4 minute read 19 Jan 2021
Personal Data Protection Bill (PDPB) – India’s emerging privacy paradigm

By EY India

Multidisciplinary professional services organization


Rapid digitalization has made data privacy an essential goal. This can be made possible by establishing a stronger privacy regime through the forthcoming PDPB.

The pace of digitization, fueled by demand for digital transformation in the corporate ecosystem as well as in Government services, is exponentially increasing the creation and collection of personal data. The use of elements like big data, analytics, etc. gives an insight into an individual’s preferences and online behavioral patterns. As a result, this data can then be harnessed for targeted commercial campaigns. In India, in the absence of structured data privacy laws, the protection of personal data is more voluntary than mandatory. For a country that is among the top three in terms of number of internet users, the need for an appropriate privacy legal framework becomes critical.

With the amount of personal data being shared by citizens directly or indirectly with various entities, it has become extremely crucial to ensure that individual users have autonomy and control over their personal data in the digital economy. The Indian Government has also understood the need for a strong and structured privacy regime to govern the processing of personal data. It introduced the Draft Personal Data Protection Bill (PDPB), which is under consideration and review by a Joint Parliamentary Committee (JPC).

The Personal Data Protection Bill 2019 was introduced in the Indian Parliament in December 2019 and is currently undergoing analysis by the JPC. The JPC has recommended that the ambit of the data protection bill in India needs to expand to focus more on the digitization and localization of data. The JPC also wants the final data protection bill to include non-personal data (not merely securing personal data), which comprises sensitive and critical data.

The draft PDPB covers the privacy of individuals’ personal data across the data life cycle, which includes collection, transfer, processing, disclosure and disposal. The draft PDPB has a few elements that are similar to other leading global data protection regulations, like the EU’s General Data Protection Regulation (GDPR). The draft PDPB also covers the obligations of the data fiduciary, such as lawfulness in processing personal data, purpose limitation, collection limitation, storage limitation, quality of personal data, etc.

The draft PDPB in its present state also outlines provisions for tough penalties in response to data security breaches. The draft data privacy law calls for data fiduciaries to proactively develop privacy strategies to address privacy obligations and shift the way they approach data privacy. Data fiduciaries will have to establish organization-wide responsibility and accountability for data privacy, which might even warrant a revamp of a few business processes to streamline data visibility.

The draft PDPB covers the following key areas as part of the framework, which should support India with a robust data privacy structure.

  • Significant data fiduciary

    Under this bill, some data fiduciaries will be classified as significant data fiduciaries based on parameters like the volume and sensitivity of personal data processed, the turnover of the data fiduciary, the risk of harm from processing personal data, etc. These entities must implement additional controls, such as the appointment of a Data Protection Officer, and perform data protection impact assessments.

  • Consent manager

    A consent manager is defined under the bill as a data fiduciary that enables data principals to gain, withdraw, review and manage their consent through an accessible, transparent and interoperable platform. This provision will help manage the consent of the data principal in a centralized manner.

The draft Personal Data Protection Bill (PDPB) also has some restrictions around cross-border transfer of critical personal data, but the bill is yet to provide explicit clarity around the definition of the same. Further, some areas of the draft bill, such as the definition of data categories under critical data, the declaration of data fiduciaries as significant data fiduciaries, the data breach notification timeline, etc., would depend on the data protection authority. A few operational pieces, like privacy notices for a multilingual country like ours, would pose constraints on implementation.

In developed regions like Australia, Canada and Europe, privacy laws have been in existence for a fairly long duration. Developing countries like Brazil have only recently witnessed the rising tide of adoption of privacy regulations to protect the personal data of their citizens.

Summary

While the law might undergo amendment for further improvement, it is essential to ensure the protection of the personal data of Indian citizens in the digitized world by establishing a stronger privacy regime through the forthcoming Personal Data Protection Bill.
