PDPA (Personal Data Protection Act) India – Questions and Answers
Thursday, June 11, 2020
We’re getting lots of queries about PDPA (Personal Data Protection Act) India, and it seems that individuals and companies need more clarification on it. That’s why we’ve put together this PDPA FAQ: a list of frequently asked questions about the bill and our responses to them.
If you’re not sure what PDPA really is, please go to our first post, All about Personal Data Protection Bill (PDP) – 2019, India.
PDPA full form / What PDPA stands for?
Full form of PDPA is Personal Data Protection Act.
What PDPB stands for?
PDPB stands for Personal Data Protection Bill.
What PDPA means / PDPA Meaning?
The Personal Data Protection Act or PDPA is an Act (yet to be implemented as of June 2020) in Indian law on data protection and privacy of Indian citizens, applicable to all companies that deal with Indian citizens’ data, regardless of the data storage location or the processing company’s country of origin. It protects the privacy of Indian citizens all over the world and makes sure that the privacy of Indian citizens’ personally identifiable information (PII) is not compromised. It aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation.
PDPA which act of parliament?
The Personal Data Protection Act is yet to be implemented as of June 2020.
In July 2017, the Ministry of Electronics and Information Technology set up a committee to study issues related to data protection. The committee was chaired by retired Supreme Court judge Justice B. N. Srikrishna. The committee submitted the draft Personal Data Protection Bill, 2018 in July 2018. After further deliberations, the Bill was approved by the cabinet ministry of India on 4 December 2019 as the Personal Data Protection Bill 2019 and tabled in the Lok Sabha (Bill No. 373) by the Minister of Electronics and Information Technology on 11 December 2019. As of June 2020, the Bill is being analysed by a Joint Parliamentary Committee (JPC) in consultation with various groups.
PDPA when did it start?
The first draft of the bill was prepared in July 2018 and the revised bill was presented in Dec 2019. As of June 2020, the Bill is being analysed by a Joint Parliamentary Committee (JPC) in consultation with various groups, and the Act is yet to be implemented.
PDPA where to start?
You can use our primary PDPA article as the starting point for your PDPA journey. It gives a brief insight into the Personal Data Protection Bill 2019 and covers its key highlights, definitions, principles, impacts and penalties in detail.
You can find the remaining details here on this PDPA Q&A page, which answers most PDPA queries and should clear up most of your PDP doubts.
In case you want to dive deeper, you can download the PDPB 2019 pdf from here.
Why PDPA was Introduced?
At the moment, data is probably the most valuable resource, and everyone is intent on collecting and processing it for meaningful business gain. How much data a company collects from you (via cookies, web forms, third-party sharing etc.) and how it processes or sells that data is completely hidden. Such data collection and processing should be regulated in order to prevent even the slightest possibility of abuse and misuse of personal information by any means, intentional or unintentional. Users should know their rights and companies should know their responsibilities.
So the Minister of Electronics and Information Technology, India, took the initiative and introduced the data privacy bills, PDP 2018 and 2019 (revised), which protect the rights of end users (data subjects) regarding the handling of their personal data (Personally Identifiable Information – PII) by other organizations and professionals. Though PDPA is yet to be implemented, once implemented it will be a major reform in the IT industry of India. It will change the way businesses operate in India. Currently, millions of phone calls are made daily and mails are sent without taking consent from clients. Once PDPA comes into effect, only legitimate marketing calls will be made and genuine mails will be sent, after taking proper consent from end users. No random buying and selling of data will occur, and the personal information of any user will not be used for business gain without advance consent from the end client.
PDPA – Who does it apply to?
Any organisation which processes and holds the personal data of Indian citizens is obliged to abide by the laws set out by PDPA (as per the current PDP Bill 2019). This applies to every organisation, regardless of whether or not it resides in one of the Indian states. Any company (irrespective of its country of origin or current working location) that deals with Indian citizens’ data in any form (collecting, storing, processing, sharing etc.) will have to abide by the PDPA.
What is Personally Identifiable Information (PII)?
Personal data, also termed Personal Information or personally identifiable information, is any information relating to an identifiable person or identity. Such information may include, but is not limited to, a person’s name, gender, address, genetic privacy, sex life, caste, SSN or UID number, bank details, financial details, mobile number, biometric information, and religious or political belief or affiliation.
What is Personal data protection?
Personal Data Protection means protecting people’s right to information privacy. It is about giving the Data Subject or Data Principal (the person whose details are being used) ownership over how their data is collected, requiring opt-in consent from them before it is shared further, and giving them the right to have their data deleted whenever they want.
PDPA is about giving the following rights to the Data Subject or Data Principal:
- Right to confirmation and access
- Right to correction and erasure
- Right to data portability
- Right to be forgotten
Why is Personal Data protection Important?
For an individual, personal details (also known as Personally Identifiable Information – PII) such as name, bank account number, passwords, sexual interest information, biometric details and relationships are confidential data, and the individual needs privacy around them. On the other hand, companies are using such details for their business gains and expansions.
For example, WhatsApp is selling data or sharing it with partners/sister companies (like Facebook) for business gains and expansions. Such vendors and partners use people’s personal information, like their mobile numbers, age, e-mail IDs and interests, to send them specific marketing mails or messages.
From collection to deletion (including processing, usage and sharing), data should be regulated in order to prevent even the slightest possibility of abuse and misuse of personal information by any means, intentional or unintentional. Users should know their rights and companies should know their responsibilities.
What is Personal Data Protection Bill
Personal Data Protection Bills are the draft versions of the Personal Data Protection Act, drafted and presented in the Indian Parliament for approval so that they can be implemented in Indian legislation as an Act/Law.
What is Personal Data Protection Act (PDPA)
The Personal Data Protection Act or PDPA will be a legitimate Act (yet to be implemented as of June 2020) in Indian law on data protection and privacy of Indian citizens, applicable to all companies that deal with Indian citizens’ data, regardless of the data storage location or the processing company’s country of origin.
What is Personal Data Protection Bill 2018?
The Personal Data Protection Bill 2018 (PDPB 2018) is the first Indian bill which aims at regulating the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Data collection and processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits. It was the first draft for Indian citizens’ data privacy, prepared by a committee chaired by retired Supreme Court judge Justice B. N. Srikrishna. The committee submitted the draft Personal Data Protection Bill, 2018 in July 2018. Later on, some amendments were made to this bill and a new bill, PDPB 2019, was submitted in the Lok Sabha, the lower house of parliament, on December 11, 2019.
In case you want to have a look at the draft version of the PDPB 2018 bill, it can be seen here.
What is Personal Data Protection Bill 2019?
Personal Data Protection Bill 2019 is a bill (No 373) that aims to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, create a framework for organisational and technical measures in processing of data, lay down norms for social media intermediaries, cross-border transfer, accountability of entities processing personal data and remedies for unauthorised and harmful processing, and establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.
The Personal Data Protection Bill 2019 was approved by the cabinet ministry of India on 4 December 2019 and tabled in the Lok Sabha by the Minister of Electronics and Information Technology (MEIT) India on 11 December 2019. As of June 2020, the Bill is being analysed by a Joint Parliamentary Committee (JPC) in consultation with various groups.
In case you want to dive deeper into the bill, you can download the PDPB 2019 pdf from here.
PDPA rights to be forgotten
The data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary (data processor). The right to erasure is also known as ‘the right to be forgotten’ and vice-versa.
The data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary where such disclosure—
- has served the purpose for which it was collected or is no longer necessary for the purpose;
- was made with the consent of the data principal and such consent has since been withdrawn; or
- was made contrary to the provisions of this Act or any other law for the time being in force.
Why Criticism on Personal Data Protection Bill 2019?
The revised Bill, Personal Data Protection Bill 2019, is criticized by many people, including Justice B. N. Srikrishna, the drafter of the original Bill, because of clause 35: “Power of Central Government to exempt any agency of Government from application of Act.”
According to such commentators, clause 35 has dangerous implications: the government can at any time access private data or government agency data on grounds of sovereignty or public order.
What is PDPA compliance?
The Indian Personal Data Protection Act will fundamentally transform how businesses handle the personal data of Indian citizens. Any company that does not follow these new norms will face severe fines, potentially up to 15 crores or 4% of annual global revenue, depending on the severity and circumstances of the violation. So every company which deals with Indian citizens’ personal data will have to follow the guidelines of PDPA as per the regulations defined by Indian legislation.
How to become PDPA compliant?
Make sure to follow all the rules and guidelines of PDPA (like opt-in consent, providing opt-out options, notice to subjects, and security and privacy guidelines) to become PDPA compliant.
Some of the rules which a company (data fiduciary) must follow to remain compliant are:
- Purpose Limitation: Only use or disclose personal data for the purposes defined.
- Notification: Inform the individuals on the purposes for collection, use and disclosure of their personal data during collection.
- Consent: Ensure that consent has been obtained from the individuals before collecting, using or disclosing the personal data. Consent must be free, informed, specific, clear and capable of being withdrawn.
- Access and Correction: Upon request, provide the personal data of the individual and information on how the individual’s personal data has been used or disclosed in the past year. Correct an individual’s personal data upon request.
- Accuracy: Ensure that personal data is accurate and complete during collection or when making a decision which will affect the individual.
- Protection: Keep personal data in your possession secure from unauthorised access, modification, disclosure, use, copying, whether in hardcopy or electronic form.
- Retention Limitation: Retain personal data only for business/legal purposes and securely destroy personal data when no longer needed.
- Transfer Limitation: Ensure overseas external organisations provide a standard of protection comparable to the protection under the Singapore PDPA
- Evidence Keeping: The burden of proof that the consent has been given by the data principal for processing of the personal data under this section shall be on the data fiduciary.
- Transparency: Every data fiduciary shall take necessary steps to maintain transparency in processing personal data.
Non-compliance may attract severe fines, potentially up to INR 15 Crores or 4% of annual global revenue, depending on the severity and circumstances of the violation.
How much are PDPA fines and penalties?
PDPA will also incorporate multiple stringent penalty clauses for the effectiveness of the law (the PDP Bill has such clauses). Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual worldwide turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual worldwide turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
How PDPA will affect companies?
PDPA will set a high standard for consent, which will have a huge impact on organizations. Customers will need to be given choice and control over how their data is handled. To comply, you’ll need to know how PDPA defines personal data, where it’s located in your business, how it’s used, who can access it, where it is shared and much more. Companies will have to be very careful about how data is collected, how consent is sought and managed, and how data is securely processed inside the company. Any company that deals with Indian people’s personal data or PII will have to be PDPA compliant and follow the regulation guidelines.
Sales teams will also need to be very careful before calling clients or sending mail, as they need to have proper consent from the client before reaching out with such marketing calls.
Companies will not be able to sell or share a client’s personal data or personally identifiable information (PII) without taking the Data Subject’s consent. They have to follow PDPA compliance rules before collecting, sharing and deleting the Data Principal/Subject’s personal or sensitive data.
Considering the stringent compliance requirements and policies, most global firms will face challenges in terms of increased compliance costs and restrictions.
Personal data protection bill 2018 pdf
The PDPA 2018 Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits. It was the first draft for Indian citizens’ data privacy, prepared by a committee chaired by retired Supreme Court judge Justice B. N. Srikrishna. The committee submitted the draft Personal Data Protection Bill, 2018 in July 2018.
The PDPA 2018 pdf can be downloaded from here.
Personal data protection bill 2019 pdf
The Personal Data Protection Bill (PDPB) 2019 was approved by the cabinet ministry of India in Dec 2019 and tabled in the Lok Sabha on 11 December 2019. As of June 2020, the Bill is being analysed by a Joint Parliamentary Committee (JPC) and, once approved, it’ll be rolled out as a Legislation Act.
The PDPB 2019 pdf currently under discussion can be downloaded from here.
This Website/document does not constitute any professional advice. The information in this document has been obtained or derived from different sources believed by dataprivacyacts.com to be reliable but dataprivacyacts.com does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of Dataprivacyacts.com at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. Dataprivacyacts.com neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.