This is the first post in this series, which aims to deconstruct the various provisions of the draft Personal Data Protection Bill, 2019 (PDP Bill/ Act). Before we delve right in, we need to address the elephant in the room. When will the PDP Bill get enacted? As you may know, the bill is currently being deliberated over by the joint parliamentary committee (JPC). The JPC has been reaching out to stakeholders, from IT behemoths to policy think tanks. This exercise is largely over and I am given to understand that the JPC’s report will be submitted in this budget session of the parliament. The PDP Bill is, however, unlikely to get passed in this session.
Anyway, the intent of this series is to deconstruct different chapters of the PDP Bill and give a perspective on how this may impact you and/ or your business. I am not going to delve into the definitions separately, but I am going to address them in the context of the different chapters. For your reference, the definitions can be found here. I will not delve into any comparison with the GDPR, as I intend to keep these posts short and address only the specific sections. I also intend to update each chapter once the final version of the PDP Bill is published. So watch out for that.
As the first post in this series, I will deal with a very important aspect, i.e. applicability. Before we get started with the specific section, some of the definitions (as provided under the PDP Bill) which you will find in this post and later posts are given below.
So basically the provisions of the Act (once enacted) will apply to the processing of personal data:
1. where such data has been collected, disclosed and shared or otherwise processed within the territory of India; or
2. by the State (i.e. the government), any Indian company, any Indian citizen or person or any body of persons that is incorporated and created under Indian law.
So far this is simple. Now, the provisions of the Act will also be applicable to:
3. Processing of personal data by any data fiduciary or data processor who is not present within the territory of India, but is processing personal data in connection with:
   (a) any business carried on in India, or any systematic activity of offering goods and services to data principals within the territory of India; or
   (b) any activity related to profiling of data principals within the territory of India.
The provisions will not be applicable to the processing of anonymized data, other than anonymized data referred to in section 91 of the Act. I will definitely delve more into anonymized data and the government's attempt to regulate it in later posts.
Indian entity or processing data within India
So, to summarize, if you are collecting and processing personal data within the territory of India, or if you are a company or an entity incorporated under Indian law processing personal data, the Act will apply to you.
We also need to be mindful of Section 37 of the PDP Bill. This says that the central government may, by notification, exempt from the application of this Act the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, by any data processors incorporated under Indian laws. India being a popular outsourcing destination, it is possible that this power may be used to exempt Indian data processors who are part of the outsourcing industry and which deal with data of foreign nationals. However, there is nothing concrete at the moment, and this is just my speculation.
Entities outside India
If you are an entity that runs a business in India, i.e. provides goods and services to data principals in India, the Act will apply to you. The Act will also be applicable to a foreign entity engaged in profiling of data principals in India.
You can access the latest version of the PDP Bill here.