India
India introduces Data Privacy Bill in the Parliament
Ministry of Electronics and Information Technology (“MeitY”) has introduced the Data Protection Bill in the Indian Parliament on December 11, 2019, which provides for the protection of personal data of individuals. It also mentions certain obligations on individuals and entities in order for governance and regulation of the collection, processing, usage, and transmission of personal data.
Some of the highlights of the Bill are as under:
- The Bill governs the processing of personal data by companies incorporated in India and foreign companies dealing with personal data of individuals in India.
- “Personal data” means data about or relating to a natural person who is directly or indirectly identifiable.
- “Sensitive personal data” includes Password, Financial data, Health data, Official identifier, Sex life, Sexual orientation, Biometric data, Genetic data, Transgender status, Intersex status, caste or tribe, religious or political belief or affiliation, or any other data specified by the authority.
- Personal data may be processed on the consent of the person and should be obtained before the commencement of the processing. The consent to be considered as valid, if it is given freely, informed, specific, clear and capable of being withdrawn.
- Sensitive personal data may be processed on the basis of explicit consent.
- The Bill sets up a Data Protection Authority.
- The businesses have various duties under the bill, which includes the duty to:
- Have adequate security controls.
- Have a detailed and clear personal data protection plan
- Establishment of reporting mechanisms for any data breach to the concerned authority, etc.
- The bill also sets out the rights of the data principal (individual) which includes the Right to confirmation and access, Right to correction, Right to Data Portability, Right to be forgotten.
- Personal data and sensitive personal data may be transferred outside the territory of India subject to conditions mentioned in the bill.
Implication
The Indian data protection bill, once enacted, will require any business operating in India and outside India having personal data of individuals in India to comply with additional compliances and processes specified under this bill which is similar to GDPR in the EU.
© 2019 Shan & Co.