PDPB PPT 180919083509
Uploaded by Naveen

PERSONAL DATA PROTECTION BILL
APPLICABILITY

Processing of personal data:

• where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and
• by any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.

The PDPB does not apply to processing of anonymised data.

The PDPB shall apply to data fiduciaries or data processors not present within the territory of India only if such processing is:

• in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
• in connection with any activity which involves profiling of data principals within the territory of India.

Remarks:

• If personal data of foreign nationals is shared with an Indian Company to comply with management/statutory reporting requirements, the PDPB shall not apply to such foreign company.
• If personal data of a person is anonymised through an irreversible process, such that the person cannot be identified, the PDPB shall not apply.

2
TRANSITIONAL PROVISION

Once the Act is notified, a period of 12 months is prescribed for notifying the various Rules and Regulations thereunder.

The Data Protection Authority (DPA) will be constituted within a period of 15 months from enactment of the Act.

The DPA is conferred with the power to issue codes of practice on the various principles of data protection obligations and to notify exceptional grounds for processing personal data without seeking consent.

Once the Act is notified, its various provisions will come into effect within a span of 1 to 2 and a half years.

Remarks:

• Although the Bill has prescribed a transition period, the penalties prescribed are quite onerous and almost at par with the GDPR of the EU. Further, after the landmark judgement of the Supreme Court recognising privacy as a fundamental right, it is imperative for organisations to re-look at their systems and processes while the law is being enacted.

OVERRIDING EFFECT OF THIS ACT

In the event of any inconsistency, the PDPA will have an overriding effect over any other laws.

The said law will also rescind the existing Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

3
GROUNDS FOR PROCESSING OF PERSONAL DATA

PERMISSIBLE PROCESSING (grounds shown in the diagram):

• Consent
• Function of the State
• Compliance with law or compliance with any order of the court or tribunal
• In case of emergency
• In relation to employment
• For reasonable purposes

Consent is not a pre-requisite in such events.

Remarks:

• Except for the events stated in the diagram above, consent is a pre-requisite before processing personal data. The consent has to satisfy all the attributes of sec. 12 of the PDPB.
• The burden of proof to establish that valid consent was given by the individual is on the data fiduciary.
• In the event an individual who is a party to a contract withdraws consent to processing of his personal data which is necessary for performance of the contract, all legal consequences arising out of such withdrawal have to be borne by the respective individual only.
• The Bill explicitly states that consent is not essential for processing personal data of an employee in relation to employment. However, processing of sensitive personal data in relation to employment may require the explicit consent of the employees; currently there is ambiguity on this aspect and clarification is being sought.
• In the event of corporate restructuring events such as mergers and acquisitions, prevention and detection of fraud, network and information security measures, etc., given that these purposes are reasonable purposes and seeking consent would not be a viable option, the DPA will issue a list of such purposes along with the security measures a company should ensure thereto.

4
PROCESSING THROUGH CONTRACTORS/SUB-CONTRACTORS

A Company can process personal data of an individual through a contractor/sub-contractor strictly only on execution of a valid contract.

The contract so executed should restrict the vendor from further engaging a sub-contractor unless expressly agreed by the Company in the contract.

The purpose for processing such data should be solely determined by the Company.

Remarks:

• It is imperative to bind the contractor with an obligation to protect and treat the data as confidential. It is also important to ensure that the liability of the contractor in the event of a breach is not capped but unlimited; further, the Company should also have an indemnity right.

5
CROSS-BORDER TRANSFER OF PERSONAL DATA

Cross-border transfer of personal data will be allowed only pursuant to standard contractual clauses or an intra-group scheme duly approved by the Authority.

The PDPB mandates storage of one copy of the personal data to which the Act applies on a server maintained in India.

The Authority will notify a list of critical data which mandatorily needs to be maintained only in India.

The Central Government may notify a few exemptions to the above.

Remarks:

• On account of increasing instances of fraud/scams, the RBI vide its circular dated 6th April, 2018 has mandated maintenance of all payment systems within India latest by 15th Oct, 2018. While there have been multiple representations to the Government on the matter, the RBI has not relaxed the condition yet, and in the interim the Bill as well now mandates maintenance in India of one copy of the personal data being processed outside India. It is imperative for organisations maintaining personal data of individuals outside India to review their processes and systems.

6
TRANSPARENCY AND ACCOUNTABILITY MEASURES

Group A

• Privacy by Design: The management and organisational practices should be aligned to the interest of the Data Principals.
• Transparency: The purpose and operation involved in processing is required to be disclosed to the Data Principals.
• Security Safeguards: The organisation should take appropriate security measures to protect the integrity of the data.
• Personal Data Breach: Depending on the severity of the harm caused, notification to the Data Principal is required to be initiated.

Group B

• Data Protection Impact Assessment: Before undertaking any new processing activity or technological change, or large-scale profiling or use of SPD, the Company mandatorily has to undertake a Data Impact Assessment.
• Record Keeping: The Company needs to maintain a complete record of end-to-end data processing activity for such period as may be notified by the Authority.
• Data Audits: The Company has to get its processes involved in the processing of personal data audited by an independent data auditor annually.
• Data Protection Officer: A DPO needs to be appointed who can guide the Company in relation to its obligations arising out of the PDPA. The aforesaid role can be in addition to any other role played by the DPO.

Remarks:

• Actions listed in Group B are required to be complied with only by such class of data fiduciaries and significant data fiduciaries as may be notified by the Data Protection Authority.

7
RIGHTS OF DATA SUBJECT

Rights of the Data Subject (as shown in the diagram):

• Right to confirmation and access
• Right to correction
• Right to Data Portability
• Right to be forgotten

Remarks:

• An application has to be made to the Company in writing for exercise of any of the said rights.
• If the Right to be Forgotten is exercised by an individual but there exists a dispute, or the company envisages litigation or a regulatory enquiry, or is required to maintain the data until the stipulated statutory period, in such events the Company can refuse erasure of data to the person concerned in writing.
• The Company is required to have a robust grievance redressal mechanism in place. A DPO so designated, or an officer authorised for this purpose, should be the point of contact for the data principals.
• A grievance, if raised, has to be resolved within a period of 30 days; if it is not resolved or not satisfactorily resolved, the data principal has a right to file a complaint with the adjudicating wing.

POWERS VESTED WITH THE AUTHORITY

The Authority is vested with the power to call for information, conduct inquiry, and carry out search and seizure.
8
DATA PROTECTION OBLIGATIONS

Obligations shown in the diagram:

• Fair and reasonable processing
• Purpose limitation
• Collection limitation
• Lawful processing
• Notice
• Data Quality
• Data Storage Limitation
• Accountability

9
PENALTIES

Provisions:
• Failure to take prompt action in response to a data security breach
• Failure on the part of a significant data fiduciary:
  - to undertake data protection impact assessment
  - to conduct data audit
  - to register with the Authority
Penalty: Up to Rs. 5 Crs. or 2% of the worldwide turnover of the preceding financial year, whichever is higher.

Provisions:
• Processing of personal data against the data protection obligation principles
• Processing of personal data not in accordance with the grounds of processing as provided under the law
• Processing of sensitive personal data not in accordance with the grounds of processing as provided under the law
• Failure to adhere to the security safeguards
• Transfer of personal data in violation of the Act
Penalty: Up to Rs. 15 Crs. or 4% of the worldwide turnover of the preceding financial year, whichever is higher.

10
PENALTIES CONTINUED…

Total worldwide turnover in relation to a data fiduciary is the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors including:
(i) the alignment of the overall economic interests of the data fiduciary and the group entity;
(ii) the relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary; and
(iii) the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be.

Provision: Without any reasonable explanation, failure to comply with a data principal's request
Penalty: Rs. 5,000 for each day during which the default continues, subject to a maximum of Rs. 10 lakhs in case of significant data fiduciaries and Rs. 5 lakhs in other cases.

Provision: Failure to furnish reports, returns or information to the Authority
Penalty: Rs. 10,000 for each day during which such default continues, subject to a maximum of Rs. 20 lakhs in case of significant data fiduciaries and Rs. 5 lakhs in other cases.

11
PENALTIES CONTINUED…

Provision: Failure to comply with the order of the Authority
Penalty:
• Data Fiduciary: up to Rs. 20,000 for each day during which such default continues, subject to a maximum of Rs. 2 Crs.
• Processor: up to Rs. 5,000 for each day during which such default continues, subject to a maximum of Rs. 50 lakhs.

Provision: Penalty for contravention where no penalty is prescribed
Penalty:
• Significant Data Fiduciary: maximum Rs. 1 Cr.
• Other data fiduciary: maximum Rs. 25 lakhs.

Remarks on Penalties:

• In addition to the penalty, data principals also have a right to compensation for damages suffered.
• The compensation awarded or penalty imposed under the PDPA does not limit the award of compensation or imposition of any other penalty or punishment under any other law for the time being in force.

12
OFFENCES PUNISHABLE WITH IMPRISONMENT

Offence (Personal Data): In contravention of the provisions of the Act, one obtains, discloses, transfers, sells or offers to sell personal data of a person which causes significant harm to the data principal.
Liability: Imprisonment for a term not exceeding 3 years, or a fine which may extend up to Rs. 2 lakhs, or both.

Offence (Sensitive Personal Data): In contravention of the provisions of the Act, one obtains, discloses, transfers, sells or offers to sell personal data of a person which causes significant harm to the data principal.
Liability: Imprisonment for a term not exceeding 5 years, or a fine which may extend up to Rs. 3 lakhs, or both.

Offence (Re-identification): Anyone who re-identifies and processes de-identified personal data without the consent of the data fiduciary or processor.
Liability: Imprisonment for a term not exceeding 3 years, or a fine which may extend up to Rs. 2 lakhs, or both.

13
OFFENCES PUNISHABLE WITH IMPRISONMENT CONTINUED…

Remarks:

• Offences under the PDPA are cognizable and non-bailable offences.
• Offences committed by a Company: Every person who was in charge of, and responsible to the Company for, the conduct of the business of the Company, as well as the Company itself, shall be deemed to be guilty. This includes the Managing Director, Manager and/or Whole-time Director of the Company.
  Further, if it is proved that the offence by the Company has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such persons shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

14
KEY TAKEAWAYS

The Personal Data Protection Bill 2018 of India is a law with extra-territorial jurisdiction and is aligned to the privacy principles laid down under the GDPR, including severe fines in case of data breach. After the Supreme Court's landmark judgement recognising privacy as a fundamental right, people have become more vigilant about their rights and are questioning any usage of their data for purposes other than those they have consented to. In order to enjoy a competitive edge in the sectors in which the Business operates, especially sectors whose business model is directly linked to customers' data, the law will have far-reaching implications.

IMPLICATIONS

In the event of a breach, one will not only be liable to pay a penalty and damages to the aggrieved person but will also be subjected to business and reputational loss. In the event it is determined that significant harm has been caused to an individual, the officer in default may even be sentenced to imprisonment. The liability in certain events extends even to the directors and managers of the Company. Further, depending upon the harm caused to an individual, the respective international privacy regulatory authority may even restrict processing by an Indian Entity of personal data of data principals residing in that jurisdiction.

15
ACTION POINTS

• One of the essential pillars of data protection laid down under the law is the importance of 'adequate safeguards', including de-identification, encryption, and tools to prevent misuse, unauthorized access, modification, disclosure, or destruction of personal data.
• Temporal limitations on processing and retention of personal data: store the data only as long as "reasonably necessary" to satisfy its intended purpose or to comply with legal obligations. Undertake periodic reviews to check that no one is unnecessarily retaining personal data.
• Undertake a gap assessment exercise, frame the privacy & security policy of the company and adopt the code of practice as may be notified by the Authority.
• Review existing contracts with vendors; bind them with restrictive covenants as well as the security and privacy policy of the Company.
• Undertake data audits in case of any outsourced processing assignments.
• Given the nature of operation of the Company, consider taking Data Insurance.

16
GLOSSARY OF KEY TERMS

Data: means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.

Data fiduciary: means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

Data principal: means the natural person to whom the personal data referred to in sub-clause (28) relates.

Data processor: means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary.

Harm: includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (iii) financial loss or loss of property; (iv) loss of reputation, or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveyed; or (x) any observation or surveillance that is not reasonably expected by the data principal.

17
GLOSSARY OF KEY TERMS CONTINUED…

Person: means (i) an individual, (ii) a Hindu undivided family, (iii) a company, (iv) a firm, (v) an association of persons or a body of individuals, whether incorporated or not, (vi) the State, and (vii) every artificial juridical person not falling within any of the preceding sub-clauses.

Personal data: means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.

Personal Data Breach (PDB): means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal.

Profiling: means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal.

Sensitive Personal Data (SPD): means personal data revealing, related to, or constituting, as may be applicable: (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe.

Significant data Fiduciary (SDF): means a data fiduciary notified by the Authority under section 38.

Significant harm: means harm that has an aggravated effect having regard to the nature of the personal data being processed, and the impact, continuity, persistence or irreversibility of the harm.

18
THANK YOU

19
