Personal Data Protection Bill 2019: A Rupees 15 Crores Penalty Gamble
- Alok Tiwari

- Apr 13, 2020
- 4 min read
With the Personal Data Protection Bill, 2019 quickly edging towards becoming a law, many industries are gearing up to embrace its far-reaching ramifications.
Whether a seasoned corporate or a new age digital start-up, the Bill leaves no scope for an entity or individual to escape accountability when it comes to receiving, retaining and processing third party information and personal data.
The Bill not only provides watertight regulations for processing of sensitive and personal data by an entity but also ensures that the entity finds it impossible to take the regulations lightly.
According to the Personal Data Protection Bill, 2019, a company, juristic entity or individual that may be categorized as a data fiduciary may be penalized up to Rupees Fifteen Crores or four per cent of its total worldwide turnover, whichever is higher, if found in breach of the provisions of the Bill.
Needless to say, for some companies this Fifteen Crores may as well be Fifteen Hundred Crores or more.
What is a data fiduciary?
According to the Personal Data Protection Bill, 2019, "data fiduciary" means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
The Bill defines "personal data" as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline.
What is the data fiduciary accountable for?
The Bill provides that a data fiduciary is responsible for complying with the provisions in respect of any processing undertaken by it or on its behalf.
Among others, the Bill provides that a data fiduciary can process personal data for a specific, clear and lawful purpose, in a fair and reasonable manner that ensures the privacy of the person to whom the data belongs.
The Bill also states that any personal data can only be used or processed either for the purpose consented to by the owner of such data or for a purpose incidental to or connected with it. To illustrate, data collected by a company for a promotional lottery draw cannot be used by the company to tele-market its product, unless the owner of such data explicitly consented to that use at the time of providing the data.
There can be several such illustrations of data manipulation by companies or individuals that are now specifically disallowed under the Personal Data Protection Bill.
In what manner can information be collected by a data fiduciary?
According to the Bill, every data fiduciary is obligated to give a notice to the owner of the data, at the time of collection of the personal data, specifying, amongst others, the following details:
(a) the purposes for which the personal data is to be processed;
(b) the nature and categories of personal data being collected;
(c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;
(d) the right of the data principal to withdraw his consent and the procedure for such withdrawal;
(e) the basis for such processing, and the consequences of the failure to provide such personal data;
(f) the source of such collection, if the personal data is not collected from the data principal;
(g) the individuals or entities, including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;
(h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, among other details.
The Bill also states that the data fiduciary is obligated to undertake periodic reviews to determine whether it is necessary to retain the personal data in its possession, and to delete any data that it is not authorized to retain or possess beyond what the owner of such data has consented to.
Additionally, the burden of proving that the owner of the data has given consent for the processing of the personal data also rests on the data fiduciary.
Clearly, the role of the data fiduciary carries the heaviest burden under the Personal Data Protection Bill, 2019, and the data fiduciary has the most to lose if this burden is not discharged appropriately.
What happens in the event of breach of any provision by the Data Fiduciary?
The Bill specifically provides that where a data fiduciary contravenes any of the provisions related to processing of personal data, it shall be liable to a penalty which may extend to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
What tangible steps can an entity take to ensure compliance with the Personal Data Protection Bill?
The first step to ensuring complete compliance with the Data Protection Law is to carefully identify the points or spaces in your business where information is received from, or volunteered by, a person or third party.
Apart from any offline forms for collection of data, a website or blog, Google Forms, online subscription scheme forms etc. are all crucial means through which personal data may be received or shared. It is important to identify such areas and means of collecting personal data and to prepare a thorough form notifying the purpose of collecting personal data through such means.
Setting up a specific mechanism to ensure compliance with the Data Protection Laws, and a periodic review of this mechanism, is another step towards ensuring that an entity is never in breach of the law and not liable to the extortionate penalty thereunder.
Lastly, consulting a trusted legal professional from time to time is imperative for a thorough risk assessment and maximum protection.
©Dakshayani Saxena