India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee that comprised of members of both Houses of the Parliament (“Committee”).
On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.
Part 3 of this series looks closely at the “Obligations of Data Fiduciaries” under the PDPB Bill.
OBLIGATIONS OF DATA FIDUCIARIES
Purpose and Collection Limitation:
Personal data may only be processed in a fair and reasonable manner that will ensure the privacy of data principals. It can be collected only to the extent necessary for the purposes of processing.
Data fiduciaries are required to provide data principals with a notice that details specific information, including purposes of processing, nature and categories of personal data being collected, and the basis of processing. This notice must be clear, precise, and easily comprehensible to an individual and in multiple languages to the extent necessary and practicable. Notably, no notice is required where the provision of such notice would prejudice the processing of personal data for Public Interest.
- Quality of Personal Data:
Data fiduciaries must take necessary steps to ensure personal data processed is complete, accurate, not misleading, and updated.
Personal data may be retained only for the period necessary for the purpose for which it was processed, and the data must be deleted at the end of such period, unless expressly consented to the contrary by the data principal, or if necessary to comply with any law in force.
Data fiduciaries are responsible for compliance with the Bill, and any rules and regulations made under it, with respect to any processing undertaken by them or on their behalf. In this vein, data fiduciaries are required to enter into contracts with data processors.