Business Guide | Israel-India 2022

India is moving forwards towards Data Protection legislation Tightening up Protection of Data and Strengthening Trust in Business P resently, India does not have a comprehensive and specific legislation on data protection, but certain provisions on data protection are set out in The Information Technology Act, 2000 and Rules thereunder. The Data Protection Bill, 2021 has been presently placed and pending before the Indian Parliament for discussions. The 2021 Bill is an amended and updated version of the Personal Data Protection Bill 2019 based on recommendations of a joint parliamentary committee to make it more relevant to current times. Key Highlights of the Proposed Data Protection Bill Regulation of Personal and Non-Personal data: The legislation aims to regulate collection and processing of personal data i.e. any data relating to an identifiable natural person and non-personal data i.e. any data other than personal data including anonymized personal data will be regulated. Application topersons inandoutside India: The legislation will also apply to persons outside India if the processing is connected to their business or systematic offering of goods or services to persons in India or any activity involving profiling of persons within Indian territory. Obligations of Data Fiduciary and Data Processors: Data Fiduciary decide ‘why’ and ‘how’ personal data should be processed. Data Processor processes personal data on behalf of Data Fiduciary. Obligations of Data Fiduciary varies from that of Data Processor. The obligations include requirement to: ●● Obtain consent prior to processing of personal data ●● Implement Privacy Policy ●● Maintain transparency in processing personal data ●● Maintain Security safeguards ●● Report Personal Data breach within 72 hours of becoming aware of the breach ●● Delete Personal Data when no longer relevant ●● Appoint Grievance Redressal Officer ●● Maintain log of Data Breaches Rights of DataPrincipal: These rights include right to confirm, access, correct and erase their personal data, and right to port data among other rights. Localization of SensitivePersonal Data: While sensitive personal data can be transferred outside India for specific purposes, it will be mandatory to store the data locally in India. Concept of Significant Data Fiduciary: Authorities can classify certain Data Fiduciaries to be Significant Data Fiduciary basis factors such as Volume of data processed, Sensitivity of data processed, Turnover of Data Fiduciary, Risk of harm due to processing and use of new technologies. Significant Data Fiduciaries have higher compliance thresholds including requirement to register with the Data Protection Authority, undertaking Data Protection Impact Assessment, annual audit of its policies, appointingData ProtectionOfficer, undertaking periodic review of security safeguards, andmaintaining record of key operations in life cycle of data. Grounds for processingpersonal datawithout consent: Personal data can be processed without consent of Data Principal under specific conditions including for compliance with local laws and court orders, functions of State, medical emergency, disaster management, employment purposes, whistleblowing, corporate restructuring etc., Establishment of Data Protection Authority of India: A Data ProtectionAuthoritywill be established to regulate all entities and matters relating to Data Protection and Privacy in India. Courtesy: Adv. Anagha Subramaniam, Partner, Solomon & Co. www.solomonco.in 50 > Business Services > Data Protection