These safeguards show that the Indian government is interested in both protecting the data rights of Indian contractors and eliminating the glaring power imbalance that currently exists between big tech companies and Indian citizens in data collection. But again, it remains to be seen how this relationship will play out when it comes to individuals and government, not just individuals and businesses. For example, the many vaguely defined exceptions to data regulation could allow for forms of oversight if government agencies deem the collection and use relevant to government functions. The controller or processor who processes personal data in order to offer business opportunities or services may use personal data derived from a list of public data. The controller or processor may not continue the processing of such data if the data subject has expressed or objected to further processing. The Data Protection Act defines personal data as any information relating directly or indirectly to an identified or identifiable natural person, in particular by assigning an identification number or one or more particular characteristics that are the expression of his or her physical, physiological, mental, economic, cultural or social identity. The bill also mentions the amendment of the Information Technology Act 2000 and the removal of provisions requiring the payment of compensation by companies in the event of non-protection of personal data. Biometric data: According to the draft law, “biometric data” is defined as facial images, fingerprints, iris scans or similar personal data resulting from measurements or technical processing operations carried out on the physical, physiological or behavioral characteristics of a data giver that allow or confirm the unique characteristics of the data principal. “Biometrics” is defined in idPS as technologies that measure and analyze human body characteristics such as fingerprints, retina and iris of the eyes, voice patterns, facial patterns, hand measurements, and DNA for authentication purposes. In accordance with Commissioner`s Decision No. 8 of 31 October 2016, the following States have an adequate level of data protection: The main collection rules are as follows: (i) It is necessary to obtain the consent of the information provider before collection.
The information provider must be able not to provide the requested sensitive personal data or information and withdraw its consent by informing the entity in writing; (ii) sensitive personal data or information may be collected only if this is necessary for a legitimate purpose related to a function or activity of the legal person or a person acting on its behalf; and (iii) the company should provide additional information to the information provider (see below). The Commissioner for the Right to Information and Data Protection (the “Commissioner”) is the independent Albanian authority responsible for monitoring and controlling the protection of personal data and the right to information while respecting and guaranteeing fundamental human rights and freedoms in accordance with the legal framework. The RBI, the monetary authority of the Indian node, has asked all companies (whether banks or others) operating in the payments sector to process and store all financial information in India. In the case of cross-border transactions involving a foreign party and a domestic party, the regulatory authority shall require mirroring prior to the transfer. In the event that a data custodian is located outside of India, it must appoint a DPO based in India. According to Instruction No. 47 of 14. September 2018 “On the establishment of rules to maintain the security of personal data processed by large processing companies”, which, as mentioned above, applies only to large data processors, the DPO will immediately inform the large data processing unit in writing of any risk of violation of the rights of data subjects.
also in the event of a violation of the legislation on the protection of personal data. The bill does not prescribe retention periods; However, the data should not be kept longer than necessary to achieve the purpose for which the data were processed. Regulators, legislators, the judiciary and industry can expect 2022 to be a busy year. It`s been more than three years since the EU`s General Data Protection Regulation came into force, and India is poised to follow the EU`s lead and streamline its data protection rules, although there are reports of a possible overhaul of the bill. The interaction of industry-specific regulations and a general data protection law could trigger considerations and actions on a variety of data protection concerns. In addition, given the rapid adoption of cutting-edge technologies such as blockchain and AI, it would be useful to track and explore how current regulations would be applied to frameworks based on decentralization and anonymization. In the meantime, companies should consider conducting regular audits and assessments of their privacy practices to better visualize the types of data they collect, their flow within the company, retention periods and locations, and take corrective action to address the gaps they observe. Finally, the government has ensured that Article 91 is added – a provision clarifying that it reserves the right to interpret all policies for the benefit of India`s digital economy – as long as it does not involve the use of personal data that can be used directly to identify an individual. Subsection 91(2) also states that the government may require data collectors to provide anonymized personal data or other “non-personal data” for the purposes of “evidence-based policy development.” Little clarity has been provided as to what this might mean. This bill grants certain rights to a person or data giver, including the right to (iv).) in order to protect and restrict the closure of their personal data by an agent, it is no longer necessary to disclose it without consent or no longer necessary. Several requirements set out in the PMO report and the revised PBO are worth considering. Take, for example, data localization standards that apply to sensitive personal data and critical personal data (which have not yet been defined by the central government).
The flow of data from India to an overseas country would be limited. A natural entity that is negligent in implementing and maintaining security practices and procedures to protect sensitive personal data or information may be required to pay compensation to the data subject. In this context, the maximum compensation that can be imposed is not determined. The PDP Bill proposes that a child`s personal data be processed in a manner that protects the rights and best interests of the child. In addition, such processing can only be carried out after verification of the age of the child and obtaining the consent of parents or guardians. Companies that process children`s personal data or provide services to children are classified as “guardian” data trustees and are not allowed to create, track or process profiling, so they can cause significant harm to the child.