
India’s Data Protection Law 2018: Future Road Ahead

With the submission of the Srikrishna Committee report on data protection, the final countdown for India’s own data protection regime has begun. A detailed legal framework on data protection is to be implemented in the coming days.
Purpose of the Data Protection Bill 2018: to protect the autonomy of individuals in relation to their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.
The key highlights are as follows:
1.     The term Data means and includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.
2.     Personal Data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information. Sensitive Personal Data, as it existed under the SPDI Rules, has been expanded to include passwords; financial data; health data; official identifier; sex life; sexual orientation; biometric data; genetic data; transgender status; intersex status; caste or tribe; religious or political belief or affiliation.
3.     Application- Applies to both government and private entities. The applicability of the law will extend to data fiduciaries or data processors not present within the territory of India, if they carry out processing of personal data in connection with (i) any business carried on in India, (ii) systematic offering of goods and services to data principals in India, or (iii) any activity which involves of data principals within the territory of India;
4.     Data Fiduciary means any person including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing personal data;
5.     Data Processor means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary;
6.     Processing means any form of processing of personal data that analyses or predicts aspects concerning the behavior, attributes or interest of a data principal
7.     Grounds for Processing Personal Data- include (a) consent, (b) functions of state, (c) compliance with law or order of court/tribunal, (d) prompt action in case of emergencies, (e) purposes related to employment and (f) reasonable purposes of the data fiduciary.
8.     Grounds for Processing Sensitive Personal Data- include (a) explicit consent, (b) functions of state, (c) compliance with law or order of court/tribunal, (d) prompt action in case of emergencies for passwords, financial data, health data, official identifiers, genetic data and biometric data.
9.     Personal and Sensitive Personal Data of Children: Processing of personal and sensitive personal data of children by data fiduciaries should be done in a manner that protects and advances the rights and best interests of the child. Data fiduciaries are required to establish mechanisms for age verification and parental consent. Fiduciaries that operate commercial websites or online services directed at children, or that process large volumes of children's personal data, would be classified as guardian data fiduciaries and barred from certain processing operations.
10.   Transparency and Accountability measures include- (a) privacy by design, (b) data protection impact assessment, (c) record keeping, (d) appointing a data protection officer, and (e) data audits. Practices described in (b) to (e) are to be carried out by data fiduciaries which can be classified as “significant data fiduciaries” by the Data Protection Authority. Technology companies, including but not limited to BFSI, processing huge amounts of personal data will have to register as data fiduciaries and undergo government audits.
11.  Transfer of Personal Data Outside India- There is a restriction on cross-border data flows. There is a mandate to store one serving copy of all personal data within the territory of India. Also, the Government is empowered to classify any sensitive personal data as critical personal data and mandate its storage and processing exclusively within India. Any cross-border transfer of data is made subject to standard contractual clauses or inter group schemes that have been approved by the Data Protection Authority, a prescription by the Central Government that transfer to a particular country, or to a sector within a country, or to a particular international organization is permissible, transfers permissible due to a situation of necessity, consent with respect to personal data and explicit consent with respect to sensitive personal data. However, this would not be applicable or extend to critical personal data. This will impact and put a check on technology service providers, credit scoring, insurance, lending & financial companies, etc. which force ‘take it or leave it’ contracts on customers. This provision is to deal with non-negotiable contracts, wherein the data controller uses its market power to force people to give up personal data. And, now only the data which is necessary for the service or product being provided;
12.  Penalties- range from 2-4% of worldwide turnover, or fines between 5 crores and 15 crores, whichever is higher. There are certain offences which are punishable with imprisonment.
13.  A Data Protection Authority is to be established by the Government of India, and a data protection fund is to be set up through proceeds from the penalties and the fines.
14.  Overriding Effect – The provisions of this law shall have an overriding effect to the extent that such provisions are inconsistent with any other law for the time being in force or any instrument having effect by virtue of any such law. Existing Acts, such as Right to Information, Aadhaar and Information Technology will have to be amended.   
To know further details and other legal aspects of India’s forthcoming Data Protection Law and its impact on your business or get your company compliant or any clarification, please feel free to connect with us at  / 08448824659.

