Last month the draft Digital Personal Data Protection Bill was released for public consultation. It has drawn a mixed reaction from industry. Still, it is a significant step towards the legal framework that India's fast-growing digitisation badly needs. Here are the key highlights of the draft bill.
Where does it apply? The bill covers digital personal data: data collected online, or collected offline and later digitised. It applies to the processing of such data within India, and to processing outside India where it is connected with profiling of, or offering goods or services to, individuals within India. It does not apply to offline personal data, to data processed by an individual for personal or domestic purposes, or to personal data held in records that have existed for at least 100 years. The draft also states that its provisions do not apply to non-automated processing of personal data.
Non-compliance and penalties: here are the key points to note in case of non-compliance:
A. If a data fiduciary or data processor fails to take reasonable security safeguards to prevent a personal data breach, the penalty can be up to INR 2.5Bn (250 crore). It is the responsibility of the entity holding or processing the data to ensure that the data is protected and that proper IT controls are in place.
B. A business or entity has to notify the Data Protection Board of India and each affected individual in case of a personal data breach. Failure to do so would attract a penalty of up to INR 2Bn.
C. Another key area of the draft is parental consent where the individual whose data is being collected is below 18 years of age (and is therefore treated as a child). Verifiable parental consent must be obtained before a child's data is processed, and such data must not be used for tracking, behavioural monitoring or targeted advertising directed at children. Failure to comply attracts a penalty of up to INR 2Bn. This section may have real implications for social media platforms, where a significant share of users are under 18.
D. A “Data Fiduciary” is defined in the draft bill as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”. Based on an assessment of certain factors (such as the volume and sensitivity of the personal data processed and the risk of harm), the government may notify a fiduciary as a “significant data fiduciary”. A significant data fiduciary must appoint a data protection officer, who acts as the point of contact for grievance redressal and is responsible to the board of directors; it must also appoint an independent data auditor and carry out data protection impact assessments and periodic audits. Non-fulfilment of these obligations is liable to a penalty of up to INR 1.5Bn.
E. There is also a section on the duties of data principals (the individuals to whom the data relates); failure to comply with these duties attracts a penalty of up to INR ten thousand. Key duties include not registering false or frivolous complaints, not furnishing false documents or information, and complying with all applicable laws.
Non-compliance with any other provision of the bill may attract a penalty of up to INR 0.5Bn.
According to Statista, the number of internet users in India is estimated at 932 million. Such a pace of digitisation welcomes this forward movement in regulation. It also makes it all the more necessary for users and businesses to become more cyber literate and savvy in order to fight back against cyber-crime.