In 2017, the Supreme Court of India declared the right to privacy as a fundamental right protected under the Indian Constitution. It also recommended that the Indian Central Government put in place a data protection regime that considers the interests of individuals as well as the legitimate concerns of the state while promoting an environment for entrepreneurship and innovation.
India’s Personal Data Protection Bill was introduced in 2019 and called the Personal Data Protection Act 2019. The main objectives were to:
After two years of deliberations, the Joint Parliamentary Committee submitted a report to the Indian Parliament in December 2021 on the Personal Data Protection Bill 2019 with the following recommendations:
Data fiduciaries and processors have approximately 24 months to comply with provisions.
The processing of non-sensitive personal data for the purposes of employment includes scenarios where "such processing is necessary or can reasonably be expected by the data principal." Legitimate interest is now explicitly called out as a basis of processing personal data if “the processing is necessary for reasonable purposes as may be specified by regulations,” balancing the interests of both the data principal and data fiduciary.
Data fiduciaries exclusively dealing with children's data must register with the DPA, and inform the child three months before the child attains the age of majority, so they may choose to provide consent again.
Data subjects/users may nominate a legal heir or representative that will decide what needs to be done with their data in case of death or other casualty.
Several key definitions have been defined, consolidated or revised, including “consent manager,” “data auditor,” “data breach,” “data fiduciary,” “data processor,” “data protection officer,” “harm” and “non-personal data.”
A breach may include both personal and non-personal information. Breach reporting requirements are more specific and stringent. A breach must be reported within 72 hours. The DPA can direct the data fiduciary to adopt any urgent measures to remedy such a breach or mitigate any harm caused to the data principal.
Trade secrets are no longer valid grounds for denying data portability; it can only be denied on the grounds of technical feasibility.
All social media platforms (that do not act as intermediaries) should be treated as ‘publishers’ and held accountable for the content they host. Social media platforms will be held accountable for content from unverified accounts. The new law also requires social media platforms to set up an office in India.
Any agency under the government may be exempt from any or all provisions of the law.
Refers to data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
Processing in relation to personal data means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Specifically, it means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
Personal data which may reveal, be related to, or constitute financial data, health data, official identifier, sex life or orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, or any other data categorized as sensitive personal data under section 15.
Only necessary personal data should be collected for a valid reason. The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing.
The data fiduciary shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed.
Sections 12, 13 and 14 state that personal data can be processed without consent if necessary for activities of the State, Court or Tribunal in India, medical emergency, safety of individuals and data fiduciary.
The Act requires that every person processing personal data of a data principal (data subject) shall process such personal data:
The processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India
The processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law
The processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is: