With thanks to our friends Karam Daulet Singh and Gaurav Desai at Platinum Partners in New Delhi for alerting me to this important development.

The Personal Data Protection Bill (PDP Bill) makes informed individual consent the key to processing personal data. Its main thrust is that the personal data of individuals (data principals) may be processed by entities only if the individual has given his or her free, informed and specific consent to that processing. It also seeks to introduce certain rights for the data principal, such as the right to: (i) seek correction of inaccurate, incomplete or out-of-date personal data; and (ii) have personal data transferred to another data fiduciary (a person who determines the purpose and means of processing personal data) in certain circumstances. In addition, the PDP Bill introduces a "right to be forgotten".

Correspondingly, several obligations are imposed on data fiduciaries to ensure protection of the data being processed. Data fiduciaries are required to: (i) notify the prescribed authority of any breach of personal data they process where the breach is likely to cause harm to a data principal; (ii) implement policies on the processing of data; (iii) maintain transparency about their data-processing practices; (iv) implement security safeguards (such as encryption of data); and (v) put in place a grievance redressal mechanism to address complaints from data principals. The PDP Bill also requires a data fiduciary to carry out an impact assessment before undertaking any processing that involves new technologies, large-scale profiling, or the use of sensitive personal data, or any other processing that carries a risk of significant harm to data principals. The impact assessment must be shared with the prescribed authority, which can direct the data fiduciary either to cease the processing or to carry it out subject to prescribed conditions.

In addition, the PDP Bill imposes a broad set of conditions on cross-border transfers of personal data. Personal data may be transferred outside India if, in addition to adequate consent having been obtained, the transfer is made (i) subject to standard contractual clauses approved by the prescribed authority that effectively protect the rights of data principals; or (ii) to jurisdictions approved by the government. Where data is transferred on the basis of contractual protections, the data fiduciary remains liable for any harm caused to the data principal by the transferee's non-compliance with the standard contractual clauses. The PDP Bill also seeks to require data fiduciaries to store one copy of all personal data on a server or in a data centre located in India. Further, the government may notify certain categories of personal data as critical personal data, which may only be processed on a server or in a data centre located in India. Significant penalties linked to a data fiduciary's worldwide turnover are prescribed for different types of violation. For instance, processing or transferring personal data in contravention of the Bill could expose a data fiduciary to penalties of up to four per cent of its worldwide turnover.

The PDP Bill is very broad in scope: apart from Indian government and private entities, it also applies to foreign data processors in so far as they have a business connection to India or carry on activities involving the profiling of individuals in India. To become law, the PDP Bill must be passed by both houses of parliament and receive presidential assent. Once approved, its provisions are likely to be brought into effect in a phased manner.