Inform, take consent: Responsibilities of companies under Personal Data Protection Bill

Failing to adhere to the provisions will attract penalties of up to Rs 15 crore or 4% of the company’s worldwide turnover, as per the Bill.

The Personal Data Protection Bill of 2019, which was introduced in the Lok Sabha on Wednesday, requires companies to strictly adhere to various provisions, failing which they will be liable to pay penalties of up to Rs 15 crore or 4% of the entity’s worldwide turnover.

The proposed Bill lays out various provisions for a ‘data fiduciary’ to adhere to, ranging from prompt action on a data security breach to the rules governing the processing of personal data. A data fiduciary, according to the proposed Bill, is a person, the State, a company or any entity that decides the purpose and means of processing personal data. This means that a data fiduciary decides why and how personal data is processed.

The proposed Bill lays out obligations and responsibilities for companies, failing which they can attract penalties.

Inform and take consent

For starters, the Bill prohibits processing of personal data, unless it is for a specific, clear and lawful purpose. And if personal data is being collected, it can only be done with the consent of the user, who should be clearly told why the data is being collected.

According to Chapter 2, Section 7 of the Bill, every data fiduciary has to take consent from users before processing personal data. Every user has to be informed about the nature and categories of personal data being collected and the purpose for which the data will be processed.

The user, referred to as the data principal in the Bill, has the right to withdraw consent, and the procedure for doing so has to be communicated as well.

Users should also be informed about the source from which the data is being collected, who the data will be shared with and the period for which the personal data shall be retained.

Companies should also tell users that they have the right to file complaints to the Data Protection Authority, which will have members selected by the Centre, and lay out the procedure for grievance redressal.

Every data fiduciary needs to register itself with the Data Protection Authority in such manner as may be specified by regulations.

Processing personal data of a child

Chapter 4 of the Bill mandates that a company can process the personal data of a child only in a way that protects the rights of the child and is in their best interests. It needs to verify the child’s age and obtain the consent of the parent or guardian.

Companies are also barred from profiling, tracking or behaviourally monitoring children, or targeting advertising at them. They are also barred from processing personal data that can cause significant harm to the child.

Data breach

Section 25 of Chapter 6 of the proposed Bill mandates every data fiduciary to inform the authority when there is a breach of any personal data that is likely to cause harm to any user.

Companies are required to give notice to the authority on the nature of the personal data that has been breached, the number of users that have been affected, the possible consequences of the breach and the action being taken by the data fiduciary to fix the breach.

This notice is to be given as soon as possible and “within such period as may be specified by regulations, following the breach after accounting for any period that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm.”

Once the authority receives the notice of the breach, it will take into account the severity of the harm the breach could cause to users and then determine whether users should be informed.

Companies, on direction from the Data Protection Authority, will have to clearly post the details of the personal data breach on their websites.

Data Audit

The proposed Bill says that social media entities with a user base above a certain threshold will be considered a ‘significant data fiduciary’. This applies if their actions have, or are likely to have, a significant impact on electoral democracy, the security of the State, public order or the sovereignty and integrity of India.

The Bill states that every significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor. Compliance with all the obligations and responsibilities listed above will be evaluated.

Data protection officer

Every significant data fiduciary shall appoint a data protection officer based in India, who shall represent the data fiduciary.

As per the Bill, the data protection officer’s duties will include providing information and advice to the data fiduciary on matters relating to fulfilling its obligations under this Act. The officer will monitor personal data processing activities to ensure the company isn’t violating provisions of the Act.

The officer shall advise the data fiduciary on carrying out data protection impact assessments, and on the development of internal mechanisms to satisfy the principles specified under Section 22 of the Act.

The data protection officer will be the point of contact for users for the purpose of grievance redressal.

Penalties

If a company contravenes the obligations of responding to a data breach, fails to register with the authority, fails to undertake a data protection impact assessment or conduct a data audit, or does not appoint a data protection officer, it will be liable to a penalty which may extend to Rs 5 crore or 2% of the entity’s worldwide turnover of the preceding financial year, whichever is higher.

If a fiduciary violates the provisions on processing personal data or the personal data of children, or transfers personal data outside India in violation of the provisions of Chapter 7, it shall be liable to a penalty which may extend to Rs 15 crore or 4% of its total worldwide turnover of the preceding financial year, whichever is higher.

The News Minute
www.thenewsminute.com