The Personal Data Protection Bill 2019 has been referred to a Joint Parliamentary Committee for detailed examination, and the report is expected by the Budget Session 2020.
This bill broadly governs the processing of personal data by:
The Central Government shall establish an Authority to be called the Data Protection Authority of India for the purpose of this Act with set qualifications for the members, terms and conditions to be followed for appointment of its members including detailed roles and responsibilities of the chairperson. Code of conduct for this Authority has to be listed out in detail as well.
The bill defines Data as Personal Data, Sensitive Personal Data and Critical Personal Data
Data Fiduciary – Roles & Responsibilities
A data fiduciary is a person, state, company or any juristic entity who alone or in conjunction with others determine the purpose and means of processing of personal data. Obligations towards data are manifold, some of the key ones being:
Data Principal - Rights
The Bill also talks about the rights of the data principal including but not limited to:
This bill allows processing of data ONLY IF CONSENT IS PROVIDED BY THE INDIVIDUAL, except in certain cases as defined by the Authority
Data Storage Timelines:
The Bill states that the data fiduciary may retain personal data only as long as necessary to satisfy the purpose for which it was collected in the first place unless the retention of this data has been mandated for a longer duration or is necessary to comply with a certain law
Exemptions
The central government can exempt any of its agencies from one or more provisions of the Act owing to one or more of the reasons below:
Treatment of Data
In terms of data localization, the Bill allows for transfer of “personal” data across borders without any limitations. With respect to “sensitive personal data” it must be stored in India. An approval by the regulator would be required for it to be processed outside India., “Critical personal data”, needs to be stored and processed within the country.
Penalties & Compensation under the act
Fines/Penalties for each of the provisions has been detailed in the bill, violation of these provisions as per the bill can invite fines as high as fifteen crore rupees or four per cent of the company’s total worldwide turnover of the preceding financial year, whichever is higher Fines for breach of certain provisions can also be levied on a daily basis.
Impact of this Act on Organizations
Where an offence under this Act has been committed by a company, every person who, at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly. (Liability on the Company & Individuals)
No such person would be held liable if he/she proves that the offence was committed without his/her knowledge or that he/she had exercised all due diligence to prevent the commission of such offence. (Potential Liability on Individuals)
Where an offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly (Liability arising by virtue of the position in the company)
Insurance View
Non-compliance with the data protection requirements as per the Act (once passed) would be construed as a regulatory breach and it would be interesting to see how difference insurance policies specifically the Privacy Regulatory Liability Coverage under the Cyber policy which intends to cover losses a company would sustains as a result of regulatory investigations and claims and the D&O policy which covers any formal administrative or formal regulatory proceeding commenced by the filing of a notice of charges or formal investigations, would respond.
Apurva Gopinath – Senior Manager - Financial Lines & Casualty
Apurva has over 6 years’ experience in non-life insurance sector in India with expertise in Insurance portfolio analysis & Risk Management, Structuring and Servicing of Financial Lines and Casualty Insurance programs for large & SME corporates, premium and coverage negotiations with the insurers, client relationship management and claims handling. She also specializes in structuring of global programs for both incoming multinationals as well as Indian companies with global footprint. She holds an MBA degree from Symbiosis Institute of Management Studies, Pune.