Prohibition of processing of personal data
Clause 4 seeks to prohibit processing of personal data without any specific, clear and lawful purpose. Earlier, the concept of reasonable processing was categorically prescribed, which could have resulted in possible processing of data without consent. The amended draft does away with that provision.
Restriction on retention of personal data
Clause 9 of the Draft Bill prescribes that the data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary gets consent from the data principal.
Grounds for processing of personal data without consent in certain cases
Clause 12 of the Draft Bill lists out certain cases which provides for processing of personal data without consent. Likewise, recruitment and termination of employment have also been brought under categories of processing personal data. However, if such data meets the criteria of being sensitive data, then such processing cannot be done without prior consent.
Processing of personal data for other reasonable purposes
Clause 14 seeks to provide for other reasonable purposes for which personal data may be processed. One such newly introduced purpose is the operation of search engines. This is a new insertion and was not present in the previous bill.
Right to correction and erasure
As part of chapter V on the Rights of Data Principal, under Clause 18, the data principal has been provided the right to erasure of personal data which is no longer necessary for the purpose for which it was processed. This has been added in the Draft Bill over and above the other data principal rights, such as the right to correction of inaccurate data, completion of incomplete personal data and right to updating of personal data that is out of date.
Privacy by design policy
Clause 22 seeks to list out the constituents of privacy by design policy. Though the concept itself is not new (as it was already included in the previous bill), the mandatory requirement for a certification of the privacy by design policy by the data protection authority has been newly added. Such a policy is required to be published on the organisation and the authority’s website.
Transparency in processing of personal data
Clause 23 seeks to bring in transparency in the processing of personal data by requiring the fiduciary to inform the data principal and make information available. This clause introduces a new term − ‘consent manager’ − which is defined as a data fiduciary through which a data principal can give, withdraw, review and manage his/her consent through an accessible platform.
Classification of data fiduciaries as significant data fiduciaries
Clause 26 seeks to provide for the classification of certain data fiduciaries as significant data fiduciaries, including certain social media intermediaries.
- Further, clause 26(3) of the Draft Bill details that if the authority is of the opinion that any processing accomplished by any data fiduciary or class of the same carries a significant risk, then it will apply the same obligations as those applicable to a significant data fiduciary.
- The section further defines ‘social media intermediaries’ as all intermediaries who primarily enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information. This does not include commercially oriented transactions, providing access to the internet, search engines, online encyclopaedias, email services or online storage services. The concept of a social media intermediary is a new one and was not mentioned in the previous bill.
Data protection officer (DPO)
Clause 40 of the Draft Bill states that Every significant data fiduciary shall appoint a data protection officer possessing such qualifications and experience as may be specified by the regulations, for carrying out certain functions. Earlier a DPO was required to be appointed by all data fiduciaries. The same is required in the Draft Bill to be appointed only by a significant data fiduciary.
Prohibition on processing of sensitive personal data and critical personal data outside India
Clause 33 seeks to prohibit processing of sensitive personal data and critical personal data outside India. Though these concepts were included in the previous bill, the new provisions are clearer, and restrictions are imposed on transferring sensitive and critical data.
The new provisions state that:
- sensitive personal data may be transferred outside India, subject to conditions for transfer of sensitive personal data and critical personal data, but shall continue to be stored within India
- critical personal data (the definition of which is to be notified by the Central Government) can only be processed in India.
Conditions for transfer of sensitive personal data and critical personal data
Clause 34 seeks to list out conditions under which sensitive personal data and critical personal data could be transferred outside India. Sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer, and where such transfer is made pursuant to a contract or intra-group scheme approved by the authority. Previously, intra-group scheme related approval was provided only for the categories of personal data, not being sensitive data. However, the Draft Bill extends this provision to sensitive data as well.
Clause 66 in the Draft Billl adds a new mechanism of recovery based on arrears of land revenue. This clause seeks to lay down that penalties or compensation under this act may be recovered as arrears of land revenue. The concept of a ‘recovery officer’, as provided in the previous bill, has been done away with.
Sandbox for encouraging innovation, etc.
Clause 40 states that the authority is entrusted with the responsibility of creating a sandbox for the purposes of encouraging innovation in artificial intelligence (AI), machine learning (ML) or any other emerging technology of public interest. In this regard, certain information is required to be furnished by the data fiduciary, if such fiduciary intends to apply for inclusion in the sandbox.
Re-identification and processing of de-identified personal data
Clause 91 states that the Central Government may, in consultation with the authority, direct any data fiduciary or data processor to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies, in such manner as may be prescribed. For the purposes of this sub-section, the expression ‘non-personal data’ means data other than personal data. This categorisation was not provided in the previous bill.