
THE PERSONAL DATA PROTECTION BILL, 2019 – AN OVERVIEW

The Personal Data Protection Bill, 2019 (“PDPB”) is a draft law that was introduced before the Parliament of India in December 2019. The PDPB is a revised version of the 2018 draft of a proposed data protection law. It sets forth principles of data processing and recognises the rights of data principals. It also prescribes transparency and accountability measures for entities processing personal data and establishes a central authority to enforce the provisions of the proposed law and to provide guidance and instructions. This note aims to provide easy-to-read and digestible guidance on the key provisions of the PDPB.

Please note that a list of particular definitions and of the key players in the data protection regime is set out in the Annexure to this note.

SCOPE PDPB

1. APPLICABILITY

Territorial Applicability: The PDPB applies to the processing of personal data:
• that is collected, disclosed, shared, or otherwise processed within India;
• by the State, a citizen, or any entity, person, or body of persons that is incorporated or created under Indian law.

Extra-Territorial Applicability: The PDPB applies to the processing of personal data by data fiduciaries or data processors not present within India, if the processing:
• is in connection with any business carried out in India, or any systematic activity of offering goods or services to data principals within India;
• is in connection with any activity which involves the profiling of data principals in India.

EXCEPTIONS TO APPLICABILITY

Anonymised Data:
• The PDPB does not apply to anonymised data, except where the Government directs any data fiduciary or data processor to provide such anonymised data to enable better targeting of delivery of services or formulation of evidence-based policies by the Government.
• Anonymisation will have to meet the standards of irreversibility prescribed by the DPA.
• The DPA has the right to specify codes of practice, which will include methods of anonymisation, to promote good practices of data protection.

Processing of Personal Data of Data Principals Outside India: The PDPB allows the Government to exempt the processing of personal data of data principals outside India by data processors (or a class of data processors) incorporated in India who process such data pursuant to a contract with a person outside India.

Government Agencies: The Government is allowed to exempt government agencies from the applicability of the PDPB.

Manual Processing by Small Entities: Manual processing by small entities – i.e., entities which fall within a particular category classified by the DPA – is allowed limited exemptions under the PDPB.

Contravention of Law, Legal and Judicial Proceedings, Personal or Domestic Use, and Journalistic Purposes: Certain provisions of the PDPB will not apply to the processing of personal data if the processing is:
• in the interests of the prevention, detection, investigation, and prosecution of any offence or any contravention of any law;
• necessary for enforcing any legal rights or related claims, seeking relief, defending charges, opposing claims, or obtaining legal counsel in impending legal proceedings;
• by any court or tribunal for the exercise of judicial functions;
• by a natural person for personal or domestic purposes, except where the processing involves disclosure to the public, or is undertaken in connection with any professional or commercial activity; or
• for journalistic purposes by any person, and is in compliance with any code of ethics issued by the Press Council of India or any media self-regulatory organisation.

Data Fiduciaries Included in Sandbox: The DPA may include interested data fiduciaries who fulfil certain conditions in a sandbox created by the DPA for encouraging innovation in AI, machine learning, or other emerging technology, and exempt them from specific provisions of the PDPB.

2. OBLIGATIONS OF A DATA FIDUCIARY

Purpose Limitation: Personal data may only be processed for a specific, clear, and lawful purpose and in a fair and reasonable manner that ensures the privacy of data principals. Personal data can be collected only to the extent necessary for the purposes of processing.

Privacy Notice: Data fiduciaries are required to provide data principals with a notice that details specific information – including the purposes of processing, the nature and categories of personal data being collected, the basis of processing, etc. – at the time of collection of personal data, and, if the personal data is not collected from the data principal, as soon as reasonably practicable.

Quality of Personal Data: Data fiduciaries must take necessary steps to ensure that the personal data processed is complete, accurate, not misleading, and updated.

Retention: Personal data may be retained only for the period necessary for the purpose for which it was processed, unless the data principal has expressly consented to the contrary, or if retention is necessary to comply with any law in force.

Accountability: Data fiduciaries are responsible for compliance with the PDPB with respect to any processing undertaken by them or on their behalf.

3. GROUNDS FOR PROCESSING

WITH CONSENT

• Personal data can only be processed on the basis of the data principal providing free, informed, specific, and clear consent at the commencement of processing.
• Consent may be withdrawn by data principals.
• The burden of proving that the consent of a data principal has been sought vests with the data fiduciary.
• Data fiduciaries can only process personal data for purposes that are consented to by the data principal, or for purposes which are incidental to or connected with such purpose and which the data principal would reasonably expect in regard to the purpose, and in the context and circumstances in which the personal data was collected.

WITHOUT CONSENT

Specific Purposes: Personal data may be processed without the consent of data principals in the following cases:
• For the performance of certain State functions.
• For compliance with orders or judgments of courts or tribunals in India.
• To respond to medical emergencies involving a threat to life or a threat to the health of a data principal or any other individual.
• To undertake measures to provide medical treatment or health services during epidemics, outbreaks of diseases, or other threats to public health.
• To provide safety measures, assistance, or services to any individual during a disaster or breakdown of public order.

Employment: Personal data may be processed without consent for employment-related purposes, including recruitment, assessments, verifications, etc.

Reasonable Purposes: The DPA may specify certain purposes for which personal data may be processed without consent.

4. DATA PROCESSING IN RELATION TO CHILDREN

Verification:
• Processing the personal data of a child (i.e., someone below the age of 18 years) must be done in a manner that protects and advances the best interests of the child.
• A data fiduciary must, before processing the personal data of a child, verify the age of the child and obtain his/her parent’s or guardian’s consent in a prescribed manner.
• Data fiduciaries exclusively offering counselling or child protection services to children are exempted from seeking the consent of the child’s parent or guardian.

Prohibition on Certain Types of Processing With Respect to Children:
• The DPA may notify data fiduciaries who process large volumes of personal data of children or operate commercial websites or online services directed at children as “guardian data fiduciaries”.
• Guardian data fiduciaries are prohibited from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at, or any other processing that is harmful to, children.

5. RIGHTS OF DATA PRINCIPALS

Right of Confirmation and Access to Information Collected:
• The PDPB recognises the right of the data principal to seek confirmation on whether the data fiduciary is processing or has processed personal data of such data principal.
• A data principal has the right to:
o access all personal data being processed or a summary of such data; and
o access the identities of the data fiduciaries with whom personal data has been shared by any data fiduciary, together with the categories of personal data shared.

Right to Correction and Erasure:
• The PDPB grants the data principal the right to:
o correct inaccurate or misleading personal data;
o complete and update personal data; and
o seek the erasure of personal data if the purpose of collection is satisfied.
• The data fiduciary is obligated to notify any correction, completion, updating, or erasure of any personal data to all entities to which it has disclosed such data.

Right to be Forgotten:
• A data principal has the right to apply to the DPA to restrict or prevent the disclosure of personal data by a data fiduciary if the data:
o has served its purpose;
o is not permitted to be processed due to withdrawal of consent; or
o is processed contrary to any applicable law.
• The DPA may grant the request to be forgotten on the following grounds:
o the sensitivity of the personal data;
o the scale of disclosure and the degree of restriction sought;
o the data principal’s role in public life;
o the relevance of such personal data to the public; and
o the nature of disclosure and its impact on the activities of the data fiduciary.

Right to Data Portability: Data principals have the right to receive data in a structured, commonly-used, and machine-readable format if the processing has been undertaken through automated means.

Grievance Redressal: Grievances may be raised with the DPO (in the case of a significant data fiduciary) or a designated officer (in the case of other data fiduciaries). Appeals may be made to an adjudicating officer appointed by the adjudication wing of the DPA, and further appeals may be made to an appellate tribunal that is set up under the PDPB.

6. TRANSPARENCY AND ACCOUNTABILITY

Privacy by Design: Every data fiduciary is required to prepare a privacy by design policy. The DPA has the power to approve and certify such policies.

Transparency: Data fiduciaries will be required to make their transparency processes – along with other specific information – available to the public.

Security Safeguards: The PDPB requires all data fiduciaries and data processors to implement security standards and practices, which include de-identification and encryption and the ability to protect the integrity of personal data and to prevent its misuse, unauthorised access, modification, disclosure or destruction. A review of such safeguards should also be undertaken periodically.

De-Identification:
• De-identification is a process by which a data fiduciary or data processor removes or masks identifiers from personal data, or replaces identifiers with other fictitious names or codes that are unique to an individual but do not, on their own, directly identify a data principal.
• De-identification is a mandatory security safeguard that has to be implemented by data fiduciaries and data processors.
• The DPA will specify codes of practice to promote good practices of data protection, which will include methods of de-identification.

Notification of Breach:
• The PDPB mandates every data fiduciary to report any breach of personal data processed by it to the DPA if such breach is likely to harm any data principal.
• The DPA will have the authority to prescribe a time period within which notice of a breach must be given.
• The DPA shall also have the right to determine whether the occurrence of such breach should be notified to data principals.

Data Protection Officer: The PDPB requires all significant data fiduciaries to appoint a Data Protection Officer (“DPO”).

Data Protection Impact Assessments: All significant data fiduciaries are required to undertake data protection impact assessments if they intend to undertake any processing involving new technologies, large-scale profiling or use of sensitive personal data, or other processing that carries a significant risk of harm to data principals.

Data Audits: All significant data fiduciaries are required to undertake data audits that are to be conducted by independent data auditors.

Compliance Certification Mechanisms: The PDPB contemplates a ‘data trust score’ which is assigned by a data auditor to a significant data fiduciary on the completion of a data audit. The criteria for determining this data trust score are specified by the DPA, and a database of such scores is to be maintained by the DPA.

7. GEOGRAPHICAL RESTRICTIONS

Cross-Border Data Transfer:
• Sensitive personal data may only be transferred outside India with the explicit consent of the data principal along with:
o a contract or an intra-group scheme approved by the DPA on the basis of effective protection of the data principal’s rights and the liability of the data fiduciary;
o a transfer to a country or organisation that is approved by the Government based on the adequacy of protection in such country or organisation and the degree of enforcement of legal obligations; or
o an approval by the DPA for a specific purpose.
• Critical personal data may only be transferred outside India if such transfer is to a:
o person or entity engaged in health or emergency services or purposes; or
o country or an entity approved by the Government with respect to the security and strategic interest of the State.

Data Localisation:
• A copy of all sensitive personal data must be stored in India.
• Critical personal data may only be processed in India.
• Financial data is required to be stored in India in its entirety in accordance with the Reserve Bank of India’s requirements, although this requirement is not specifically addressed in the PDPB.

8. PENALTIES

The PDPB prescribes varying penalties for contraventions of the PDPB:

• The maximum penalty – the higher of INR 150,000,000 or 4% of the data fiduciary’s total worldwide turnover of the preceding financial year – that may be imposed on a data fiduciary arises out of a failure to comply with its obligations as a data fiduciary, a violation of the provisions that specifically address processing data with consent, a failure to comply with security safeguards, a failure to process the personal data of children in accordance with the PDPB, or a failure to comply with the cross-border transfer restrictions.
• Separately, failures by a data fiduciary to take prompt action on the occurrence of a data security incident, register itself as a significant data fiduciary, undertake a data protection impact assessment, conduct a data audit, or appoint a DPO may attract a penalty that extends to the higher of INR 50,000,000 or 2% of the data fiduciary’s worldwide turnover in the preceding financial year.

Annexure

ACTORS PDPB

Regulatory Authority: Data Protection Authority (“DPA”), established by the Government.

Data Fiduciary: A person, including the State, a company, any juristic entity, or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

Data Processor: A person, including the State, a company, any juristic entity, or any individual who processes personal data on behalf of a data fiduciary.

Data Principal: A natural person to whom the personal data relates.

Significant Data Fiduciary: The DPA may classify a data fiduciary or a class of data fiduciaries as “significant data fiduciaries”, who will be required to register themselves with the DPA. Such classifications depend on factors that include the volume of personal data processed, the sensitivity of the data, the risk of harm to the data principal, and the use of new technologies in connection with the processing.

Social Media Intermediary:
• The PDPB introduces a category of data fiduciaries called “social media intermediaries”. These are intermediaries who primarily or solely enable online interactions between two or more users and allow them to create, upload, share, disseminate, modify, or access information using their services.
• The Government, in consultation with the DPA, may classify social media intermediaries with users above specific thresholds, or whose actions have a significant impact on electoral democracy, security, public order, or the sovereignty and integrity of India, as significant data fiduciaries.

DEFINITIONS PDPB

Personal Data: Personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

Sensitive Personal Data:
• Sensitive personal data is defined as personal data which may reveal, be related to, or constitute:
o financial data;
o health data;
o official identifiers;
o sex life;
o sexual orientation;
o biometric data;
o genetic data;
o transgender status;
o intersex status;
o caste or tribe;
o religious or political belief or affiliation; or
o any other category notified by the Government.
• The Government may classify certain additional categories of data as “sensitive personal data” taking into account the risk of significant harm caused by the processing of such data, the expectations of confidentiality attached to such data, the possibility of a significant and discernible class of data principals suffering significant harm from the processing of such data, and the adequacy of protection of the ordinary provisions of the PDPB applicable to personal data.

Critical Personal Data: The Government may notify particular categories of personal data as “critical personal data”, which may only be processed within India.

Processing: Processing, in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction.

For any queries, please reach out to our team:

Mathew Chacko (mathew@spiceroutelegal.com)
Ankita Hariramani (ankita.hariramani@spiceroutelegal.com)
Renuka Abraham (renuka.abraham@spiceroutelegal.com)
Aadya Misra (aadya.misra@spiceroutelegal.com)
Aishwarya Prasad (aishwarya.prasad@spiceroutelegal.com)
Aishwarya Todalbagi (aishwarya.todalbagi@spiceroutelegal.com)
Kavya Pankaj (kavya.pankaj@spiceroutelegal.com)
Saurabh Roy (saurabh.roy@spiceroutelegal.com)
Priyanka Chaudhuri (priyanka.chaudhuri@spiceroutelegal.com)
Purushotham Kittane (purushotham.k@spiceroutelegal.com)
Samvid Shetty (samvid.shetty@spiceroutelegal.com)
