In today’s world, data collection and sharing are ubiquitous. Governments worldwide are introducing data privacy laws for assigning rights to individuals over collecting, storing, deleting, retaining and using their PII (Personal Identifiable Information) & PD (Personal Data).
The introduction of new Data Privacy Laws such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act)/CPRA (California Privacy Rights Act), PDPA (Personal Data Protection Act, 2012, Singapore),and PIPEDA (Personal Information Protection & Electronic Documents Act, Canada) brought a drastic change in organisations’ data privacy mechanisms.
The good news is India has also joined the data privacy revolution. And the lawmakers are working relentlessly for our own data privacy regulations, i.e., PDPB (Personal Data Protection Bill) to ensure data privacy for the individuals/controllers. This initiative will disrupt how the data is collected, recorded, stored and used by the organisations.
In this guide, we will investigate how India’s data privacy initiatives may impact the organisations at large.
It all started in the year 2009.
The Indian Government developed a framework of identity called ‘Aadhar Scheme’. The objective of introducing ‘Aadhar Scheme’ was to provide government benefits, services, subsidies to the inhabitants of the country.
But it lacked the authentic identification. And instead of bringing forth the benefits to the mass, it had become the means of exploitation & forgery.
To regulate this, in March 2016, the Aadhar Act was introduced. As per the act, the system would provide UI (unique identification) cards to the residents and prior to the distribution of these cards, each resident would need to go through the fingerprint & eye scanning using the most sophisticated & largest biometric system.
In 2017, K.S. Puttaswamy questioned the validity of Aadhar card on the grounds of privacy, exclusivity of a few welfare benefits, and surveillance. And India got its landmark verdict in terms of privacy as individual’s intrinsic right.
In 2018, the Central Government built a committee to create the first draft of PDPB (Personal Data Protection Bill).
In 2019, the PDPB was updated.
In 2020, the PDPB draft was reviewed by JPC (Joint Parliamentary Committee) in advance for the parliamentary session in December 2020.
What is PDPB?
The Personal Data Protection Bill is going to be the most comprehensive & the strictest data privacy law in the world.
When we compare PDPB with GDPR and CCPA, PDPB turns out to be stricter in a few areas than other respective privacy laws.
The PDPB will force you to rethink about your data policies and data processing practices so that you can safeguard your data. Because the PDPB will affect every business run or operated in India.
Six Key Definition under the PDPB
To understand how the PDPB impacts your business, you need to know six key definitions under the PDPB.
Personal data is defined as the data that relates and identifies a living individual of India.
Personal data includes –
The way GDPR and CCPA defines ‘personal data’, the PDPB defines ‘personal data’ in similar way (hint – broadly).
Sensitive Personal Data
The PDPB also defines ‘sensitive personal data’ as –
The PDPB defines ‘data principal’ as someone to whom personal data is related.
For example, the ‘name’, the ‘contact number’, etc., are about an individual which according to the PDPB is ‘data principal’.
The PDPB defines ‘data fiduciary’ as a person, business, or organisation that makes the decision regarding how to process the data.
For example, Google is a data fiduciary since it is an organisation that decides how to process its data (customer data and other allied data).
The PDPB has defined ‘data processor’ as an entity that processes data on the behalf of the data fiduciary but at the same time it is not data fiduciary’s employee.
For example, ConvertKit is a data processor since it processes data on behalf of many organisations via email because the organisations ask ConvertKit to do so.
Data Protection Authority
The PDPB has established the data protection authority (DPA).
The role of DPA is to –
The Basics of PDPB and How It’s Applicable to the Businesses in India & Elsewhere
First, let’s talk about for organisations PDPB applies to – especially Indian companies and non-Indian companies.
The PDPB applies to all Indian companies.
And the PDPB also applied to non-Indian companies if you are an organisation/entity that –
The obvious question is what lies within the periphery of ‘goods & services’ and ‘profiling’.
The PDPB defines offering ‘goods & services’ in India as –
Under the PDPB, ‘profiling’ Indians means when you as an organisation/entity
the behaviours/interests/attributes of individual/s.
For example, when you advertise to a targeted audience, personalise your target audience, and show ads that are made typically for them, this is personalised profiling of individuals.
The question remains whether small businesses also come under the periphery of the PDPB!
The answer to this is a resounding yes, but at the same time small businesses enjoy few exemptions as well.
If you run a small business in India that –
If you say ‘yes’ to the above three, you get the following exemption –
You also need to remember that if you
Then, you won’t be eligible for the exemptions mentioned above for a particular category of small businesses.
Data Protection Obligations under the PDPB
You need to have eight data protection obligations under the PDPB –
Penalties for not Complying with the PDPB
If you fail to comply with the standards of PDPB, here’s the maximum penalty you need to pay off (the greater of the following will be applicable) –
In a few chosen cases, the PDPB is stricter than the other privacy protection laws. In these special cases, imprisonment could be a possible punishment under the PDPB.
If you’ve gone through the guide, you probably understand the importance and applicability of the Personal Data Protection Bill.
If you’re running an organisation in India or outside India and serving the Indian population, consider reading the PDPB in detail once. It will help you make amends and prevent you from any undesired punishable offence.