April 22, 2021

The PDPB & India’s Data Privacy Initiatives 2021

In today’s world, data collection and sharing are ubiquitous. Governments worldwide are introducing data privacy laws for assigning rights to individuals over collecting, storing, deleting, retaining and using their PII (Personal Identifiable Information) & PD (Personal Data).

The introduction of new Data Privacy Laws such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act)/CPRA (California Privacy Rights Act), PDPA (Personal Data Protection Act, 2012, Singapore),and PIPEDA (Personal Information Protection & Electronic Documents Act, Canada) brought a drastic change in organisations’ data privacy mechanisms.

The good news is India has also joined the data privacy revolution. And the lawmakers are working relentlessly for our own data privacy regulations, i.e., PDPB (Personal Data Protection Bill) to ensure data privacy for the individuals/controllers. This initiative will disrupt how the data is collected, recorded, stored and used by the organisations.

In this guide, we will investigate how India’s data privacy initiatives may impact the organisations at large.

India’s Quest for Data Privacy Initiatives

It all started in the year 2009.

The Indian Government developed a framework of identity called ‘Aadhar Scheme’. The objective of introducing ‘Aadhar Scheme’ was to provide government benefits, services, subsidies to the inhabitants of the country.

But it lacked the authentic identification. And instead of bringing forth the benefits to the mass, it had become the means of exploitation & forgery.

To regulate this, in March 2016, the Aadhar Act was introduced. As per the act, the system would provide UI (unique identification) cards to the residents and prior to the distribution of these cards, each resident would need to go through the fingerprint & eye scanning using the most sophisticated & largest biometric system.

In 2017, K.S. Puttaswamy questioned the validity of Aadhar card on the grounds of privacy, exclusivity of a few welfare benefits, and surveillance. And India got its landmark verdict in terms of privacy as individual’s intrinsic right.

In 2018, the Central Government built a committee to create the first draft of PDPB (Personal Data Protection Bill).

In 2019, the PDPB was updated.

In 2020, the PDPB draft was reviewed by JPC (Joint Parliamentary Committee) in advance for the parliamentary session in December 2020.

What is PDPB?

The Personal Data Protection Bill is going to be the most comprehensive & the strictest data privacy law in the world.

When we compare PDPB with GDPR and CCPA, PDPB turns out to be stricter in a few areas than other respective privacy laws.

The PDPB will force you to rethink about your data policies and data processing practices so that you can safeguard your data. Because the PDPB will affect every business run or operated in India.

Six Key Definition under the PDPB

To understand how the PDPB impacts your business, you need to know six key definitions under the PDPB.

Personal Data

Personal data is defined as the data that relates and identifies a living individual of India.

Personal data includes –

  • Name
  • Contact number
  • Fingerprint of the individual
  • Individual’s web browsing history
  • Cookie ID

The way GDPR and CCPA defines ‘personal data’, the PDPB defines ‘personal data’ in similar way (hint – broadly).

Sensitive Personal Data

The PDPB also defines ‘sensitive personal data’ as –

  • Health Data
  • Financial Data
  • Passwords
  • Genetic Data
  • Biometric Data
  • Caste or Tribe
  • Philosophical or Religious Belief, etc.

Data Principal

The PDPB defines ‘data principal’ as someone to whom personal data is related.

For example, the ‘name’, the ‘contact number’, etc., are about an individual which according to the PDPB is ‘data principal’.

Data Fiduciary

The PDPB defines ‘data fiduciary’ as a person, business, or organisation that makes the decision regarding how to process the data.

For example, Google is a data fiduciary since it is an organisation that decides how to process its data (customer data and other allied data).

Data Processor

The PDPB has defined ‘data processor’ as an entity that processes data on the behalf of the data fiduciary but at the same time it is not data fiduciary’s employee.

For example, ConvertKit is a data processor since it processes data on behalf of many organisations via email because the organisations ask ConvertKit to do so.

Data Protection Authority

The PDPB has established the data protection authority (DPA).

The role of DPA is to –

  • Develop and regulate the PDPB when it becomes a law
  • Audit the data reports
  • Enforce penalties in case of the violation of penalties

The Basics of PDPB and How It’s Applicable to the Businesses in India & Elsewhere

First, let’s talk about for organisations PDPB applies to – especially Indian companies and non-Indian companies.

The PDPB applies to all Indian companies.

And the PDPB also applied to non-Indian companies if you are an organisation/entity that –

  • Offers goods and services in India
  • And profiles individuals in India

The obvious question is what lies within the periphery of ‘goods & services’ and ‘profiling’.

The PDPB defines offering ‘goods & services’ in India as –

  • As an organisation you send your products to India
  • As an entity you receive payment in INR
  • As a company your target audience is Indian & you advertise to them

Under the PDPB, ‘profiling’ Indians means when you as an organisation/entity

  • Analyses
  • Predicts

the behaviours/interests/attributes of individual/s.

For example, when you advertise to a targeted audience, personalise your target audience, and show ads that are made typically for them, this is personalised profiling of individuals.

The question remains whether small businesses also come under the periphery of the PDPB!

The answer to this is a resounding yes, but at the same time small businesses enjoy few exemptions as well.

If you run a small business in India that –

  • Has a turnover of less than INR twenty lakhs
  • Has not processed data of more than 100 data principals in the last year or 12 months
  • Has not shared any personal data with other companies/businesses

If you say ‘yes’ to the above three, you get the following exemption –

  • You will be exempted from accountability & transparency. You also don’t need to have a privacy policy or don’t need to appoint a data protection officer
  • You will be exempted from the obligation of data storage limitation, notice, and data quality
  • You will also be exempted from the data principal rights except the right to correction and the right of access & confirmation

You also need to remember that if you

  • Take orders from your website
  • Use email to communication with your customers, &
  • Use online advertising

Then, you won’t be eligible for the exemptions mentioned above for a particular category of small businesses.

Data Protection Obligations under the PDPB

You need to have eight data protection obligations under the PDPB –

  • The processing of data should be fair & reasonable. And also as an organisation you must respect the privacy of data principal
  • You can only process personal data that are clear, specific, and should be under lawful reasonings. You may also process the personal data for other aspects but they should be in sync with the data principals’ expectations in the scope of the context under which the data is collected
  • There should be a specific reason for collecting personal data. If there’s no specific purpose, you cannot collect personal data
  • While you process personal data, you should keep in mind the grounds for processing under the PDPB
  • Providing transparent & clear notice to the data principal about why you’re collecting their personal data is of utmost importance
  • The personal data you collect should be of good quality – accurate, up-to-date, not ambiguous, complete
  • You can’t keep personal data of any data principal longer than you need
  • You must process personal data in accordance with the data processing obligations. You also should be able to demonstrate compliance

Penalties for not Complying with the PDPB

If you fail to comply with the standards of PDPB, here’s the maximum penalty you need to pay off (the greater of the following will be applicable) –

  • INR 15 Crores
  • Four percent of your annual global turnover [whichever is higher]

In a few chosen cases, the PDPB is stricter than the other privacy protection laws. In these special cases, imprisonment could be a possible punishment under the PDPB.

Conclusion

If you’ve gone through the guide, you probably understand the importance and applicability of the Personal Data Protection Bill.

If you want to know more about this, consider reading this & this.

If you’re running an organisation in India or outside India and serving the Indian population, consider reading the PDPB in detail once. It will help you make amends and prevent you from any undesired punishable offence.