India’s Personal Data Protection Act 2019
In 2017, the Supreme Court of India declared the right to privacy as a fundamental right protected under the Indian Constitution. It also recommended that the Indian Central Government put in place a data protection regime that considers the interests of individuals as well as the legitimate concerns of the state while promoting an environment for entrepreneurship and innovation.
India’s Personal Data Protection Bill was introduced in 2019, and called the Personal Data Protection Act 2019. The main objectives were to:
- Provide for protection of the privacy of individuals relating to their personal data
- Specify the flow and usage of personal data
- Create a relationship of trust between persons and entities processing the personal data
- Protect the rights of individuals whose personal data are processed
- Create a framework for organizational and technical measures in the processing of data
- Establish norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, and remedies for unauthorized and harmful processing
- Establish a Data Protection Authority (DPA) of India
Key Recommendations in the 2021 Report
After two years of deliberations, the Joint Parliamentary Committee submitted a report to the Indian Parliament in December 2021 on the Personal Data Protection Bill 2019 with the following recommendations:
Timeline for Implementation
Data fiduciaries and processors have approximately 24 months to comply with the provisions.
The processing of non-sensitive personal data for the purposes of employment includes scenarios where “such processing is necessary or can reasonably be expected by the data principal.” Legitimate interest is now explicitly called out as a basis of processing personal data if “the processing is necessary for reasonable purposes as may be specified by regulations,” balancing the interests of both the data principal and data fiduciary.
Personal Data of Minors
Data fiduciaries exclusively dealing with children’s data must register with the DPA, and inform the child three months before the child attains the age of majority, so they may choose to provide consent again.
Data Subjects/Users Rights
Data subjects/users may nominate a legal heir or representative that will decide what needs to be done with their data in case of death or other casualty.
Several key definitions have been defined, consolidated or revised, including “consent manager,” “data auditor,” “data breach,” “data fiduciary,” “data processor,” “data protection officer,” “harm” and “non-personal data.”
A breach may include both personal and non-personal information. Breach reporting requirements are more specific and stringent. A breach must be reported within 72 hours. The DPA can direct the data fiduciary to adopt any urgent measures to remedy such a breach or mitigate any harm caused to the data principal.
Trade secrets are no longer viable grounds and reason to deny data portability. It can only be denied on the grounds of technical feasibility.
Social Media Platforms
All social media platforms (that do not act as intermediaries) should be treated as ‘publishers’ and held accountable for the content they host. Social media platforms will be held accountable for content from unverified accounts. The new law also requires social media platforms to set up an office in India.
Any agency under the government may be exempt from any or all provisions of the law.
Refers to data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
Processing in relation to personal data means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction
Organizations must fulfill legal obligations. Organizations must document their decision to rely on this lawful basis and ensure they can justify their reasoning.
A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Specifically it means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
Sensitive Personal Data
Personal data which may reveal, be related to, or constitute financial data, health data, official identifier, sex life or orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliatio, or any other data categorized as sensitive personal data under section 15.
Only necessary personal data should be collected for a valid reason. The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing.
Integrity of Data
The data fiduciary shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed.
Sections 12, 13 and 14 state that personal data can be processed without consent if necessary for activities of the State, Court or Tribunal in India, medical emergency, safety of individuals and data fiduciary.
Fair and Lawful Processing Practices
The Act requires that every person processing personal data of a data principal (data subject) shall process such personal data:
- In a fair and reasonable manner and ensure the privacy of the data principal
- For the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected.
The processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India
The processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law
The processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is:
- In connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India
- In connection with any activity
The Act Does Not Apply to:
- The processing of anonymised data, other than the anonymised data referred to in section 91.
The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.