PART II
This blog post is a continuation of Part I for India’s new Data Protection Law: Simply Put. The first part refers to the concept and Data Fiduciaries. This second part deals with the rights, duties & exemptions of data principal, advisory on processing of children’s data and cross border transfer.
Introduction
Rights and duties of Data Principal[1]
The Act provides that the Data Principal, whose data is being processed, will have the right to obtain information about Processing, seek correction and erasure of Personal Data, nominate another person to exercise rights in the event of death or incapacity, and availability of grievance redressal mechanism.
The Act states that the Data Principals will have certain duties[2] as well. They must not register a false or frivolous complaint, furnish any false particulars, or impersonate another person in specified cases. Violation of duties by the Data Principals will attract a penalty of up to ₹ 10,000.
Indian businesses are already following many of the same data protection rules as businesses in the US and Europe. So, the Act won’t change much for most businesses in real terms. However, it will give Indian Data Principals the same level of protection as their American and European counterparts.
The Act will also require businesses to re-examine their privacy policies and data policies to make sure they are in line with the Act. This will mean extending protection to non-sensitive Personal Data, which was not previously covered by the law.
Now that the Act has officially been passed, Data Principals can expect to start receiving notices from all Data Fiduciaries and Data Processors about the data that is available to them and how it is being processed.
Exemptions
The rights of the Data Principal and obligations of Data Fiduciaries (except data security) will not apply in specified cases. The State is exempt, which excludes privacy requirements for the State. Broadly, the exemptions proposed in the Act includes Processing of Personal Data by the State and its instrumentalities, as notified by Central Government from time to time, in the interests of sovereignty, integrity, security of the State, friendly foreign relations, public order or incitement of related offence.
The exemptions also include Processing of Personal Data for research, archiving or statistical purposes, for startups or other notified categories of Data Fiduciaries, for enforcement of legal rights and claims, for performance of judicial or regulatory functions, for preventing, detecting, investigating, or prosecuting offences or contraventions, for Processing data of non-residents under foreign contract, for approved merger, demerger, etc. and for locating defaulters and their assets.
The companies in the technology and other intellectual property sectors also can now safeguard their trade secrets effectively, preventing instances of “corporate espionage” or unauthorized disclosure of critical or sensitive information. The Act acknowledges that accessing an employee’s Personal Data for such protective purposes is considered as implied consent from the employee and will also act as an exemption under the Act.
The Act also substantially and unreasonably widens the scope of exemptions available to Public Information Officers (“PIO’s”)of the State ministries and departments in rejecting the Right to Information (“RTI”) application stating grounds that the information sought under the said RTI application is on matter which ‘relates to personal information’[3].
Processing of Personal Data of children[4]
The Data Fiduciary before Processing any Personal Data of a child or a person with disability who has a lawful guardian shall obtain verifiable consent of the parent of such child or the lawful guardian.
While Processing the Personal Data of a child, the Data Fiduciary must not undertake:
- Processing that is likely to cause any detrimental effect on the well-being of the child, and
- tracking, behavioral monitoring, or targeted advertising.
Cross – border transfer[5]
The Act represents a subtle yet impactful change in how regulations are applied. It brings India’s data protection laws in consonance with the data protection laws of other countries. It acknowledges that data Processing can occur across the border while still safeguarding the data protection rights of the Indian individuals.
The Act allows the transfer of Personal Data outside India, except to countries restricted and blacklisted by the Central Government through notification.
– Archana Balasubramanian, Partner with Vineet Lathiya, Associate
For Part I, Click Here.
[1] Section 11, 12, 13 and 14 of the Act.
[2] Section 15 of the Act.
[3] Section 44 (3) of the Act.
[4] Section 9 of the Act.
[5] Section 16 of the Act.
COMMERCIAL LAW BLOG 