Skip to main content

India’s Data Protection Law 2018: Future Road Ahead


With the submission of SriKrishna Committee report on data protection, the final countdown for India’s own Data Protection Regime has finally begun.  A detailed legal framework on data protection is to be implemented in the coming days.
Purpose of Data Protection Bill 2018- To protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.
The key Highlights are as following:
1.     The term Data means and includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.
2.     Personal Data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information. The Sensitive Personal Data as it existed under SDPI Rules has been expanded to include passwords; financial data; health data; official identifier; sex life; sexual orientation; biometric data; genetic data; transgender status; intersex status; caste or tribe; religious or political belief or affiliation
3.     Application- Applies to both government and private entities. The applicability of the law will extend to data fiduciaries or data processors not present within the territory of India, if they carry out processing of personal data in connection with (i) any business carried on in India, (ii) systematic offering of good and services to data principals in India, or (iii) any activity which involves of data principals within the territory of India ;
4.     Data Fiduciary means any person including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing personal data;
5.     Data Processor means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary;
6.     Processing means any form of processing of personal data that analyses or predicts aspects concerning the behavior, attributes or interest of a data principal
7.     Grounds for Processing Personal Data- includes (a) consent, (b) functions of state, (c ) compliance with law or order of court/tribunal, (d) for prompt action incase of emergencies, (e) purposes related to employment and (f) reasonable purposes of the data fiduciary.
8.     Grounds for Processing Sensitive Personal Data- includes (a) explicit consent, (b) functions of state, (c ) compliance with law or order of court/tribunal, (d) for prompt action in case of emergencies for passwords, financial data, health data, official identifiers, genetic data and biometric data.
9.     Personal and Sensitive Personal Data of Children: Processing of personal and sensitive personal data of children by data fiduciaries should be done in a manner that protects and advances the rights and best interests of the child. Data fiduciaries are required to establish mechanisms for age verification and parental consent. Fiduciaries that operate commercial websites or online services directed at children or process large volume of children personal data would be classified as guardian data fiduciaries and barred from certain processing operations.
10.   Transparency and Accountability measures includes- (a) Privacy by design, (b) data protection impact assessment, (c ) record keeping, (d) appointing a data protection officer, and (e ) data audits. Practices inscribed in (b) to (e ) are to be carried about by data fiduciaries which can be classified as “significant data fiduciaries”  by the Data Protection Authority. Technology companies including but not limited to BFSI  processing huge amounts of personal data will have to register as data fiduciaries and undergo government audits.
11.  Transfer of Personal Data Outside India- There is a restriction on cross border data flows. There is a mandate to store one serving copy of all personal data within the territory of India. Also, the Government is empowered to classify any sensitive personal data as critical personal data and mandate its storage and processing exclusively within India. Any cross border transfer of data is made subject to standard contractual clauses or inter group schemes that have been approved by the Data protection Authority, prescribed that transfer to a particular country, or to a sector within a country or to a particular international organization is permissible by the Central Government, transfers permissible due to a situation of necessity, consent with respect to personal data and explicit consent with respect to sensitive personal data. However, would not be applicable or extend to critical personal data. This will impact and put a check on technology service providers, credit scoring, insurance, lending & financial companies, etc. which forces ‘take it or leave it’ contracts from customers. This provision is to deal with non-negotiable contracts, wherein the data controller uses its market power to force people to give up personal data. And, now only the data which is necessary for the service or product being provided;
12.  Penalties- range from 2-4% of the world wide’s turnover, or fines between 5 crores and 15 crores, whichever is higher. There are certain offences which punishable with imprisonment.
13.  Data Protection Authority to be established by Government of India and a data protection fund to be set up through proceeds from the penalties and the fines;
14.  Overriding Effect – The provisions of this law shall have an overriding effect to the extent that such provisions are inconsistent with any other law for the time being in force or any instrument having effect by virtue of any such law. Existing Acts, such as Right to Information, Aadhaar and Information Technology will have to be amended.   
To know further details and other legal aspects of India’s forthcoming Data Protection Law and its impact on your business or get your company compliant or any clarification, please feel free to connect with us at admin@equicorplegal.com  / 08448824659.

Comments

Popular posts from this blog

PSARA License: To Start a Private Security Agency Business in India

Private Security Agency business is one of the most sought and rapid growing business in India with huge demand and potential. Due to ever evolving demand for private security by industry & business segments, the Private Security Agency business is growing for more than 20% and there is still huge untapped market still wide open for the future ventures. Today in any and every aspect, private security has an important role to play, whether its transfer of cash to ATM, transportation of valuables or protection to key members of business conglomerates. Any Private Security Agency cannot commence its business and operations in India without procurement of license under Private Security Agencies (Regulation) Act, 2005 also known as PSARA License . PSARA License is obtained state wise & is valid for 5 years and had to be renewed after every 5 years. The government fees for PSARA License is as following: 1.        For one (1) District- Rs. 5,000/- 2.        For more th

Non-Banking Financial Companies (NBFC)

A Non-Banking Financial Company (NBFC) is a  company registered under the Companies Act, 1956 and is engaged in the business of loans and advances, acquisition of shares stock/bonds/debentures/securities issued by Government or local authority or other securities of like marketable nature, leasing, hire-purchase, insurance business, chit business but does not include any institution whose principal business is that of agriculture activity, industrial activity, sale/purchase/construction of immovable property. A non-banking institution which is a company and which has its principal business of receiving deposits under any scheme or arrangement or any other manner, or lending in any manner is also a non-banking financial company (Residuary non-banking company). Advantages of NBFC a)       it can provide loans and credit facilities, b)       it can trade in  money market instruments c)       it can do wealth management such as Managing portfolios of stocks and shares d)     

Investment Frauds by Investment Advisers

Today driven by the promise of higher returns than the saving accounts or fixed deposits, most of the small and retail investors are moving their investments under the guidance of Investment Advisers. “ Investment Advisers ” means any person, who for consideration, is engaged in the business of providing investment advice to clients or other persons or group of persons and includes any person who holds out himself as an investment adviser, by whatever name called. Investment Advisers who make public appearance or make recommendations or offer an opinion concerning securities or public offers through public media while making recommendations through public media are required to comply with the relevant applicable laws. What is an Investment Advice: - “ Investment Advice”  is an advice relating to investing in, purchasing, selling or otherwise dealing in securities or investment products, and advice on investment portfolio containing securities or investment products, whether

Types of Companies under New Companies Act-2013

With new testament of Corporate law in force has introduced several different types of companies with special features. ONE PERSON COMPANY (OPC) One Person Company is defined in Sub- Section 62 of Section 2 of The Companies Act, 2013, which reads as follows: 'One Person Company means a company which has only one member' It shall also be important to note that Section 3 classifies OPC as a Private Company for all the legal purposes with only one member. All the provisions related to the private company are applicable to an OPC, unless otherwise expressly excluded. Ø   Only a natural person who is an Indian citizen and resident in India- ü   shall be eligible to incorporate a One Person Company; ü   shall be a nominee for the sole member of a One Person Company. Ø   No person shall be eligible to incorporate more than a One Person Company or become nominee in more than one such company. Ø   No minor shall become member or nominee of the One Person Company

NCLT has Exclusive Jurisdiction for all the Company Matters

In deciding an appeal in the matter of MAIF Investment India PTE Ltd. v/s Ind-Barath Power Infra Limited & Ors ., Company Appeal (AT) No. 334 of 2018, NCLAT has reviewed and decided on the issue of exclusive jurisdiction of NCLT in all the company matters and to bar the jurisdiction of civil courts including   complex and contentious one. The appeal was against the order given by NCLT, Hyderabad, where the NCLT, Hyderabad bench declined to entertain the petition under Section 59 of the Companies Act, 2013 for seeking a rectification in the register of members. The alleged dispute involved conversion of compulsory convertible debentures without requisite consent and quorum. NCLT, Hyderabad dismissed the petition stating the reason that issue raised were complex or contentious issue which required the examination of the Arbitration Act, 1996 & Insolvency & Bankruptcy Code, 2016. While dismissing the petition, NCLT, Hyderabad had relied on Supreme Court’s 1998 judge

Legal Obligations of Technology Service Providers as Intermediaries

A database of millions of customers including their contact details are found freely accessible online and are available for sale at a very nominal price at various online social media platforms has brought a serious and basic question in focus- who all can be held responsible and accountable for such unauthorize and illegal acts? Prima facie , the person who is selling the database is responsible under the eyes of law, but do the technology services providers or the platform where such database is been listed, owes any obligation to the customers and can be held responsible for unauthorize acts by a third party on their platform? The technology service providers or the online platform operators are commonly known as “ Intermediaries ”. In India, these technology service providers or Intermediaries are governed by the provisions of Information Technology Act, 2000 (“ IT Act ”) along with Information Technology (Intermediaries Guidelines) Rules, 2011 (“ Intermediary Rules ”)

Nidhi Companies in India

This article enumerates the brief transaction procedure involved in the establishment of a Nidhi Company and the laws relating to Nidhi Company in force in India. It shall be noted that the activities described hereunder covers various relevant legislations, regulations and rules, for the time being in force in India and the legal entity has to obtain approval/register itself with Ministry of Corporate Affairs (“ MCA ”). Preface In the Indian financial sector, Nidhi Company refers to any mutual benefit society notified by the MCA. They are created mainly for cultivating the habit of thrift and savings amongst its members. The amount of business conducted by Nidhi Companies is not as big as commercial banks or deposit taking Non-Banking Finance Companies. Nidhi Companies are highly localized and mostly single office institutions. They are also referred to as mutual benefit societies, because they accept deposits and give loans to only their own members; and membership is limited