Personal Data Protection

Every day, we transmit our data to different organizations such as the administration, our employer, commercial companies, etc. This data, called personal data, is any information relating to an identified or identifiable natural person.

This data can allow an individual to be identified directly (example: name, first name) or indirectly (example: by an identifier (customer number), a (telephone) number, a biometric data, etc.)
Once collected, this information is processed by software and/or employees. The processing of personal data is an operation, or set of operations, on personal data, whatever the process used (collection, recording, organization, conservation, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation).
As this information concerns the identity of individuals, it is essential to establish legal standards to protect this data. However, personal information refers only to data concerning a natural person. Legal entities are not affected by this protection.

The holder of a file containing personal data, computer or paper, must, in principle, provide you with the following information:

Public and private bodies such as the government, companies, sole proprietorships or associations engaged in commercial or professional activities incorporated in India, as well as foreign companies processing personal data of individuals in India are covered by the legislation.

Introduced by the Ministry of Electronics and Information Technology, the Personal Data Protection Bill 2019 (PDP Bill 2019) will be in force in India in some time. This bill which covers personal data protection mechanisms aims at improving the Indian data protection legislation and proposes the establishment of a Data Protection Authority of India for this purpose.
As such, this bill aims to ensure the protection of the privacy of individuals with respect to their personal and non-personal data, to clarify the flow and use of personal data, to create a relationship of trust between persons and entities processing personal data, and to protect the fundamental rights of persons whose personal data is processed.

Pending the enactment of the Personal Data Protection Act (PDP 2019), there are two main pieces of legislation that apply in this regard. These are the Information Technology Act 2000 (“the IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“the DIPS Rules”). Indeed, most businesses, regardless of their industry, are more affected by the Computer Law and the DIPS Rules.

For example, the Computer Law provides that legal entities that handle so-called sensitive personal data or information are liable for damages for any loss caused by their failure to implement and maintain reasonable security practices and procedures.

In order to improve data protection legislation, the PDP Bill proposes a broader application of data protection, applying to both manual and electronic records, as well as to non-personal data. However, not all personal data that is freely available or accessible in the public domain or provided under the Right to Information Act 2005 or any other applicable law is to be considered “sensitive personal data or information” (“SPDI”). In addition, DIPS may be disclosed to mandated government authorities for the purpose of obtaining information for identity verification or prevention, detection, investigation without obtaining the consent of the “information provider”.

The PDP Bill requires that a data trustee only process personal data if it has a valid reason to do so. The most important aspect is to obtain the consent of the data controller. Section 11 of the Bill requires the data trustee to ensure that it obtains the “express” consent of the data principal before or at the time of collecting personal information.

According to the bill, for consent to be considered valid, it must be:

1. Free and informed i.e. not induced by fraud, misrepresentation, coercion, undue influence or mistake.

2. Informed: the data controller must be provided with the information listed in Article 7 of the bill, i.e. information on the purposes for which the data will be used, the types of data collected, information on how to withdraw consent, with whom the data will be shared, etc. This information must be provided in a clear and concise manner, reasonably understandable, and in multiple languages if necessary.

3. Specific and clear: the consent given must relate specifically to the purpose of the processing envisaged by the trustee. The consent clause should not be overly broad or ambiguous or encompass unrelated purposes.

4. Withdrawal must be possible: This means ensuring that withdrawal of consent is possible and under the same conditions as obtaining consent.

Finally, the bill introduced the concept of a “consent manager“, which is a data trustee responsible for facilitating the data controller’s management of the consents collected, via an interoperable platform. Withdrawal of consent can also take place via the consent manager.

Any violation of the Data Protection Act and the “DIPS” rules may result in civil liability as well as criminal liability. It is also possible to be subject to administrative fines.

Section 72A of the IT Act provides for a fine of up to Rs. 200,000 for disclosing personal information in violation of a legal contract or without consent. The 2019 Bill also provides for revenue-related penalties for businesses that can range from 2% to 4% depending on the type of violation.

With respect to criminal liability, Section 72A of the IT Act provides for imprisonment of up to three years for disclosing personal information in breach of a legal contract or without consent.
Finally, Section 43A of the Computer Law provides that legal persons possessing, processing or handling sensitive personal data or information in a computer resource owned, controlled or operated by them would be liable to pay damages as compensation to the affected individuals in the event of negligence in implementing and maintaining reasonable security practices and procedures to protect sensitive personal data or information.

The PDP Bill also proposes that data controllers who have suffered harm as a result of a breach of the requirements of the PDP Bill may seek compensation from the data trustee or data processor.

Any organization’s compliance depends on its control of its computer applications and systems, in which they collect and process data.

Corporate espionage is a reality that no data manager can ignore. The consequences can be serious, such as leading the company to bankruptcy or legal proceedings. Secure storage of digital data is therefore a critical element for business survival.

To avoid this, there are several things to do. First of all, you need to be able to clearly identify your company’s data protection risks, in order to correctly target the actions to be taken to avoid these risks. For example, if the company records data from a website or software, the risk is of hacking, so the computer files must be protected against unauthorized access.

It is then necessary to set up an ultra-secure storage system. You should not hesitate to put the financial means for this. Otherwise, the company could be stolen, have its data destroyed or modified. Finally, it is advisable to regularly change the access codes and to regularly update the adapted software.

Cross-border flows of sensitive personal data or information may be permitted to any other legal entity or person located in India or any other country if the same levels of data protection as in India are met. However, this is only possible if such transfer is necessary for the performance of a legal contract or if such transfer has been consented to by the information provider.
There are no reservations regarding transborder data flows of information that is not sensitive personal data or information.

The PDP Bill proposes a new regime for the transborder transfer of personal data. There would be separate requirements for sensitive personal data and critical personal data. Sensitive personal data can only be transferred outside India with the express consent of the individual and in accordance with standard contractual clauses or intra-group programs approved by the Authority. Critical personal data may only be transferred to a person or entity providing emergency health services if such transfer is necessary for prompt action. Central government would define what constitutes critical personal data.