Data Privacy Day
Building block of the Indian digital economy

Personal Data Protection Bill, 2019 (PDPB)

India's Union Cabinet approved the Personal Data Protection Bill 2019 on 4 December 2019. The bill has been referred to a 30-member joint Parliamentary committee. This committee is expected to present its report by the last week of the Budget session 2020.

Key definitions:

'Personal data' means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

Attributes classified as sensitive personal data (this is not an exhaustive list):
a. Financial data
b. Health data
c. Official identifier
d. Sex life
e. Sexual orientation
f. Biometric data
g. Genetic data
h. Transgender status
i. Intersex status
j. Caste or tribe
k. Religious or political beliefs

'Data Fiduciary' (DF) means any person, including the state, a company, any juristic entity or any individual who, alone or in conjunction with others, determines the purpose and means of processing of personal data.

'Data principal' means the natural person to whom the personal data relates.

'Data processor' means any person, including the state, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary.

Applicability (Fig: Applicability test for PDPB):
1. Does your organisation collect or process personal information about your clients, consumers or employees etc.? No: PDPB doesn't apply. Yes: continue.
2. Is your organisation incorporated* in India? Yes: PDPB applies. No: continue.
3. Does your organisation carry out business or perform systematic activity of 'offering goods or services' to data principals in India? Yes: PDPB applies. No: continue.
4. Does your organisation perform operations which involve 'profiling' of data principals in India? Yes: PDPB applies. No: PDPB doesn't apply.
*Incorporated or created under Indian laws such as the Companies Act or the Shops and Establishment Act.

Grounds of processing:
1. Medical emergency
2. With consent
3. Functions of state
4. Compliance with law or a court or tribunal
5. Law in force for the time being
6. Treatment for epidemics
7. During disasters
8. Recruitment or termination
9. Provision of services to employees
10. Attendance of employees
11. Assessment of performance of employees
12. Reasonable purposes
*Sensitive data to be processed only on grounds indicated in bold.

Obligations of significant data fiduciaries:
1. Appoint a Data Protection Officer
2. Register with the authority as prescribed
3. Have data audits on its policies and conduct of processing personal data
4. Conduct Data Protection Impact Assessments
5. Maintain records of processing activities

Data audits:
1. Significant data fiduciaries will have their data processing environment audited annually by an independent data auditor
2. Experts in information technology, computer systems, data science, data protection or privacy may be specified by regulations as data auditors

Data processing of children (less than 18 years of age):
1. Age verification and obtaining consent from a parent or guardian is mandatory
2. Data fiduciaries operating commercial websites directed at children, or processing large volumes of personal data of children, are to be classified as guardian data fiduciaries and are prohibited from profiling or monitoring these children

Data principal rights: In addition to the existing rights, a 'Right to Erasure' has been added for data that is no longer necessary.

Data storage:
1. Personal data: can be transferred outside India
2. Sensitive personal data: at least one local copy has to be maintained in India
3. Critical personal data (to be notified by the central govt.): to be stored in India and cannot be transferred outside, except for health emergencies or as notified by the central govt. or the authorities

Penalties and compensation:
1. Fines up to INR 5 crores or 2 per cent of total worldwide turnover, whichever is higher, for lower-level offences
2. Fines up to INR 15 crores or 4 per cent of total worldwide turnover, whichever is higher, for higher-level offences
3. Any offence punishable under PDPB will be cognisable and non-bailable
4. INR 5,000 per day for failure to address data principal requests, up to a maximum of INR 10 lakhs for significant data fiduciaries and INR 5 lakhs for other data fiduciaries

New additions in the 2019 bill:
1. Social media intermediaries: A new category of fiduciaries called 'Social Media Intermediary' is introduced, which may be categorised as significant data fiduciaries
2. Sandbox: Introduces the concept of a Sandbox for encouraging innovation in emerging technology in the public interest. This Sandbox can be accessed by data fiduciaries with a certified 'Privacy by Design' policy
3. Consent Manager: A new category of fiduciaries called 'Consent Manager' is introduced, responsible for assisting data principals with their consent management. Consent Managers are to be registered with the DPAI
4. Access to anonymised data: The government may at any time request data fiduciaries for anonymised personal data or non-personal data for better targeting of delivery of services or formulation of evidence-based policies

© 2020 An Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

Posted on 14-Mar-2020

