The Personal Data Protection Bill, 2018
The Personal Data Protection Bill, 2018 (“Bill”) is a draft law submitted in July 2018 by a committee of experts
on data protection constituted by the government of India (“Committee”). The bill has not yet been
implemented and has drawn significant criticism and praise. Its similarities with the European Union’s General
Data Protection Regulation (“GDPR”) can be seen in the language and direction of provisions such as the rights
of data principals, quantum of penalties, categories of personal data, and transparency obligations.
Applicability
If the Bill becomes law, its provisions would apply to the processing of personal data:
(a) that has been collected, disclosed, shared, or otherwise processed within India;
(b) by any Indian entity, citizen, or the State (as defined under Article 12 of the Constitution of India); and
(c) by data fiduciaries or data processors not present within India, if the processing is in connection with either
(i) any business carried on in India or any offering of goods or services to data principals within India or (ii)
profiling data principals within India.
The provisions of the Bill, however, do not apply to the processing of anonymised data.
The Bill applies to “personal data” and “sensitive personal data”. It treats identifiable data, with respect to any
characteristic, attribute, trait, or other feature of a person’s identity, as personal data. Sensitive personal data
includes some categories of personal data such as passwords, health or financial data, biometric data, and data
about sex life, sexual orientation, and religious or political beliefs, which carry enhanced requirements of
processing. The Bill also confers power on a data protection authority to specify other such categories.
Actors
A “data principal” is the natural person to whom some personal data relates. A “data fiduciary” is any person
– including the State, a company, or a juristic entity – who, either alone or with others, determines the purpose
and means of processing the personal data. A “data processor” is any person who processes data on behalf of a
data fiduciary; however, it does not include an employee of a data fiduciary.
A data principal is conceptually similar to a data subject and a data fiduciary to a data controller under the
GDPR.
The Bill also seeks to establish the Data Protection Authority to oversee and regulate processing activities
covered by the Bill.
Obligations of data fiduciaries
Data fiduciaries must comply with the following obligations and also be able to demonstrate that they have
complied with them.
(a) Personal data should be processed in a fair and reasonable manner that respects the privacy of the data
principal;
(b) Processing should only be for the purposes specified, or other incidental purposes that the data principal
would reasonably expect the personal data to be used for;
(c) Collection of personal data should be limited to the data that is necessary for processing;
(d) Data should be processed only on the grounds detailed in the Bill;
(e) The data fiduciary should provide the data principal with adequate notice of processing of personal data;
(f) The data fiduciary should ensure that the personal data being processed is complete, accurate, not
misleading, and updated; and
(g) Personal data should only be retained for as long as is necessary to satisfy the purpose for which it is
processed.
While it provides for a consent-based approach to processing data, the Bill allows some other grounds for
lawfully processing personal data.
Grounds for Processing
These include processing (a) that is necessary for the functioning of the Parliament or state legislatures, (b) to
comply with orders or judgments of courts or tribunals, (c) for purposes related to employment, (d) for “prompt”
action during circumstances such as medical emergencies, disasters, and breakdowns of law and order, and (e)
for “reasonable” purposes, such as whistleblowing, mergers and acquisitions, credit scoring, and debt recovery.
Without more guidance, each of these grounds of processing remains subject to governmental and judicial
interpretation.
The grounds for lawfully processing sensitive personal data are slightly different. One of them, for example,
requires explicit consent. While the Bill provides some factors that can validate explicit consent – for example,
it must be informed, clear, and specific – it does not provide guidance on how explicit consent has to be sought,
and how it varies substantially from regular consent.
Data Localisation
At least one copy of personal data should be stored on servers located in India. The government may exempt
some categories of personal data from this requirement on the grounds of necessity or strategic interests of the
State. While more guidance may provide clarity on this exemption, it cannot extend to sensitive personal data.
The government can also prescribe categories of “critical personal data” which must necessarily only be
processed on servers located in India. So far no criteria have been developed to determine this set of personal
data and so its scope is not clear.
Cross Border Transfer of Personal Data
Subject to the localisation requirements, there are some cases where personal data may be transferred out of
India. Transfer is permissible, for example, if (a) it complies with contractual clauses or intra-group schemes
authorised by the Data Protection Authority; (b) it is made to a country, sector within the country, or an
international organisation approved by the government; (c) in addition to either of the two preceding points,
the data principal has consented to such transfer; (d) the transfer is necessary, provided the Data Protection
Authority has approved such necessity; or (e) the data principal has explicitly consented to such transfer. As
noted previously, it is not yet clear how such explicit consent will be sought in practice.
Data Breaches
The Bill has adopted a harm-based standard for responding to breaches of personal data. For example, in the
event of a breach, a data fiduciary has to report it within specified timelines to the Data Protection Authority.
The authority will then determine, depending on the severity of harm that may be caused, whether such breach
should be reported to data principals. Harm includes injury, whether bodily or mental, identity theft, loss of
employment, discrimination, and loss of reputation or humiliation, amongst others. The precise methods to
gauge the extent of harm are not clear. The Data Protection Authority shall also have the powers to direct the data
fiduciary to take remedial action in the event of breaches.
Data Protection Officer
Data fiduciaries have to appoint data protection officers. A data fiduciary situated outside India must appoint
one based in India. The Data Protection Authority may specify eligibility criteria for data protection officers.
In addition to their other functions, these officers must monitor the data fiduciaries’ processing activities to
ensure compliance with the Bill, provide advice, assist and cooperate with the Data Protection Authority, and
act as points of contact between data principals and data fiduciaries.
Transparency and Accountability Measures
While the Bill does not prescribe any specific standards, by making “privacy by design” mandatory, it will require
that the business practices and technical systems of data fiduciaries be designed to anticipate and avoid harm
to data principals. Other transparency and accountability obligations it places on data fiduciaries include
adequate security safeguards, accurate and up-to-date record keeping, annual data audits, and data protection
impact assessments.
Rights of Data Principals
The Bill imagines a statutory framework to access some of the fundamental rights guaranteed by the
Puttaswamy verdict. Data principals have the right to access the personal data that is collected, confirm, correct
or update it, and receive it in commonly used forms. The “right to be forgotten” will allow data principals to
prevent the disclosure of personal data if that disclosure is no longer necessary or has served the purpose for
which it was made, or if the consent that permitted such disclosure has been withdrawn, or if the disclosure is
made contrary to applicable laws. The balance it has tried to strike between these rights and the freedom of
speech and expression will need to be tested in practice.
Penalties
Contravention by a data fiduciary of a category of obligations under the Bill may attract a penalty of up to INR
50,000,000 or 2% of the data fiduciary’s total worldwide turnover of the preceding financial year, whichever is
higher. Even higher penalties have been prescribed for contravention of obligations in respect of processing of
personal data or sensitive personal data, cross-border transfer of personal data, and the security safeguards
detailed in the Bill.
Conclusion
Data protection law in India is in a period of transition. The impact of the Puttaswamy decision on the Data
Protection Rules and the IT Act cannot be overstated. Several Indian high courts dealing with data protection
issues such as the export of data, transfer of data among group companies, and the adequacy of consent, now
have to consider the Supreme Court’s view that the privacy of personal information is part of the fundamental
right to life and personal liberty. While no judicial trend can be discerned yet, it is clear that data collection and
processing efforts in India must evaluate and anticipate the impact of this historic judgment.
The decision has also provided the impetus and the founding principles for a new data protection law. While we
do not yet know the extent to which the draft bill that is now in circulation will be part of that law, the principles
laid down in Puttaswamy and the experience of Europe’s GDPR will indeed be influential. Data fiduciaries and
processors may have to comply with a new set of obligations enforced by a new regulator through severe
penalties.
Do reach out to us if you have any comments or questions.
Mathew Chacko: mathew@spiceroutelegal.com
Ankita Hariramani: ankita.hariramani@spiceroutelegal.com
Aadya Misra: aadya.misra@spiceroutelegal.com
Aishwarya Todalbagi: aishwarya.todalbagi@spiceroutelegal.com

Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
 
Special Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreementSpecial Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreement
 
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
 
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceLaw360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A History
 
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeAlexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
 
SecuritiesContracts(Regulation)Act,1956.pdf
SecuritiesContracts(Regulation)Act,1956.pdfSecuritiesContracts(Regulation)Act,1956.pdf
SecuritiesContracts(Regulation)Act,1956.pdf
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklos
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...
 

Personal data protection bill

The Personal Data Protection Bill, 2018
The Personal Data Protection Bill, 2018 (“Bill”) is a draft law submitted in July 2018 by a committee of experts on data protection constituted by the government of India (“Committee”). The bill has not yet been implemented and has drawn significant criticism and praise. Its similarities with the European Union’s General Data Protection Regulation (“GDPR”) can be seen in the language and direction of provisions such as the rights of data principals, quantum of penalties, categories of personal data, and transparency obligations.
Applicability
If the Bill becomes law, its provisions would apply to the processing of personal data:
(a) that has been collected, disclosed, shared, or otherwise processed within India;
(b) by any Indian entity, citizen, or the State (as defined under Article 12 of the Constitution of India); and
(c) by data fiduciaries or data processors not present within India, if the processing is in connection with either (i) any business carried on in India or any offering of goods or services to data principals within India or (ii) profiling data principals within India.
The provisions of the Bill, however, do not apply to the processing of anonymised data.
The Bill applies to “personal data” and “sensitive personal data”. It treats identifiable data, with respect to any characteristic, attribute, trait, or other feature of a person’s identity, as personal data. Sensitive personal data includes some categories of personal data such as passwords, health or financial data, biometric data, and data about sex life, sexual orientation, and religious or political beliefs, which carry enhanced requirements of processing. The Bill also confers power on a data protection authority to specify other such categories.
Actors
A “data principal” is the natural person to whom some personal data relates. A “data fiduciary” is any person – including the State, a company, or a juristic entity – who, either alone or with others, determines the purpose and means of processing the personal data. A “data processor” is any person who processes data on behalf of a data fiduciary; however, it does not include an employee of a data fiduciary. A data principal is conceptually similar to a data subject and a data fiduciary to a data controller under the GDPR. The Bill also seeks to establish the Data Protection Authority to oversee and regulate processing activities covered by the Bill.
Obligations of data fiduciaries
Data fiduciaries must comply with the following obligations and also be able to demonstrate that they have complied with them.
(a) Personal data should be processed in a fair and reasonable manner that respects the privacy of the data principal;
(b) Processing should only be for the purposes specified, or other incidental purposes that the data principal would reasonably expect the personal data to be used for;
(c) Collection of personal data should be limited to the data that is necessary for processing;
(d) Data should be processed only on the grounds detailed in the Bill;
(e) The data fiduciary should provide the data principal with adequate notice of processing of personal data;
(f) The data fiduciary should ensure that the personal data being processed is complete, accurate, not misleading, and updated; and
(g) Personal data should only be retained for as long as is necessary to satisfy the purpose for which it is processed.
While it provides for a consent-based approach to processing data, the Bill allows some other grounds for lawfully processing personal data.
Grounds for Processing
These include processing (a) that is necessary for the functioning of the Parliament or state legislatures, (b) to comply with orders or judgments of courts or tribunals, (c) for purposes related to employment, (d) for “prompt” action during circumstances such as medical emergencies, disasters, and breakdowns of law and order, and (e) for “reasonable” purposes, such as whistleblowing, mergers and acquisitions, credit scoring, and debt recovery. Without more guidance, each of these grounds of processing remains subject to governmental and judicial interpretation.
The grounds for lawfully processing sensitive personal data are slightly different. One of them, for example, requires explicit consent. While the Bill provides some factors that can validate explicit consent – for example, it must be informed, clear, and specific – it does not provide guidance on how explicit consent has to be sought, and how it varies substantially from regular consent.
Data Localisation
At least one copy of personal data should be stored on servers located in India. The government may exempt some categories of personal data from this requirement on the grounds of necessity or strategic interests of the State. While more guidance may provide clarity on this exemption, it cannot extend to sensitive personal data. The government can also prescribe categories of “critical personal data” which must necessarily only be processed on servers located in India. So far no criteria have been developed to determine this set of personal data and so its scope is not clear.
Cross Border Transfer of Personal Data
Subject to the localisation requirements, there are some cases where personal data may be transferred out of India. Transfer is permissible, for example, if
(a) it complies with contractual clauses or intra-group schemes authorised by the Data Protection Authority;
(b) it is made to a country, sector within the country, or an international organisation approved by the government;
(c) in addition to either of the two preceding points, the data principal has consented to such transfer;
(d) the transfer is necessary, provided the Data Protection Authority has approved such necessity; or
(e) the data principal has explicitly consented to such transfer.
As noted previously, it is not yet clear how such explicit consent will be sought in practice.
Data Breaches
The Bill has adopted a harm-based standard for responding to breaches of personal data. For example, in the event of a breach, a data fiduciary has to report it within specified timelines to the Data Protection Authority. The authority will then determine, depending on the severity of harm that may be caused, whether such breach should be reported to data principals. Harm includes injury, whether bodily or mental, identity theft, loss of employment, discrimination, and loss of reputation or humiliation, amongst others. The precise methods to gauge the extent of harm are not clear. The Data Protection Authority shall also have the powers to direct the data fiduciary to take remedial action in the event of breaches.
Data Protection Officer
Data fiduciaries have to appoint data protection officers. A data fiduciary situated outside India must appoint one based in India. The Data Protection Authority may specify eligibility criteria for data protection officers. In addition to their other functions, these officers must monitor the data fiduciaries’ processing activities to ensure compliance with the Bill, provide advice, assist and cooperate with the Data Protection Authority, and act as points of contact between data principals and data fiduciaries.
Transparency and Accountability Measures
While the Bill does not prescribe any specific standards, by making “privacy by design” mandatory, it will require that the business practices and technical systems of data fiduciaries be designed to anticipate and avoid harm to data principals. Other transparency and accountability obligations it places on data fiduciaries include adequate security safeguards, accurate and up-to-date record keeping, annual data audits, and data protection impact assessments.
Rights of Data Principals
The Bill imagines a statutory framework to access some of the fundamental rights guaranteed by the Puttaswamy verdict. Data principals have the right to access the personal data that is collected, confirm, correct or update it, and receive it in commonly used forms. The “right to be forgotten” will allow data principals to prevent the disclosure of personal data if that disclosure is no longer necessary or has served the purpose for which it was made, or if the consent that permitted such disclosure has been withdrawn, or if the disclosure is made contrary to applicable laws. The balance it has tried to strike between these rights and the freedom of speech and expression will need to be tested in practice.
Penalties
Contravention of its provisions by a data fiduciary of a category of obligations may attract a penalty of up to INR 50,000,000 or 2% of the data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. Even higher penalties have been prescribed for contravention of obligations in respect of processing of personal data or sensitive personal data, cross-border transfer of personal data, and the security safeguards detailed in the Bill.
Conclusion
Data protection law in India is in a period of transition. The impact of the Puttaswamy decision on the Data Protection Rules and the IT Act cannot be overstated. Several Indian high courts dealing with data protection issues such as the export of data, transfer of data among group companies, and the adequacy of consent, now have to consider the Supreme Court’s view that the privacy of personal information is part of the fundamental right to life and personal liberty. While no judicial trend can be discerned yet, it is clear that data collection and processing efforts in India must evaluate and anticipate the impact of this historic judgment.
The decision has also provided the impetus and the founding principles for a new data protection law. While we do not yet know the extent to which the draft bill that is now in circulation will be part of that law, the principles laid down in Puttaswamy and the experience of Europe’s GDPR will indeed be influential. Data fiduciaries and processors may have to comply with a new set of obligations enforced by a new regulator through severe penalties.
Do reach out to us if you have any comments or questions.
Mathew Chacko, mathew@spiceroutelegal.com
Ankita Hariramani, ankita.hariramani@spiceroutelegal.com
Aadya Misra, aadya.misra@spiceroutelegal.com
Aishwarya Todalbagi, aishwarya.todalbagi@spiceroutelegal.com