India’s PDP (Personal Data Privacy) bill began taking shape in 2017, and the first version was submitted in 2019. Since then, further revisions to the bill have been proposed, many of which are still being discussed in 2022. This drawn-out process has left many businesses unsure of how to remain compliant with India’s privacy regulations. Many more remain unaware of the potential changes to the law and of the compliance issues those changes may cause in the future.
Proposed revisions to the bill aim to create privacy laws similar to the GDPR guidelines. Special attention is being given to increasing individual privacy without adding to the cost and complexity of doing business within the Indian economy. In this article, we’ll examine where the PDP bill stands today and where it may be headed, so that your business can prepare for compliance.
What is India’s PDP (Personal Data Privacy) bill?
The PDP bill was designed to regulate how organizations use personal data. It creates a privacy protection framework that supports individual rights through strict regulations. These regulations outline the processes by which organizations may collect, store, and process personal data in India. They not only place a burden on existing business practices but also complicate the start-up process within the Indian economy.
If your business transfers data across India’s borders, the PDP bill’s rules on cross-border data transfers will be highly relevant. The bill distinguishes between three kinds of data: personal data, sensitive personal data, and critical data. Personal data is any information that can be used to identify an individual, such as names, addresses, phone numbers, and photographs. Personal data can be transferred across borders without explicit approval.
Sensitive personal data is personally identifiable information that is at a higher risk of being stolen or misused. This includes healthcare records, payment information, and biometrics, as well as sensitive personal details such as caste, sexual orientation, and religious beliefs. Sensitive personal data requires approval from the relevant authority before it can be transferred across borders.
Critical data is regulated even more strictly: it can be transferred only to international organizations or in case of an emergency. What qualifies as critical data has not yet been clearly defined.
The PDP bill will apply to those who collect, store, or process data within or from India.
Proposed Changes to PDP
The current round of changes aims to develop the bill further and strengthen the law. Here are a few of the revisions to keep an eye on as the clauses are finalized:
Clause 2 – Scope
This controversial clause expands the scope of the PDP bill to cover both personal and non-personal data, a significant departure from how most privacy bills treat personal data. The intent is to simplify mass data transfers, which become incredibly complicated when they mix personal and non-personal data.
Clauses 13 and 14 – Personal Data Processed without Consent
The PDP bill proposes to allow certain categories of non-sensitive data to be processed without consent. This is permitted for “reasonable purposes”, balancing the interests of individuals against the interests of those who process the data.
Clause 16 – Processing Children’s Data
Organizations that process only children’s data must register with the DPA. The changes aim to protect the inherent rights of children rather than their best interests.
Clauses 17, 19 & 23 – User Rights
The data principal gains more rights to decide how their data is used. Data processors must be more transparent and use fair methods when processing personal data.
Clause 26 – Social Media
Social media platforms are treated as publishers and must therefore be held accountable for the content posted on their platforms. This clause proposes a media regulatory authority to regulate the content on these platforms.
Clause 34 – Data Transfer
Specific requirements for transferring both sensitive and critical data have been outlined. Cross-border transfers of data will need to be approved to ensure they do not violate any policies. Data sent to foreign governments and agencies must be explicitly approved by the Indian government.
Clause 40 – Sandbox Environments
There have been concerns about how startups and smaller businesses can navigate the stricter data protection policies. In response, the bill outlines how the government may set up sandbox environments for testing. These sandbox environments are intended to encourage innovation in products, technologies, and services while still upholding privacy requirements.
Furthermore, an alternative to SWIFT has been considered to ensure the privacy of payments. Data localization regulations have also been recommended as an addition to the policy.
Penalties
The bill outlines penalties for those who violate the approved guidelines.
A breach of the outlined obligations relating to data breaches, proper registration, undertaking DPIAs, appointing DPOs, and conducting data audits will result in fines of up to €586,860, or 2% of the turnover of the previous financial year.
A breach of the outlined obligations relating to processing personal data, processing children’s data, implementing security safeguards, and cross-border data transfers will result in fines of up to €1.7 million, or 4% of the turnover of the previous financial year.
A breach of the outlined obligations relating to data principal rights, where no explanation is given, may result in fines of up to €11,735.
A breach of the outlined obligations to furnish reports, returns, or information may result in fines of up to €23,470. Failure to comply with directions may result in fines of up to €234,700. A residuary penalty of €117,360 is also prescribed for failures that do not fall within the categories above.
The new standards will protect individual rights and impose obligations on those who process data. They have also been designed to allow businesses to continue innovating. As the PDP bill goes into effect, it is also projected to create employment for those who help maintain compliance with the standards.
Compliance with India’s PDP bill will be important for companies looking to avoid fines once it finally passes. While the final changes have not yet been decided, now is the time to take stock of how your organization processes data.
If your organization already follows GDPR privacy standards for all of its data collection and processing, no large changes will be needed. However, it will be important to keep in mind the ways in which India’s personal data protection bill differs from the GDPR. To remain compliant with the PDP bill, your organization must audit the processes by which it collects and uses data from India.