In India, the regulations for data protection and privacy are primarily governed by the Personal Data Protection Bill, 2019 (PDP Bill), which is currently under consideration by the Indian Parliament.
- Personal Data Protection Bill, 2019 (PDP Bill):
The PDP Bill aims to establish a comprehensive framework for the protection of personal data in India. It is largely based on the principles of the European Union’s General Data Protection Regulation (GDPR) and seeks to provide individuals with greater control over their personal data. Here are some important provisions of the PDP Bill:
a. Definition of Personal Data: The bill defines personal data as any data that relates to a natural person and can be used to identify that person.
b. Consent: The PDP Bill emphasizes the importance of obtaining informed and freely given consent from individuals for the processing of their personal data. It requires organizations to clearly communicate the purpose of data collection and provide individuals with the ability to withdraw consent.
c. Grounds for Processing: The bill specifies certain grounds for processing personal data, including the necessity for the performance of a contract, compliance with a legal obligation, protection of vital interests, functions of the state, consent, and legitimate interests pursued by the data controller.
d. Data Localization: The PDP Bill introduces the concept of data localization, which requires certain categories of sensitive personal data to be stored and processed only within India. The government has the power to notify certain categories of personal data as critical personal data, mandating their storage and processing exclusively in India.
e. Data Protection Authority: The bill establishes a Data Protection Authority of India (DPA) as an independent regulatory body responsible for the enforcement and implementation of the PDP Bill. The DPA will have the power to investigate and impose penalties for non-compliance.
f. Rights of Individuals: The bill grants several rights to individuals, including the right to access their personal data, the right to rectification, the right to erasure (“right to be forgotten”), and the right to data portability.
g. Data Breach Notification: The PDP Bill introduces provisions for mandatory reporting of data breaches. Data controllers are required to notify the DPA and affected individuals about any unauthorized access, acquisition, or processing of personal data.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:
The Information Technology (IT) Rules, 2011 provide additional guidelines for the protection of sensitive personal data or information (SPDI). The rules require organizations handling SPDI to implement reasonable security practices and procedures to protect the data from unauthorized access, disclosure, or misuse.
a. Definition of SPDI: The IT Rules define sensitive personal data or information as personal information that consists of passwords, financial information, health records, sexual orientation, biometric information, etc.
b. Consent and Disclosure: The rules mandate that organizations obtain the consent of individuals for collecting and disclosing their SPDI. They also require organizations to provide a privacy policy detailing the purpose of data collection, intended recipients, and the disclosure practices.
c. Grievance Redressal: The IT Rules require organizations to designate a grievance officer to address complaints related to the handling of SPDI.
- Indian Contract Act, 1872:
The Indian Contract Act, 1872, provides a general framework for enforcing contracts in India. It includes provisions related to consent, lawful object, and lawful consideration, which are relevant to data protection and privacy when contracts are involved in the processing of personal data.
The final provisions and enactment of the PDP Bill may have changed. It is advisable to refer to the most recent updates and consult legal experts for accurate and up-to-date information on data protection and privacy regulations in India.