Data protection obligation
To date, there are no laws in India to ensure that personal data stored with businesses (banks, telcos, insurance firms, social media platforms, etc.) is protected from data breaches.
The proposed bill intends to make it an obligation to safeguard the data and impose hefty penalties for data security breaches.
Personal data processing
The bill mandates that companies that process personal data for business purposes should do so only if they have one of the following grounds:
a. Consent from the person
b. To fulfill a contract
c. To comply with law
d. Legitimate interest to carry out their business
Rights of the data principal
The bill proposes certain rights related to personal data of an individual, namely:
a) Right to confirmation and access – For example, an individual can ask any business or service provider about his/her personal data they hold.
b) Right to correction – In case incorrect personal data is stored with a provider, an individual will have the right to ask for it to be corrected. This right has several implications, including sending an information correction request to search engines like Google and social media companies like Facebook to correct any personal data held by those companies.
c) Right to data portability – An individual can request a soft copy of his/her personal data that is stored and processed by a company.
d) Right to be forgotten – Also known as “the right to be left alone”, this right ensures that all copies of the data are deleted when requested by the individual. This right will also have wider implications, such as asking a search engine like Google to delete certain references to an individual from its search results.
Data localization
While the bill permits the transfer of personal data of Indian citizens outside the territory of India, it mandates that a copy of the data be stored within India. This restriction may increase IT costs for companies that do not already store the data inside India.
Transparency
The bill proposes several accountability measures for organizations that process personal data, such as privacy by design, appointing a Data Protection Officer (DPO), carrying out a Data Protection Impact Assessment (DPIA), and data breach notification, among others.