DATA

PROTECTION
LAW IN INDIA-
POST PDPB 2019
WITHDRAWAL
A STATUS REPORT

BY

NAAVI
  A Bill titled Personal Data Protection Bill 2019 (PDPB 2019) had
been presented in the Parliament in December 2019 as a law for
providing Privacy and Data Protection in India.

WHY THIS
 Bill had been vetted by a Joint Parliamentary Committee and was
expected to be passed soon into a law.

REPORT  On August 3, 2022, the Government of India withdrew PDPB 2019

creating an uncertainty in the industry.
 This report has been prepared to provide some clarity to the
developing regulatory situation and to assist the industry players to
take necessary policy decisions for the immediate future
  On 24th August 2017 Supreme Court of India held in its Judgement that
Privacy is a fundamental right under the Indian constitution under Article 21.
 A few days earlier on 31st July 2017, Government had constituted an expert
committee under the Chairmanship of Justice B N Srikrishna to suggest a
legal framework for Privacy Protection.
 The recommendations of the committee was first presented in December

JOURNEY 2018 and later evolved as PDPB 2019, examined in detail by the Joint
Parliamentary committee which presented a revised version of the Bill in

SO FAR December 2021.

 The Bill was expected to be passed into law but has now been withdrawn
with a statement that a revised Bill will be presented shortly.
 The revised Bill is said to be in an advanced stage of drafting and may
simultaneously address amendment to Information Technology Act, 2000
(ITA 2000) also.
  The exact nature of the final version of the Bill and the time
line of its presentation by the Government in the Parliament
DISCLAIME and being passed as a legislation is unknown.
R  This report is prepared by an Expert in good faith based on
the available information and discounting the many false
reports planted in the media by vested interests.
THERE IS
 Information Technology Act 2000 (ITA 2000) effective from 17 th October 2000
addresses all issues of misuse of data including personal and non personal data.

NO  Amendment of ITA 2000 from October 27, 2009, ITA 2000 address protection of
Personal and Sensitive Personal data on the form of Section 72A and Section 43A
respectively.
VACUUM  There are also other provisions that are part of the data protection regime such as
data retention, exemptions and powers of surveillance etc

The view that there is  Regulation under ITA 2000 is managed by the CERT-IN in respect of security

no data protection law and a set of Adjudicators across the country in respect of civil wrongs and the
criminal justice system in respect of criminal offences.
in India since the Bill
has been withdrawn is  Penalties upto INR 50 million are under the jurisdiction of Adjudicators. There is

not true. no upper limit. Criminal punishments vary from 1 year to life imprisonment.
 There is vicarious liability on executives for criminal offences and extra
territorial jurisdiction.
THERE IS
NO  Hence ITA 2000/8 was and continues to the

VACUUM Data Protection Act of India till the new law

comes in force and
The view that there is  All organizations using data in any form are
no data protection law
in India since the Bill required to be in compliance with ITA 2000/8
has been withdrawn is
not true.
along with the relevant rules notified.
 1. Provide a Policy for Privacy and Disclosure of personal or non personal
information disclosing the purpose of collection, usage of information
and reasonable security practices and procedures practiced by the
organization.
SUMMARY OF 2. Obtain consent in writing from the provider of sensitive personal
COMPLIANCE information before collection.

REQUIREMENT 3. Not collect such information except for lawful purpose in connection
with a function or activity of the body corporate and the collection is
S UNDER ITA necessary for such purpose.
2000 4. Ensure that the provider of personal information (DATA SUBJECT) shall
have adequate knowledge (Notice) of the fact that the information is
being collected, the purpose of collection, the intended recipients of
the information, the name and address of the agency that is collecting
the information and the agency that will retain the information.
 5. Not retain the information longer than required for the purpose for
which it was collected.
6. Not use the information except for the purpose for which it was
SUMMARY OF collected.
COMPLIANCE 7. Provide the information provider (data subject) ability to review the
REQUIREMENT information provided, ensure that it remains accurate and complete and
amend it as feasible and necessary.
S UNDER ITA
8. Provide an opportunity for the data subject not to provide the
2000 information sought to be collected or withdraw the consent already
provided but the body corporate shall have the option not to provide
goods or services for which the said information was sought and was not
provided or consent given earlier is withdrawn.
 9. Have a system to address grievances of the data subject

10. Designate a Grievance Officer and publish his name and contact

SUMMARY OF details on its website.

COMPLIANCE 11. Redress the grievances within one month from the date of
receipt of grievance.
REQUIREMENT
12. Not publish nor disclose the sensitive personal information to
S UNDER ITA any third party without prior permission except to authorized
2000 Government agencies for purpose of verification of identity, or for
prevention, detection, investigation including cyber incidents,
prosecution, and punishment of offences subject to certain
conditions imposed on such agencies.
 13. Not transfer sensitive personal data or information including any information, to
any other body corporate or a person in India, or located in any other country, that
ensures the same level of data protection that is adhered to by the body
corporate as provided for under these Rules.

-The transfer may be allowed only if it is necessary and there is a consent of

SUMMARY OF the data subject

COMPLIANCE 14. Implement “Reasonable Security Practices”

REQUIREMENT -which includes a comprehensive documented information security programme

S UNDER ITA and information security policies

2000 -that contain managerial, technical, operational and physical security control
measures

-that are commensurate with the information assets being protected with the
nature of business.

-Such reasonable security practices shall be capable of demonstrating in the event

of an information security breach, that the body corporate has implemented
security control measures as per their documented information security
programme and information security policies.
SUMMARY OF
ITA 2000/8 compliance covers all essential aspects of
COMPLIANCE
Data Protection Law which was expected to have been
REQUIREMENT
formalized under the new Act.
S UNDER ITA
2000 Withdrawal of the PDPB 2019 places the onus of Data
Protection unambiguously on ITA 2000/8
COMPLIANCE
OF ITA 2000/8 IS
BROADER AND
DEEPER THAN
PDPB 2019
 ADDITIONAL
COMPLIANCE UNDER
INTERMEDIARY
REQUIREMEN GUIDELINES

TS
COMPLIANCE..
INTERMEDIARY
GUIDELINES
"Intermediary" with respect to
any particular electronic
records, means any person who
on behalf of another person
receives, stores or transmits
that record or
provides any service with
respect to that record
An organization may be a Data
consumer in one capacity and an
Intermediary in another capacity
1. Shall prominently publish on its website, mobile based
application, the rules and regulations,
privacy policy and user agreement and
such policy shall include the specific requirements mentioned
under Rule 3 of the notification of February 25.
2. Shall renew the changes in the policies at least once a
year
3. Shall remove within 36 hours any content ordered to be
removed by a competent authority.
4. Shall disclose data required by an investigating agency
within 72 hours.

COMPLIANCE..
INTERMEDIAR
Y GUIDELINES
Government by a specific
order may declare any system
critical to the national
security as a “Protected
System” and take the
information security under its
supervision.
Eg: ICICI Bank, HDFC
Bank, NPCI
5. Shall preserve the copy of the removed content and
associated evidence including log records for 180 days or for
such longer periods as may be required.
Preservation of evidence shall comply with Section 65B of
6.
Indian Evidence Act
7. Shall preserve the registration information even for cancelled
accounts for 180 days. (Now enhanced to 5 years)
8. Shall not knowingly deploy or install or modify technical
configuration of any computer resource circumventing any law.
9. Shall synchronize system clocks with designated system
10. Shall report Cyber Security incidents within 6 hours to CERT-
IN
 11. Shall maintain a grievance redressal mechanism and designate a Grievance
officer whose details are made available on the website, acknowledge
complaints within 24 hours and dispose the grievance within 15 days.

12. Shall disable obscene content on receipt of a complaint within 24 hours

13. Significant Social Media Intermediaries (like Twitter, WhatsApp etc)

COMPLIANCE.. -shall appoint a Chief Compliance Officer and an India Nodal Officer besides a

INTERMEDIAR Resident Grievance officer,

-Shall provide the first originator of a message when required through a

Y GUIDELINES judicial order,

-Shall properly identify advertisements and make them identifiable in an

appropriate manner,

-Shall enable users to identified etc.

14. Digital Media intermediaries shall follow the Code of ethics and safeguards as
prescribed.
 15. Shall ensure that all the time clocks on their network are
synchronized not to deviate from NPL and NIC
16. Shall ensure that log records of all transactions are
maintained for a minimum of 180 days
COMPLIANCE.. 17. Shall ensure that data of registration of users including the
INTERMEDIARY names, e amil address, IP address at the time of
GUIDELINES registration, contact numbers etc are retained for a period
of 5 years
18. Shall ensure that al Virtual Asset exchange providers and
custodian wallet providers shall maintain KYC records for 5
years
 19. Shall maintain transaction records in such a
manner that the data transaction can be re-
COMPLIANCE
constructed along with relevant elements
..
of time, IP address etc.
INTERMEDIA
RY 20. Shall report data breaches in the prescribed

GUIDELINES format to CERT-IN

21. Shall follow the directives of CERT-IN
  In summary,

 The need to remain compliant with ITA

2000 has become more rigorous and
COMPLIANCE.. all the data protection requirements
expected to be introduced by PDPB
2019 are now required to be
implemented scrupulously for both
personal and non personal data.
EXPECTED
PROVISION  Scope of the Act may be broadened to create a
S OF PDPB unified law for Data Protection and Governance

2019 THAT and covering both personal and non personal data.

MAY  Certain aspects of existing Telegraph Act, E

Commerce regulations and proposed Crypto
SURVIVE Currency Act may become part of the new law
THE NEW which may be called the Digital India Act.
LAW
EXPECTED
 Consent is likely to remain as the principal legal
PROVISION basis for personal data collection, processing/use
S OF PDPB and disposal
2019 THAT  Legitimate interest will be the alternative to
MAY address necessary exemptions and derogations
SURVIVE  Exemptions for Publicly available data and

THE NEW Employee data as provided in PDPB 2019 are

likely to continue.
LAW
EXPECTED  Restrictions on transfer of data out of India are likely
PROVISION to remain at the current level where a copy of
S OF PDPB Sensitive personal information may be required to be
maintained in India if transferred out of India.
2019 THAT
 No Changes are expected in the Data Subject’s
MAY Rights.
SURVIVE  Audit requirements involving mandatory annual
THE NEW audit by an external data auditor with publishing of
LAW Data Trust Score and concurrent audit may continue.
EXPECTED
 Compliance provisions such as Privacy By Design
PROVISION Policy, DPIA etc are expected to continue
S OF PDPB  Data Protection Officer to be an employee of the
2019 THAT organization at a top management level is
MAY expected to be continued.
SURVIVE  Sand Box system and exemption for processing of

THE NEW personal data of foreigners by data processors in

India is expected to continue.
LAW
  In the light of the above, organizations who are likely to be in Data
related business in India are likely to confront a very dynamic
regulatory scenario.
 Progressive and wise organizations therefore need to go ahead and
continue their data protection project plans as if the PDPB 2019-
JPC version and the current ITA 2000 will both required to be
SUMMARY compliance drivers in the upcoming regime of the Digital India Act.
 Hence organizations are recommended to review their ITA 2000
compliance (incorporating the latest CERT-IN guidelines) and also
implement the PDPB 2019 compliance as if it is the data protection
law of India.
 The DPCSI framework (Data Protection Compliance Standard of
India) is the only comprehensive framework that addresses this
requirement at present and could be a useful guideline.
NOTE  Na.Vijayashankar

 Managing Director, Ujvala Consultants Private Limited

PREPARED  Chairman, Foundation of Data Protection Professionals in India

BY  E Mail: [email protected]

 Mob: 9343554943