India's Personal Data Protection Bill (PDPB) is currently in draft form and set to be tabled in Parliament.
The PDPB looks set to be one of the strictest and most comprehensive data privacy laws in the world. In fact, it's stricter in some areas than the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Protection Act (CCPA).
The PDPB will impose obligations on practically all businesses operating in India. It will require you to reassess all of your company's data processing practices, policies, and safeguards.
To help you prepare for the passing of the PDPB, we've created a summary of the law's most important sections, including practical guidance on how to adapt to India's new privacy regime.
PDPB Key Definitions
First, let's define some of the important terms used in the PDPB.
"Personal data" is information that relates to a living individual and could be used to identify them. Personal data can include:
- Contact details
- Web browsing history
- Cookie ID
The PDPB defines personal data broadly, much like the GDPR and some more recent US privacy laws, such as the CCPA.
The PDPB uses the term "processing." Processing personal data means doing something with it, for example, storing, receiving, or transmitting it.
For more information, see our articles What is Personal Information? and What Activities Count as Processing Under the GDPR?
Sensitive Personal Data
The PDPB provides distinct rules for processing "sensitive personal data," which includes the following:
- Financial data
- Health data
- Official identifier
- Sex life
- Sexual orientation
- Biometric data
- Genetic data
- Transgender status
- Intersex status
- Caste or tribe
- Religious or philosophical belief or affiliation
The Data Protection Authority can also specify additional types of sensitive personal data.
A similar distinction exists in the GDPR. See our article on Sensitive Personal Data and the GDPR for more information.
A "data principal" is a living individual to whom personal data relates. Under the GDPR, this is a "data subject." Under US privacy law, this is a "consumer."
Every living individual is a data principal in respect of their own personal data.
A "data fiduciary" is a person, business, or other organization that decides why and how to process personal data.
Generally, a data fiduciary:
- Needs or decides to process personal data to achieve a business purpose
- Chooses how to process personal data
- Has a direct relationship with data principals
For example, Amazon is a data fiduciary. It needs to collect its customers' personal data to make sales and deliver products. Amazon is responsible for handling this personal data with care.
The concept of a data fiduciary is similar to the data controller under the GDPR.
A "data processor" is any person who processes personal data on behalf of a data fiduciary, but is not the data fiduciary's employee.
For example, email marketing company MailChimp is a data processor. MailChimp processes personal data because other companies - data fiduciaries - ask it to do so. It must handle this personal data with care, but the data fiduciaries have greater responsibility for it.
Data Protection Authority
The PDPB establishes the Data Protection Authority of India. The Data Protection Authority is an independent public body whose responsibilities include:
India's Personal Data Protection Bill (PDPB): The Basics
Before we look at your obligations under the PDPB, let's address some Frequently Asked Questions about the nature of the Bill.
Do Non-Indian Companies Have to Comply with the PDPB?
Yes, the PDPB applies to non-Indian companies based outside of India.
If your company has no presence in India, the PDPB still applies if:
- You offer goods and services to individuals in India, or
- You profile individuals within India
Your company might "offer goods and services" to individuals in India if any of the following applies:
- You take payment in rupees
- You ship your products to India
- You advertise to Indian customers
"Profiling" is any activity that "analyzes or predicts" an individual's "behavior, attributes or interests."
Personalized advertising is a common example of profiling. Personalized advertising uses web cookies to track the websites an individual visits. You can then serve them personalized ads based on this information.
So, if you operate a website that uses personalized advertising, and it's accessible in India, you must comply with the PDPB. This could apply even if you don't actively seek Indian customers.
What are the Penalties for Failing to Comply with the PDPB?
The system of penalties under the PDPB is very similar to the system of penalties under the GDPR.
Serious violations of the PDPB are punishable by a maximum penalty of the greater of:
- Fifteen crore (150 thousand) rupees (approximately 2,121,900 USD)
- 4 percent of annual global turnover
The PDPB also contains a set of criminal offenses that are punishable by imprisonment. These include unlawfully obtaining or selling personal data, and re-identifying personal data that has been de-identified.
Are There Any Exemptions for Small Businesses?
The PDPB contains some limited exemptions for small entities (including businesses) engaged in "manual processing." Manual processing is data processing that is not performed on a computer or other automated device.
The PDPB defines a small entity as one which:
- Has a turnover of less than twenty lakh (2 million) rupees (approximately 28,365 USD)
- Does not share personal data with other businesses
- Did not process the personal data of more than 100 data principals on any single day in the past 12 months
Small entities are exempt from the following parts of the PDPB:
- The obligations of notice, data quality, and data storage limitation
- The data principal rights, except for basic information under "the right of confirmation and access" and "the right to correction."
This exemption is unlikely to apply to your business if, for example, you:
- Engage in online advertising
- Take orders through your website
- Communicate with customers via email
7 Data Protection Obligations Under the PDPB
The PDPB provides seven data protection obligations that apply to all data fiduciaries.
The data protection obligations must underpin all processing of personal data (unless an exemption applies). They are similar to the principles of data protection under the GDPR.
The seven data protection obligations are:
- Fair and reasonable processing
- Purpose limitation
- Collection limitation
- Lawful processing
- Data quality
- Data storage limitation
Let's take a detailed look at each of these data protection obligations.
Fair and Reasonable Processing
You must process personal data in a way that:
- Respects the privacy of the data principal
Consider people's reasonable expectations at all times. If you feel they would be surprised to learn about how you're using their personal data, you should reassess your approach.
Purpose Limitation
You may only process personal data for clear, specific, and lawful reasons. You must generally only process personal data for the specific reason for which you collected it.
You can sometimes process personal data for a further reason other than the reason for which you collected it. However, this must be in line with the data principals' reasonable expectations, considering the context in which you collected their personal data.
Collection Limitation
You must not collect personal data unless you need it for a specific purpose.
Lawful Processing
You may only process personal data in accordance with the PDPB's grounds for processing. There is also a separate set of grounds for processing sensitive personal data.
Notice
You must provide the data principal with clear and transparent notice about how and why you wish to process their personal data.
This notice must include information about the following:
- Your purposes for processing the personal data
- Which categories of personal data you're collecting
- Your company's name and contact details, or those of your Data Protection Officer
- The data principal's right to withdraw consent (if applicable)
- Your grounds for processing and the consequences of refusing to provide the personal data (if applicable)
- Where you obtained the personal data (if you obtained it from a third party)
- Anyone with whom you might share the personal data
- Any cross-border data transfers you might carry out
- How long you will store the personal data
- How data principals can exercise their data principal rights
- Your grievance redressal system
- The data principal's right to complain to the Data Protection Authority
- Your data trust score (if you have one)
- Anything else specified by the Data Protection Authority
You must provide this information when you collect personal data from the data principal. If you received the personal data from a third party, you must provide this information to the data principal as soon as possible.
Data Quality
You must take reasonable steps to ensure that the personal data you process is of good quality. This includes ensuring that the personal data is:
- Not misleading
You may need to take particular care to ensure that the personal data you keep is of good quality if:
- You're likely to use the personal data to make a decision about the data principal
- You're likely to disclose the personal data to others
- You're keeping personal data based on facts separate from personal data based on opinion (for example, medical or psychological assessments)
If you share personal data with another person and subsequently discover that it was of poor quality, you may need to take steps to notify the recipient.
Data Storage Limitation
You must not keep personal data for longer than you need it.
There are some exceptions to this rule. For example, you must retain certain types of personal data to comply with the law.
You must regularly review the personal data in your possession to determine whether you need it.
Accountability
You must ensure that you only process personal data in accordance with the data processing obligations. You must be able to demonstrate your compliance with these obligations.
You're also responsible for ensuring that any data processors you employ comply with the data processing obligations.
Grounds for Processing Personal Data Under the PDPB
The PDPB provides six grounds for processing personal data. As a data fiduciary, you must not process personal data without grounds to do so (unless an exemption applies).
This means that for each act of data processing you engage in, you must consider whether you have grounds for processing.
The grounds for processing personal data under the PDPB are a similar concept to the lawful bases for processing under the GDPR.
The six grounds for processing personal data are:
- Consent
- State functions
- Legal compliance
- Prompt action
- Employment purposes
- Reasonable purposes
You must not process sensitive personal data on the grounds of "employment purposes" or "reasonable purposes."
Let's take a detailed look at each of these grounds for processing personal data.
Consent
You may be able to process someone's personal data if you have their consent.
Under the PDPB, consent is only valid if it is:
- Capable of being withdrawn
You cannot force a person to consent to the processing of their personal data. This means that you cannot deny a person access to goods or services if they refuse to consent, unless you need to process their personal data in a specific way in order to provide your goods or services.
You must keep records of consent.
Unlike under certain other privacy laws, such as the CCPA, you can't rely on "opt-out" or "implied" consent under the PDPB.
Consent under the PDPB is quite similar to consent under the GDPR.
State Functions
The Indian Parliament and any Indian State Legislature can process personal data if it is necessary to do so to carry out any of their functions.
Other people can also process personal data to carry out the functions of the Parliament and State Legislature, in order to:
- Provide public services to the data principal, or
- Issue official licenses or certificates to the data principal so that they can carry out public services
Legal Compliance
You may process personal data if:
- It's explicitly mandated under Indian state or national law, or
- You need to do so to comply with the judgment or order of an Indian court
Prompt Action
Certain types of medical or public emergency are grounds for processing personal data. These include:
- Responding to a serious medical emergency
- Providing medical treatment during an epidemic or outbreak
- Ensuring safety or providing assistance during a natural disaster or breakdown of public order
Employment Purposes
Employers may process the personal data of their employees and potential employees in certain circumstances, including:
- Recruitment or termination
- Provision of services and benefits
- Verifying attendance
- Assessing performance
Reasonable Purposes
You may also process personal data for "reasonable purposes." To determine what's reasonable, you must consider:
- How you will benefit from the processing
- Whether there is any public benefit
- Whether you could reasonably be expected to obtain consent
- How you might impact the data principal's rights
- Whether you would be acting within the data principal's reasonable expectations
This is similar to the test for legitimate interests under the GDPR.
Data Principal Rights of the PDPB
Data principals have certain rights over their personal data. If you've processed someone's personal data, you're legally obliged to facilitate their data principal rights. This doesn't only apply to your customers or users, but anyone whose personal data you've processed.
The data principal rights are:
- The right to confirmation and access
- The right to correction
- The right to data portability
- The right to be forgotten
Similar rights exist under other privacy laws, including the GDPR data subject rights and the CCPA consumer rights.
You must comply with requests made under "the right to confirmation and access" and the "right to correction" for free. You may charge a reasonable fee for meeting requests made under the other rights.
The PDPB doesn't provide a set period for complying with a request. The Data Protection Authority will decide this once the Bill becomes law.
Let's take a look at how you can meet your obligations under these rights.
Right to Confirmation and Access
You must provide the following clear and concise information to any data principal who requests it:
- Confirmation of whether you have processed their personal data
- A brief summary of all the data principal's personal data you have processed
- A brief summary of how you have processed the data principal's personal data, with specific reference to all relevant items set out under the principle of notice
This is similar to the Subject Access Request process under the GDPR.
Right to Correction
You must correct, complete, or update personal data on request from the data principal.
You may refuse a request if you disagree that personal data is inaccurate, incomplete, or outdated. You must provide written justification for your decision. The data principal may then request that you display a notice alongside the personal data that discloses their disagreement.
You may have already shared inaccurate, incomplete, or outdated personal data with another party. If so, you must take steps to notify them once you become aware of the issue.
Right to Data Portability
If you receive a request under the right to data portability, and if it's technically feasible to do so, you must provide the data principal with the following information in a commonly used electronic format:
- Any personal data that the data principal has provided to you
- Any personal data that you've generated in the course of providing them with goods or services
- Any personal data that forms part of a profile you've created about the data principal
The right to data portability doesn't apply to personal data you've collected on the grounds of "state functions" or "legal compliance."
Right to Be Forgotten
You must stop disclosing the data principal's personal data on request if:
- You no longer need it for the purposes for which you collected it
- They have withdrawn their consent
- You collected it unlawfully
You may not have to comply if you believe that doing so would infringe on your freedom of speech.
Transparency and Accountability Under the PDPB
As a data fiduciary, the PDPB requires you to take proactive steps to ensure you're respecting people's privacy and keeping their personal data safe.
Let's take a look at some of the most important transparency and accountability obligations that the PDPB imposes.
Transparency
You must make the following information easily accessible to data principals:
- What categories of personal data you collect and how you collect it
- Your purposes for collecting personal data
- Any categories of personal data you collect in exceptional circumstances
- How data principals can exercise their data principal rights
- How data principals can file a complaint with the Data Protection Authority
- Your data trust score (if you have one)
- Details of any procedures you have in place for cross-border transfers of personal data
Security Safeguards
You must implement certain security safeguards to keep personal data safe. These safeguards may include measures which:
- De-identify or encrypt personal data
- Protect the integrity of personal data
- Prevent personal data being misused, unlawfully accessed, modified, or destroyed
You must regularly review your security measures.
You have some discretion as to the scope of your security measures, bearing in mind the size of your company, and the risks associated with your data processing practices.
Auditing and Record-Keeping
You must keep records of your data processing practices. These records must include details of your regular reviews of your security safeguards.
You must engage an independent auditor once per year who will examine your records and report back to the Data Protection Authority.
Data Protection Officer
You must appoint a Data Protection Officer who will be responsible for:
- Advising your employees on data protection issues
- Monitoring your company's compliance with the PDPB
- Co-operating with the Data Protection Authority
Your Data Protection Officer can be someone who already works within your company.
There is a similar requirement to appoint a Data Protection Officer under the GDPR.
Your Data Protection Officer must be based in India. This applies even to non-Indian companies. Again, a similar requirement exists under the GDPR. Non-EU companies must appoint an EU Representative under certain conditions.
PDPB Head Start Checklist
The Indian Personal Data Protection Bill (PDPB) is extensive, and complying with it is likely to require considerable effort. Get started now so you have a solid foundation for implementation when the PDPB becomes law.
Here are some actions you can take in preparation: