20 January 2020
India's Personal Data Protection Bill (PDPB) is currently in draft form and set to be tabled in Parliament.
The PDPB looks set to be one of the strictest and most comprehensive data privacy laws in the world. In fact, it's stricter in some areas than the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Protection Act (CCPA).
The PDPB will impose obligations on practically all businesses operating in India. It will require you to reassess all of your company's data processing practices, policies, and safeguards.
To help you prepare for the passing of the PDPB, we've created a summary of the law's most important sections, including practical guidance on how to adapt to India's new privacy regime.
First, let's define some of the important terms used in the PDPB.
"Personal data" is information that relates to a living individual and could be used to identify them. Personal data can include:
The PDPB defines personal data broadly, much like the GDPR and some more recent US privacy laws, such as the CCPA.
The PDPB uses the term "processing." Processing personal data means doing something with it, for example, storing, receiving, or transmitting it.
For more information, see our articles What is Personal Information? and What Activities Count as Processing Under the GDPR?
The PDPB provides distinct rules for processing "sensitive personal data," which includes the following:
The Data Protection Authority can also specify additional types of sensitive personal data.
A similar distinction exists in the GDPR. See our article on Sensitive Personal Data and the GDPR for more information.
A "data principal" is a living individual to whom personal data relates. Under the GDPR, this is a "data subject." Under US privacy law, this is a "consumer."
Every living individual is a data principal in respect of their own personal data.
A "data fiduciary" is a person, business, or other organization that decides why and how to process personal data.
Generally, a data fiduciary:
For example, Amazon is a data fiduciary. It needs to collect its customers' personal data to make sales and deliver products. Amazon is responsible for handling this personal data with care.
The concept of a data fiduciary is similar to the data controller under the GDPR.
A "data processor" is any person who processes personal data on behalf of a data fiduciary, but is not the data fiduciary's employee.
For example, email marketing company MailChimp is a data processor. MailChimp processes personal data because other companies - data fiduciaries - ask it to do so. It must handle this personal data with care, but the data fiduciaries have greater responsibility for it.
The PDPB establishes the Data Protection Authority of India. The Data Protection Authority is an independent public body whose responsibilities include:
Before we look at your obligations under the PDPB, let's address some Frequently Asked Questions about the nature of the Bill.
Yes, the PDPB applies to non-Indian companies based outside of India.
If your company has no presence in India, the PDPB still applies if:
Your company might "offer goods and services" to individuals in India if any of the following applies:
"Profiling" is any activity that "analyzes or predicts" an individual's "behavior, attributes or interests."
Personalized advertising is a common example of profiling. Personalized advertising uses web cookies to track the websites an individual visits. You can then serve them personalized ads based on this information.
So, if you operate a website that uses personalized advertising, and it's accessible in India, you must comply with the PDPB. This could apply even if you don't actively seek Indian customers.
The system of penalties under the PDPB is very similar to the system of penalties under the GDPR.
Serious violations of the PDPB are punishable by a maximum penalty of the greater of:
The PDPB also contains a set of criminal offenses that are punishable by imprisonment. These include unlawfully obtaining or selling personal data, and re-identifying personal data that has been de-identified.
The PDPB contains some limited exemptions for small entities (including businesses) engaged in "manual processing." Manual processing is data processing that is not performed on a computer or other automated device.
The PDPB defines a small entity as one which:
Small entities are exempt from the following parts of the PDPB:
This exemption is unlikely to apply to your business if, for example, you:
The PDPB provides seven data protection obligations that apply to all data fiduciaries.
The data protection obligations must underpin all processing of personal data (unless an exemption applies). They are similar to the principles of data protection under the GDPR.
The seven data protection obligations are:
Let's take a detailed look at each of these data protection obligations.
You must process personal data in a way that is:
Consider people's reasonable expectations at all times. If you feel they would be surprised to learn about how you're using their personal data, you should reassess your approach.
You may only process personal data for clear, specific, and lawful reasons. You must generally only process personal data for the specific reason for which you collected it.
You can sometimes process personal data for a further reason other than the reason for which you collected it. However, this must be in line with the data principals' reasonable expectations, considering the context in which you collected their personal data.
You must not collect personal data unless you need it for a specific purpose.
You may only process personal data in accordance with the PDPB's grounds for processing. There is also a separate set of grounds for processing sensitive personal data.
You must provide the data principal with clear and transparent notice about how and why you wish to process their personal data.
This notice must include information about the following:
You must provide this information when you collect personal data from the data principal. If you received the personal data from a third party, you must provide this information to the data principal as soon as possible.
You must take reasonable steps to ensure that the personal data you process is of good quality. This includes ensuring that the personal data is:
You may need to take particular care to ensure that the personal data you keep is of good quality if:
If you share personal data with another person and subsequently discover that it was of poor quality, you may need to take steps to notify the recipient.
You must not keep personal data for longer than you need it.
There are some exceptions to this rule. For example, you must retain certain types of personal data to comply with the law.
You must regularly review the personal data in your possession to determine whether you need it.
You must ensure that you only process personal data in accordance with the data processing obligations. You must be able to demonstrate your compliance with these obligations.
You're also responsible for ensuring that any data processors you employ comply with the data processing obligations.
The PDPB provides six grounds for processing personal data. As a data fiduciary, you must not process personal data without grounds to do so (unless an exemption applies).
This means that for each act of data processing you engage in, you must consider whether you have grounds for processing.
The grounds for processing personal data under the PDPB are a similar concept to the lawful bases for processing under the GDPR.
The six grounds for processing personal data are:
You must not process sensitive personal data on the grounds of "employment purposes" or "reasonable purposes."
Let's take a detailed look at each of these grounds for processing personal data.
You may be able to process someone's personal data if you have their consent.
Under the PDPB, consent is only valid if it is:
You cannot force a person to consent to the processing of their personal data. This means that you cannot deny a person access to goods or services if they refuse to consent, unless you need to process their personal data in a specific way in order to provide your goods or services.
You must keep records of consent.
Unlike under certain other privacy laws, such as the CCPA, you can't rely on "opt-out" or "implied" consent under the PDPB.
Consent under the PDPB is quite similar to consent under the GDPR.
The Indian Parliament and any Indian State Legislature can process personal data if it is necessary to do so to carry out any of their functions.
Other people can also process personal data to carry out the functions of the Parliament and State Legislature, in order to:
You may process personal data if:
Certain types of medical or public emergency are grounds for processing personal data. These include:
Employers may process the personal data of their employees and potential employees in certain circumstances, including:
You may also process personal data for "reasonable purposes." To determine what's reasonable, you must consider:
This is similar to the test for legitimate interests under the GDPR.
Data principals have certain rights over their personal data. If you've processed someone's personal data, you're legally obliged to facilitate their data principal rights. This doesn't only apply to your customers or users, but anyone whose personal data you've processed.
The data principal rights are:
You must comply with requests made under "the right to confirmation and access" and the "right to correction" for free. You may charge a reasonable fee for meeting requests made under the other rights.
The PDPB doesn't provide a set period for complying with a request. The Data Protection Authority will decide this once the Bill becomes law.
Let's take a look at how you can meet your obligations under these rights.
You must provide the following clear and concise information to any data principal who requests it:
This is similar to the Subject Access Request process under the GDPR.
You must correct, complete, or update personal data on request from the data principal.
You may refuse a request if you disagree that personal data is inaccurate, incomplete, or outdated. You must provide written justification for your decision. The data principal may then request that you display a notice alongside the personal data that discloses their disagreement.
You may have already shared inaccurate, incomplete, or outdated personal data with another party. If so, you must take steps to notify them once you become aware of the issue.
If you receive a request under the right to data portability, and if it's technically feasible to do so, you must provide the data principal with the following information in a commonly used electronic format:
The right to data portability doesn't apply to personal data you've collected on the grounds of "state functions" or "legal compliance."
You must stop disclosing the data principal's personal data on request if:
You may not have to comply if you believe that doing so would infringe on your freedom of speech.
As a data fiduciary, the PDPB requires you to take proactive steps to ensure you're respecting people's privacy and keeping their personal data safe.
Let's take a look at some of the most important transparency and accountability obligations that the PDPB imposes.
You must implement certain security safeguards to keep personal data safe. These safeguards may include measures which:
You must regularly review your security measures.
You have some discretion as to the scope of your security measures, bearing in mind the size of your company, and the risks associated with your data processing practices.
You must keep records of your data processing practices. These records must include details of your regular reviews of your security safeguards.
You must engage an independent auditor once per year who will examine your records and report back to the Data Protection Authority.
You must appoint a Data Protection Officer who will be responsible for:
Your Data Protection Officer can be someone who already works within your company.
There is a similar requirement to appoint a Data Protection Officer under the GDPR.
Your Data Protection Officer must be based in India. This applies even to non-Indian companies. Again, a similar requirement exists under the GDPR. Non-EU companies must appoint an EU Representative under certain conditions.
The Indian Personal Data Protection Bill (PDPB) is extensive, and complying with it is likely to require considerable effort. Get started now so you have a solid foundation for implementation when the PDPB becomes law.
Here are some actions you can take in preparation:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.