The Data Protection Bill, 2021 (“Bill”) was introduced in the Lok Sabha by the Minister of Electronics and Information Technology in December 2019 and was tabled before the Joint Parliamentary Committee. The Bill seeks to provide for the protection of the personal data of individuals. It governs the processing of personal data pertaining to characteristics, traits or attributes of identity that can be used to identify an individual. The Bill provides that processing of data will be subject to certain purpose, collection and storage limitations, and further sets out several measures and steps that technology companies will have to take to ensure the protection of users' personal data. The following are a few of the compliance requirements that technology companies would have to incorporate in terms of the Bill as well as the report submitted by the Joint Parliamentary Committee.
Processing and Retention of personal data
a. Protection of data of the employee:
The Bill provides greater protection to employees and their personal data that is processed by their employer. The Bill creates an additional safeguard, requiring the employer to show that the processing is not only necessary but can also be reasonably expected by the data principal/employee.
b. Consideration before processing personal data for other reasonable purposes:
Non-consent-based processing of a data principal's personal data for other reasonable purposes may proceed only after due consideration has been given to the following factors, which include but are not limited to: (i) the legitimate interest of the data fiduciary in processing for that purpose; (ii) whether it is practicable for the data fiduciary to obtain the consent of the data principal; and (iii) the degree of any adverse effect of the processing activity on the rights of the data principal.
Transparency and accountability measures:
The Bill recommends that data fiduciaries, in the interest of transparency, (i) provide information in relation to ensuring the fairness of the algorithm or method used for processing personal data and (ii) submit their privacy-by-design policy to be certified by the Data Protection Authority, as envisaged under the Act.
Disclosure of data quality
The data fiduciary must notify the individual or entity, including another data fiduciary or a data processor, to whom personal data has been disclosed if the data so disclosed is incomplete, inaccurate, misleading or not updated.
*A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
Storage of data
The Bill recommends that sensitive and critical personal data be stored within India and be transferred outside the country only if certain conditions are satisfied.
Reporting data breaches
Data breaches shall have to be reported “as soon as possible”, but within 72 hours from when the data fiduciary becomes aware of the breach. The information is to be reported to the Data Protection Authority. Further, data fiduciaries are obligated to take urgent measures, and not just appropriate remedial actions, to remedy the data breach and mitigate the harm caused to data principals by such an event.