• Falakyar Askari & Nerjis Nathani


Updated: 5 days ago

I. Introduction

Data privacy, one of the most important issues facing the twenty-first century digital and technology laden world, has gained much currency world over and about 107 countries have already legislated some form of law in this respect. Asia-Pacific, having 60 countries, has about 27 legislations that comprise 45% of the implementation rate in APAC region.[i] This, however, is less than half of the implementation rate in Europe.[ii] Nonetheless, a majority of the economies are catching up fast on devising local regulatory frameworks for protecting data privacy and security, India being one of them.

India is one of the latest entrants in the data protection arena with the Personal Data Protection Bill, 2019 [hereinafter ‘PDP Bill’] having already been introduced in the Parliament by the Ministry of Electronics and Information Technology [hereinafter ‘MeitY’]. The Bill, governing the collection, storage and processing of personal data by public and private entities, however, has been referred to a Joint Parliamentary Committee for detailed examination before being tabled before the Lok Sabha. At this stage it would be appropriate to understand what comprises ‘personal data’ and ‘non-personal data’ and have a brief insight into the PDP Bill.

II. Personal Data versus Non-Personal Data

Data may broadly be categorized into two categories: (a) personal, and (b) non-personal data. Personal data relates to characteristics, traits or attributes of identity, which can be used to identify an individual.[iii] Non-personal data, on the other hand, includes aggregated data through which individuals cannot be identified.[iv]

To understand the difference let us consider the following example – mobile location of one individual would constitute personal data whereas the information derived from the mobile locations of multiple drivers, for analysing traffic flow, constitutes non-personal data.

III. The Personal Data Protection Bill, 2019: A Brief Insight

The PDP Bill essentially proposes to protect ‘personal data’. It also seeks to protect ‘sensitive personal data’ such as financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe and religious or political beliefs.[v]

For the purposes of protection of ‘personal data’ and ‘sensitive personal data’, the Bill proposes a scheme which may broadly be characterized under the following heads:

1. Application clause of the PDP Bill[vi]

Clause 2 of the PDP Bill mandates regulation of the processing of personal data, which has been collected, shared, disclosed, or otherwise processed in the territory of India, by the following:

(a) Indian government, citizen, company, or any person or body of persons that has been duly incorporated within the territory of India; and

(b) any foreign entity which is engaged in the processing of personal data in the territory of India.

The PDP Bill, however, does not extend to the processing of anonymized data, other than such anonymized or other non-personal data which is intended to allow the Central Government to better target service delivery or devise evidence-based policies and strategies.[vii]

2. Obligations of Data Fiduciaries[viii]

Data fiduciaries have been obligated to process personal data subject to certain specified clear and lawful purposes, and collection and storage limitations. Clauses 4 to 11 of the PDP Bill deal with the obligations of Data Fiduciaries. These obligations are enlisted below:

(a) only such personal data may be collected as is required for the purposes of processing;

(b) mandatory prior notice has to be served upon individual(s)/data principal(s) informing them of collection or processing of personal data;

(c) retention of personal data is limited to the time required to process it and for the limited purpose it was collected. At the end of the processing, all such personal data has to be deleted;

(d) free consent has to be taken from the data principal at the commencement of data processing;

(e) it is mandatory for the data fiduciary to verify the age of the user. In case the user is a minor, the data fiduciary is required to obtain parental consent for processing sensitive personal data of such minors.

Over and above, data fiduciaries are under an obligation to undertake certain transparency and accountability measures.[ix] Clauses 22 to 32 of the PDP Bill deal with such transparency and accountability measures which are briefly summarized herein below:

(i) preparing privacy by design policy and securing its certification;

(ii) maintaining transparency in the processing of personal and sensitive data;

(iii) ensuring that the technology used in the processing of personal data is in commercially accepted or certified standards;

(iv) making sure that necessary security safeguards are in place (such as data encryption to steer clear of misuse of data);

(v) making sure that necessary actions are taken in the event of security breach, most important being informing the Data Protection Authority [hereinafter ‘DPA’] of any breach of personal data;

(vi) auditing policies annually;

(vii) undertaking data impact assessment where significant data fiduciaries undertake data processing involving new technologies or large scale profiling or sensitive personal data;

(viii) appointing Data Protection Officer to advise and monitor its activities; and,

(ix) instituting procedures for grievance resolution in order to remedy individual grievances.

3. Processing of Personal Data without Consent