Personal Data Protection Laws in India
Section 43A of the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and Section 72A of the Information Technology Act, 2000, protect the personal information and sensitive personal data of Indian citizens.
Section 43A – Compensation for failure to protect data.
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Section 72A – Punishment for disclosure of information in breach of lawful contract.
Any person, including an intermediary, who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, and who, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.
Background of Personal Data Protection Law
In 2017, the Honorable Supreme Court of India, in a historic judgment (Justice K. S. Puttaswamy v. Union of India), declared the right to privacy a fundamental right under the Constitution of India. Soon after, a committee chaired by Justice B. N. Srikrishna was formed to draft a Personal Data Protection Bill.
The Justice B. N. Srikrishna Committee submitted the draft PDPB in July 2018, and after some necessary changes the bill was tabled in the Lok Sabha in December 2019. A Joint Parliamentary Committee (JPC) was formed for a further comprehensive study. The JPC made 89 amendments and added one clause to the Personal Data Protection Bill, 2019, and was to submit its report in the Budget Session, 2021. The 2019 bill was later withdrawn in August 2022 and replaced by the draft Digital Personal Data Protection Bill, 2022, discussed below.
Definitions as per Personal Data Protection Bill, 2019
Personal Data is any information relating, directly or indirectly, to an identified or identifiable natural person, e.g. name, email address, IP address.
Sensitive Personal Data is personal data that may reveal, be related to, or constitute any of the following:
- Financial data;
- Health data;
- Official identifier;
- Sex life;
- Sexual orientation;
- Biometric data;
- Genetic data;
- Transgender status;
- Intersex status;
- Caste or tribe;
- Religious or political belief or affiliation; or
- Any other data categorized as sensitive personal data under section 15 (which allows the Central Government to notify further categories).
Data Principal is the natural person to whom the personal data relates, i.e. the person whose data a data fiduciary or data processor processes.
Data Fiduciary is any person or organization that, alone or with others, determines the purpose and means of processing personal data.
Data Processor is any person or organization that processes personal data on behalf of a data fiduciary.
Compliance under the Digital Personal Data Protection Bill, 2022
Digital Personal Data Protection Laws in India
In India, personal data protection is currently governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules"), framed under the Information Technology Act, 2000. These rules were framed to protect the personal information and sensitive personal data or information (SPDI) of individuals.
The SPDI Rules define "sensitive personal data or information" as personal information that reveals, among other things, passwords, financial information (such as bank account or card details), physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. The SPDI Rules also require a body corporate to implement reasonable security practices and procedures to protect SPDI (Rule 8 names IS/ISO/IEC 27001 as one accepted standard), and to obtain consent from individuals before collecting, using or disclosing their SPDI.
Digital Personal Data Protection Bill, 2022
The Digital Personal Data Protection Bill, 2022 is in the process of being passed by the Indian Parliament. If passed, the Act will have more robust provisions for personal data protection and will create a dedicated adjudicating body for the same.
The bill provides for the establishment of the Data Protection Board of India, whose primary function is to adjudicate non-compliance with the provisions of the Act. The Data Protection Board will have the power to impose penalties under the provisions of the Act.
Under the bill, individuals will have the right to access, rectify, and delete their personal data, and to restrict or object to the processing of their personal data. Organizations will be required to obtain consent from individuals before collecting, using, or disclosing their personal data, and will be required to implement appropriate security measures to protect personal data.
The bill also lays down conditions for the cross-border transfer of personal data and makes it mandatory to report every personal data breach to the Data Protection Board of India and each affected individual to whom the personal data relates.
Compliance
Large organizations should appoint a dedicated Data Protection Officer (DPO) who is responsible for ensuring that the organization complies with the IT Rules. The DPO should have the knowledge and experience to understand the regulations and implement the necessary controls.
Conduct regular risk assessments to identify and address potential vulnerabilities in the way personal data is collected, stored, and used. This helps ensure that the appropriate controls are in place to protect personal data and comply with the IT Rules.
Organizations should have transparent data handling and data usage policies that state what types of data they collect, how they store and use it, and with whom they share it; this should be communicated through a published Privacy Policy.
Regular training should be provided to employees, vendors, and other stakeholders to ensure that they understand the IT Rules and their responsibilities in complying with them.
Finally, organizations should conduct regular audits and assessments to ensure that their data handling practices comply with the IT Rules. This helps identify any areas where additional controls or processes need to be put in place to maintain compliance.
List of Services:
- PDPA Readiness Assessment;
- PDPA Training and Awareness;
- Contract Review and Revision as per PDPA;
- PDPA Policies and Procedures;
- Procedure for Executing Data Principal Rights;
- Embedding privacy by default in an organization;
- Data Protection Impact Assessment and its Procedure;
- Procedure for Cross-Border Transfer of Personal Data;
- Incident Response Plan and Procedure;
- PDPA Audit.