Data Protection Bill – India

The Personal Data Protection Bill 2019 has been referred to a Joint Parliamentary Committee for detailed examination, and the report is expected by the Budget Session 2020.

This bill broadly governs the processing of personal data by:

Government
Companies incorporated in India, and
Foreign companies dealing with personal data of individuals in India

The Central Government shall establish an Authority to be called the Data Protection Authority of India for the purpose of this Act with set qualifications for the members, terms and conditions to be followed for appointment of its members including detailed roles and responsibilities of the chairperson. Code of conduct for this Authority has to be listed out in detail as well.

The bill defines Data as Personal Data, Sensitive Personal Data and Critical Personal Data

“Personal data” is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual
“Sensitive Personal Data” means personal data related to passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation etc
“Critical Personal Data” is yet to be clearly defined

Data Fiduciary – Roles & Responsibilities

A data fiduciary is a person, state, company or any juristic entity who alone or in conjunction with others determine the purpose and means of processing of personal data. Obligations towards data are manifold, some of the key ones being:

Reason for data collection and data usage
Amount of data that can be stored
Obligation for fair and reasonable processing of the data to ensure privacy
Transparency of data principal (holder/owner of the data) towards the use and protection of data and sharing requisite information as and when requested for.

Data Principal - Rights

The Bill also talks about the rights of the data principal including but not limited to:

Right to obtain information on the purpose for which their personal data has been processed
Correct any incomplete or incorrect information
Have their data ported to any other data fiduciary in certain circumstances
Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.

ONLY IF CONSENT IS PROVIDED BY THE INDIVIDUAL, except in certain cases as defined by the Authority.

Data Storage Timelines:

The Bill states that the data fiduciary may retain personal data only as long as necessary to satisfy the purpose for which it was collected in the first place unless the retention of this data has been mandated for a longer duration or is necessary to comply with a certain law.

Exemptions

The central government can exempt any of its agencies from one or more provisions of the Act owing to one or more of the reasons below:

Interest of security of state
Prevention, detection, investigation and prosecution of contraventions of law
Processing for the purpose of legal proceedings
Research, archiving or statistical purposes
Personal or domestic purposes by an individual
Journalistic purposes
Manual processing by small entities

Treatment of Data

In terms of data localization, the Bill allows for transfer of “personal” data across borders without any limitations. With respect to “sensitive personal data” it must be stored in India. An approval by the regulator would be required for it to be processed outside India., “Critical personal data”, needs to be stored and processed within the country.

Penalties & Compensation under the act

Fines/Penalties for each of the provisions has been detailed in the bill, violation of these provisions as per the bill can invite fines as high as fifteen crore rupees or four per cent of the company’s total worldwide turnover of the preceding financial year, whichever is higher Fines for breach of certain provisions can also be levied on a daily basis.

Impact of this Act on Organizations

Where an offence under this Act has been committed by a company, every person who, at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly. (Liability on the Company & Individuals)

No such person would be held liable if he/she proves that the offence was committed without his/her knowledge or that he/she had exercised all due diligence to prevent the commission of such offence. (Potential Liability on Individuals)

Where an offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly (Liability arising by virtue of the position in the company)

Insurance View

Non-compliance with the data protection requirements as per the Act (once passed) would be construed as a regulatory breach and it would be interesting to see how difference insurance policies specifically the Privacy Regulatory Liability Coverage under the Cyber policy which intends to cover losses a company would sustains as a result of regulatory investigations and claims and the D&O policy which covers any formal administrative or formal regulatory proceeding commenced by the filing of a notice of charges or formal investigations, would respond.