Status of Data Privacy Law in India
The draft law obliges data custodians to keep information on processing activities, which includes the categories of personal data collected and the method of collection, the purposes of the processing, the categories of personal data that are processed and present a significant risk of harm, the procedures for exercising the rights of the payer and, where applicable, information on the cross-border transfer of personal data. The APS will dictate the format and manner of retaining this information. In March 2021, California's attorney general approved amendments to the California Consumer Privacy Act of 2018 (“CCPA”), which prohibits the use of website practices that impede consumers' ability to opt out of selling their personal information. On the other side of the Atlantic, EU rules on privacy and respect for e-communications have imposed standards for informed consent. Over the past decade, there has been a growing chorus calling for a more ethical, privacy-focused, and internet-focused design choice. Aadya Misra, Senior Partner at Spice Route Legal, explores concerns surrounding unfair online business practices and how regulation in India addresses this issue. Data protection law does not provide for a general obligation of the controller or processor to inform the controller in the event of a personal data breach. The processing of children's personal data, from collection to destruction, usually requires special considerations. In fact, the level of protection afforded to children is often higher, in part because they are able to understand the consequences of sharing their information and the potential risks associated with its use or misuse. In the first part of this series, OneTrust DataGuidance examines the APAC rules governing children's personal data and presents perspectives from Australia, China, India and Japan.
The 2019 bill proposed strict regulations on cross-border data flows, proposing to give the Indian government the power to request user data from businesses, as part of Prime Minister Narendra Modi's stricter regulation on tech giants. According to the draft law, a client's right to data portability can be exercised with regard to personal data processed by automated means.
Principals shall have the right to receive data provided to the custodian, data generated in connection with the supply of goods or services and data that are part of the main data profile in a structured, commonly used and machine-readable format. You also have the right to request the transfer of this data between data custodians. The PDP bill provides for a three-year prison sentence if personal data or sensitive personal data is re-identified without the consent of the data subject. The bill does not prescribe retention periods; however, data should not be kept longer than necessary to achieve the purpose for which they were processed. In terms of legislation, the Joint Parliamentary Committee's report on the Data Protection Bill set a new tone and mandate for the 2021 Data Protection Act. The Reserve Bank of India has developed restrictions on payment aggregators and loan applications, while the Bureau of Indian Guidelines has formulated privacy standards as a security framework for businesses. The central government has also issued due diligence rules for internet intermediaries to regulate them. However, the rules state that a legal entity or any person who processes personal data on behalf of the legal entity must provide a privacy policy (see Is there a general responsibility? below). India asserts that such regulations are necessary to protect citizens' data and privacy.
Politicians have said concerns about the misuse of sensitive personal data in India have increased exponentially. For an overview of the processing of children's personal data in New Zealand, the Philippines and Singapore, please read Part II here. RBI also acknowledged the growing lack of data security and privacy in the digital lending industry. As there is an exponential penetration of digital lending applications, the RBI has set up a working group to assess the maturity of the privacy practices implemented and recommended that data be stored only on Indian servers. The international transfer of personal data to a country that does not have an adequate level of protection of personal data may take place if: The PDP bill proposes that data custodians take a number of steps to ensure transparency and accountability. The measures include introducing privacy by design, maintaining transparency regarding general practices for the processing of personal data, implementing appropriate safeguards and implementing procedures and mechanisms to deal with complaints against principals. According to the bill, “significant data custodians” must be registered with the DPA. With the latest draft, the PBO wants to regulate the collection, storage, transmission and use of personal data. In addition, the provision will be extended to companies based abroad in case Indians are exposed to their data processing activities. The draft law provides for two additional grounds for the processing of personal data: a person who re-identifies personal data previously anonymised by a data custodian or processor without the consent of the data custodian or data processor can be punished by imprisonment of up to three years and a fine of up to INR 200,000 (approximately €2,350).
The Commissioner issued Instruction No. 06 of 28 May 2010 “On the correct use of SMS for advertising, advertising, information, direct sales, via mobile phones”. This instruction stresses the importance of the prior consent of the data subject. If, after informing the DPO, the large data processor does not take appropriate measures to remedy the problem in a timely manner, the DPO shall inform the Commissioner without delay.