India’s Personal Data Protection Bill, 2019 (PDP Bill) has been in the works since December 11, 2019. After two years, on December 16, 2021, the Joint Parliamentary Committee of India presented its much-awaited report to the Indian Parliament on PDP Bill.
The report recommends certain privacy rules that the global data privacy watchdogs have been awaiting. Read on to understand the impact of PDP Bill on businesses and individuals.
The current privacy law in India
|ITA-2000||Privacy as a Fundamental Right (Article 21)|
|The right to privacy is protected under the Information Technology (IT) Act, 2000. This law has some express provisions that guard individuals from breaches of their own personal data by corporate entities.||Under Article 21, the Indian Constitution has given the fundamental right to life and personal liberty (subject to certain reasonable restrictions). This came after the Supreme Court’s judgement of case ‘K.S. Puttaswamy v. Union of India 2017’.|
Under the sections 43A and 72A of the IT Act, 2000, the government has implemented Sensitive Personal Data or Information (SPDI) rule. According to this, the sensitive data of an individual must be protected, and any person accessing sensitive data without permission must pay for the damages.
However, currently, there is no specific legal framework in place to deal with the issue of data protection and privacy in India.
The Personal Data Protection Bill, 2021
Almost after two years, the Joint Parliamentary Committee (JPC) finally released the report on the Personal Data Protection Bill, 2019 which it released on December 16, 2021. The report also included the new version of the law named as, “The Data Protection Bill, 2021”.
Overall, the bill revolves around these key requirements:
- Data Protection Authority of India.
- Rights of an individual/Data principal.
- Restrictions on data sharing outside India.
- Consent before processing personal data.
- Notification in case of breach.
- Appointment of a data protection officer.
- Data impact assessment and monitoring of sensitive data processing.
- Security solutions.
Key Changes/Additions/Deletions to the PDP Bill
The Joint Parliamentary Committee has made the following revisions to their report: (we’ve summarized all one by one below)
|Added timelines for bill implementation.||The revised bill has defined the time limit of around 24 months for implementation of all its provisions. According to the bill, the data protection authority must start the work within six months, the registration of data fiduciaries must be completed within nine months, and the authorities under the Act must start their work within 12 months from the notification date.|
|Changed the name of the bill.||The name of the bill has been changed from ‘Personal Data Protection Bill’ to ‘The Data Protection Bill, 2021’ or ‘The Data Protection Act, 2021’.|
|Mandated consent before processing of children’s personal data.||The bill states that parental or guardian’s consent is a must before processing child’s personal data, and information can only be processed after verifying age.|
|Defined user rights in case of death.||The new version of the law will give people more power to control how their data is used in case of death or casualty and nominate a representative who can make decisions or take actions on their behalf.|
|Included data other than personal data.||Now, not just personal data but all other types of non-personal data is included in the data breach reporting.|
|Discussed the disclosure and reporting of data breach.||In case of a data breach:
– Companies have 72 hours to report a data breach, and they must provide a reason if there is a delay in reporting.
– The data fiduciaries only need to inform the Data Protection Authority (DPA) about the harm caused.
– Companies need to report all data breaches regardless of whether or not any damage was done.
|Made amendments to the processing of social media platforms.||– The term ‘social media intermediaries’ now changed to ‘social media platforms’.
– All social media platforms will be treated like publishers and will be responsible for any content that is posted on their site (intermediaries excluded)
– All social media platforms need to have an office in India.
– A media regulatory authority will be appointed to regulate the content posted on these platforms.
|Applied restrictions on data sharing outside national borders.||The JPC report stated that all sensitive data relating to national security, economic activities, personal data, etc., must necessarily be stored within India, and suggested that the data of Indians stored outside of India must be brought back within the specified period.|
|Mandated appointment of Data Protection Officer.||The revised bill mandated the appointment of Data Protection Officer, and only person who is a senior position in the company can be appointed to perform the duties of it.|
|Set criteria for hardware and software usage||The authorities will set up a framework that will be used for testing hardware and software before approval.|
Since the European Union’s General Data Protection Regulation (GDPR) came into force in the year 2018, several countries around the world either followed suit, changed existing law, or introduced new law for data protection. India has also made its way towards data protection with various unique provisions that are inspired by GDPR. This includes changes to deal with several issues that were present in the original bill. However, some people have criticized these changes because they give too much power to the government, and this could lead to violations of individual rights.
Furthermore, the new data protection regime will impose different and additional compliance obligations on foreign companies doing business in India. These compliance obligations may be difficult, or time consuming to meet and could potentially cause problems for these companies.
Companies can implement a cybersecurity solution beforehand to ensure that they fully meet the requirements of IT and data compliance. An all-in-one cybersecurity platform like Acronis can help businesses make sure that their IT architecture meet the latest data protection regulations.
What do you think about the new data protection bill, 2021? Share your views in the comments section.
Priyanka Dadhich – a content writer, can usually be found reading books. She likes to write about technology, healthcare, travel and fashion. Priyanka loves coffee and listens to music in her free time. She spends her free time with her family.