Bill.

All issues pertaining to the imposition of penalties or compensation will be decided by an Adjudicating Officer of the DPA.

13. Miscellaneous

(a) Power to exempt certain data processors

The Draft Bill allows the central government to exempt a data processor incorporated in India from the application of the Draft Bill or any of its provisions, where it processes PD of data principals outside the territory of India pursuant to a contract entered with a person outside India.

The Report contemplates the inclusion of such a clause to ensure that Indian entities carrying out business process outsourcing involving PD of only foreign nationals may continue to function smoothly without being subject to the Draft Bill.

(b) Bar on processing certain forms of biometric data

The Draft Bill prohibits a data fiduciary from processing any biometric data which has been notified by the central government as being subject to such restriction. However, such processing may be carried out if the data fiduciary is specifically permitted by law.

While it is presently unclear as to what kind of biometric data will be notified under this section, it seems likely that entities may face some restrictions on use of specific forms of biometric data, such as fingerprints, iris scans, facial recognition, etc. This has the potential to affect a wide variety of activities from biometric verification systems for employees to device access.

14. The Road Ahead

Owing to the breadth of the recommendations in the Report and the sweeping effects that the Draft Bill may potentially have, the MeitY has announced that it intends to have a wide parliamentary consultation process on the Draft Bill before it is passed by Parliament and enacted into law.

The Draft Bill is also proposed to be implemented in a phased manner and may be 'notified' on any date in the 12 months following its enactment. During this 12-month period the DPA will be formulating the Codes of Practice.

The Draft Bill when enacted will usher in a new data privacy regime requiring corporates to re-examine their privacy practices with respect to processing of PD in India. However, since many compliances may come from the Codes of Practice, the full impact of the Draft Bill will have to be assessed upon their release.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
