India’s Personal Data Protection Act 2019

In 2017, the Supreme Court of India declared the right to privacy as a fundamental right protected under the Indian Constitution. It also recommended that the Indian Central Government put in place a data protection regime that considers the interests of individuals as well as the legitimate concerns of the state while promoting an environment for entrepreneurship and innovation.

India’s Personal Data Protection Bill was introduced in 2019, and called the Personal Data Protection Act 2019. The main objectives were to:

  • Dot Provide for protection of the privacy of individuals relating to their personal data
  • Dot Specify the flow and usage of personal data
  • Dot Create a relationship of trust between persons and entities processing the personal data
  • Dot Protect the rights of individuals whose personal data are processed
  • Dot Create a framework for organizational and technical measures in processing of data
  • Dot Establish norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, and remedies for unauthorized and harmful processing
  • Dot Establish a Data Protection Authority (DPA) of India
img1

Key Recommendations in the 2021 Report

After two years of deliberations, the Joint Parliamentary Committee submitted a report to the Indian Parliament in December 2021 on the Personal Data Protection Bill 2019 with the following recommendations:

Timeline for Implementation

Timeline for Implementation

Data fiduciaries and processors have approximately 24 months to comply with provisions.

About Consent

About Consent

The processing of non-sensitive personal data for the purposes of employment includes scenarios where "such processing is necessary or can reasonably be expected by the data principal." Legitimate interest is now explicitly called out as a basis of processing personal data if “the processing is necessary for reasonable purposes as may be specified by regulations,” balancing the interests of both the data principal and data fiduciary.

Sensitive Personal Data

Personal Data of Minors

Data fiduciaries exclusively dealing with children's data must register with the DPA, and inform the child three months before the child attains the age of majority, so they may choose to provide consent again.

Data Subjects/Users Rights

Data Subjects/Users Rights

Data subjects/users may nominate a legal heir or representative that will decide what needs to be done with their data in case of death or other casualty.

Definitions

Definitions

Several key definitions have been defined, consolidated or revised, including “consent manager,” “data auditor,” “data breach,” “data fiduciary,” “data processor,” “data protection officer,” “harm” and “non-personal data.”

About Breach

About Breach

A breach may include both personal and non-personal information. Breach reporting requirements are more specific and stringent. A breach must be reported within 72 hours. The DPA can direct the data fiduciary to adopt any urgent measures to remedy such a breach or mitigate any harm caused to the data principal.

Data Portability

Data Portability

Trade secrets are no longer viable grounds and reason to deny data portability. It can only be denied on the grounds of technical feasibility.

Social Media Platforms

Social Media Platforms

All social media platforms (that do not act as intermediaries) should be treated as ‘publishers’ and held accountable for the content they host. Social media platforms will be held accountable for content from unverified accounts. The new law also requires social media platforms to set up an office in India.

About Exemptions

About Exemptions

Any agency under the government may be exempt from any or all provisions of the law.

Key Definitions

Personal Data

Personal Data

Refers to data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

Processing

Processing

Processing in relation to personal data means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction

Sensitive Personal Data

Data Fiduciary

A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Specifically it means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

Data Fiduciary

Sensitive Personal Data

Personal data which may reveal, be related to, or constitute financial data, health data, official identifier, sex life or orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliatio, or any other data categorized as sensitive personal data under section 15.

Key Principles

Data Minimization

Data Minimization

Only necessary personal data should be collected for a valid reason. The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing.

Integrity of Data

Integrity of Data

The data fiduciary shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed.

Consent

Consent

Sections 12, 13 and 14 state that personal data can be processed without consent if necessary for activities of the State, Court or Tribunal in India, medical emergency, safety of individuals and data fiduciary.

img18

Fair and Lawful Processing Practices

The Act requires that every person processing personal data of a data principal (data subject) shall process such personal data:

  • Dot In a fair and reasonable manner and ensure the privacy of the data principal
  • Dot For the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected.

Scope

check

The processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India

check

The processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law

check

The processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is:

  • Dot In connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India
  • Dot In connection with any activity

The Act Does Not Apply to:

  • Dot The processing of anonymised data, other than the anonymised data referred to in section 91.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

See Loyalty in Action

Be inspired with endless ways to make every customer interaction rewarding.

GET A DEMO

We Can Help

Let's explore how loyalty can help you become one of your customers' most beloved brands.

CONTACT US

©2021 All Rights Reserved. AnnexCloud