
Brief overview of the proposed Personal Data Protection Bill, 2018

© Vertices Partners 1
Applicability of the Bill 2018

• The Bill 2018 applies to:
  • processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India;
  • processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law;
  • processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is:
    • in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
    • in connection with any activity which involves profiling of data principals within the territory of India.

Applicability of the Bill 2018
• The Bill 2018 applies to all categories of industries without giving exception to any specific sector of industry.
• Exceptions:
  • Manual processing by Small Entities (Section 48) – exemption from compliance with certain provisions, for an entity that:
    • did not have a turnover of more than INR 20,00,000/- or such other lower amount as may be prescribed by the Central Government in the preceding financial year;
    • does not collect personal data for disclosure to any other individuals or entities, including other data fiduciaries or processors; and
    • did not process personal data of more than 100 data principals in any one day in the preceding 12 calendar months.
  • Processing of anonymised data (Section 2(3)).

Important Definitions
“Data”

Section 3(12) of the Bill 2018
• “Data” means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means;

Section 2(o) of the Information Technology Act, 2000
• “Data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

The definition of “Data” under the Bill 2018 is not specific to any medium or form; it applies to data in digital as well as physical form.

Important Definitions
“Personal Data”

Section 3(29) of the Bill 2018
• “Personal Data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information;

Rule 2(1)(i) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules 2011”)
• “Personal Information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

The definition of “Personal Data” in the Bill 2018 is more clarificatory, but is not wider than the definition provided in the IT Rules, 2011.
Important Definitions
“Sensitive Personal Data”

Section 3(35) of the Bill 2018
• “Sensitive Personal Data” means personal data revealing, related to, or constituting, as may be applicable— (i) passwords; (ii) financial data (Section 3(19)); (iii) health data (Section 3(22)); (iv) official identifier (Section 3(27)); (v) sex life; (vi) sexual orientation; (vii) biometric data (Section 3(8)); (viii) genetic data (Section 3(20)); (ix) transgender status (Section 3(41)); (x) intersex status (Section 3(23)); (xi) caste or tribe; (xii) religious or political belief or affiliation; or (xiii) any other category of data specified by the Authority under section 22;
• Section 22 provides that the Data Protection Authority may specify further categories of Personal Data.

Rule 3 of the IT Rules 2011
• “Sensitive personal data or information” of a person means such personal information which consists of information relating to;— (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
• provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

The definition of “Sensitive Personal Data” in the Bill 2018 does not contain the exclusion (for publicly available information) provided in the definition in the IT Rules, 2011.

Important Definitions
“Data Principal” and “Processing"
Section 3(14) of the Bill 2018
• “Data Principal” means the natural person to whom the personal data referred
to in sub-clause (28) relates;
Section 3(32) of the Bill 2018
• “Processing” in relation to personal data, means an operation or set of
operations performed on personal data, and may include operations such as
collection, recording, organisation, structuring, storage, adaptation, alteration,
retrieval, use, alignment or combination, indexing, disclosure by transmission,
dissemination or otherwise making available, restriction, erasure or destruction;

Important Definitions
“Data Fiduciary” and “Data Processor”

Section 3(13) of the Bill 2018
• “Data Fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;

Section 3(15) of the Bill 2018
• “Data Processor” means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary;

Section 2(w) of the Information Technology Act, 2000
• “Intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.

Right of Privacy

Under the Bill, 2018
• Section 4 – Any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal.

Under the IT Rules, 2011
• Rule 4 – Any body corporate, or any person who on behalf of a body corporate processes information of the provider of information, shall provide a privacy policy for handling or dealing in Personal Information including Sensitive Personal Data or Information, and ensure that the same is available for view by such provider of information who has provided such information under the lawful contract.
• As per Rule 4, the Privacy Policy should contain:
  • the type of personal or sensitive personal data or information collected;
  • the purpose of collection and usage of such information;
  • consent for disclosure of information, including sensitive personal data or information, to third parties.

Collection of Personal Data

Under the Bill, 2018
• Section 5(1) – Personal data shall be processed only for purposes that are clear, specific and lawful.
• Section 5(2) – Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.
• Section 6 – Collection of personal data shall be limited to such data that is necessary for the purpose of processing.

Under the IT Rules, 2011
• Rule 5(5) – The information collected shall be used for the purpose for which it has been collected.
• Rule 5(2) – A body corporate or any person on its behalf shall not collect sensitive personal data or information unless —
  • the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
  • the collection of the sensitive personal data or information is considered necessary for that purpose.

Collection of Personal Data

Under the Bill, 2018
• Section 8 – Notice (for collection of personal data) must state:
  • the purpose of processing;
  • the categories of Personal Data collected;
  • the identity of the Data Fiduciary, and the details of other Data Fiduciaries and Data Processors with whom the Personal Data would be shared;
  • the procedure for withdrawal of consent;
  • the purpose for processing Personal Data without consent, if any;
  • information regarding cross-border transfer of Personal Data.

Under the IT Rules, 2011
• Rule 5 – Collection of Information – A body corporate collecting information shall disclose to the relevant person:
  • the fact that the information is being collected;
  • the purpose for which the information is being collected;
  • the intended recipients of the information;
  • the name and address of the agency that is collecting the information; and
  • the name and address of the agency that will retain the information.

Regulation of Processing of Personal Data
• Mandatory Consent of Data Principal
• Free Consent (to be established as per Section 14 of the Contract Act, 1872)
• Informed Consent (must give Notice as per Section 8 of the Bill 2018)
• Specific Consent (the scope of consent in respect of the purposes of processing)
• Clear Consent (indicated through an affirmative action in a given context)
• Capable of being withdrawn (with the same ease as comparable to the ease with which consent
may be given)

• Provision of any goods or services or the quality thereof, or the enjoyment of any legal right or claim, cannot be made conditional on consent (i.e. no combined consent; e.g. terms of website use that require consent to the privacy policy as a condition of using the website will not be proper consent).

Regulation of Processing of Personal Data

Under the Bill, 2018
• Purposes for which processing is allowed without consent of the Data Principal:
  • Functions of the State (Section 13)
  • Compliance with law or any order of any Court or Tribunal (Section 14)
  • Necessary for prompt action (Section 15)
  • Purposes related to employment (Section 16)
  • Other reasonable purposes (Section 17)

Under the IT Rules, 2011
• Proviso to Rule 6 – Information may be shared:
  • with Government agencies mandated under the law, without obtaining prior consent; or
  • with any third party by an order under the law.

Regulation of Processing of Sensitive Personal Data

• Mandatory Explicit Consent of Data Principal
  • All elements of consent for Personal Data apply, and in addition:
  • Informed consent (the attention of the Data Principal is to be drawn to purposes of or operations in processing that may have significant consequences for the data principal);
  • Clear consent (explicit and without inference from conduct in a context); and
  • Specific consent (the data principal is given the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to the processing).

Regulation of Processing of Sensitive Personal Data

• Purpose for which processing allowed without Consent of Data Principal


• Functions of the State (Section 19)
• Compliance with Law or any order of any Court or Tribunal (Section 20)
• Necessary for Prompt Action (Section 21)
• Other purposes as may be specified by Data Protection Authority for which the
Sensitive Personal Data may be processed without consent (Section 22(1))

Location of Data Centre
• Section 40 – Restrictions on Cross-Border Transfer of Personal Data
  • Data Fiduciary to ensure the storage of at least one serving copy of Personal Data on a server or data centre located in India.
  • The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

• Section 41 – Conditions for Cross-Border Transfer of Personal Data
  • Personal Data, other than Sensitive Personal Data as notified, may be transferred outside the territory of India where:
    • the transfer is made subject to standard contractual clauses or intra-group schemes (and the Data Principal consents to such transfer);
    • the Central Government has permitted transfers to that particular country or international organisation (and the Data Principal consents to such transfer); or
    • the Data Protection Authority has approved the particular transfer or set of transfers as permissible.

THANK YOU

PROACTIVE | PEDIGREE | PERFORMANCE

VINAYAK BURMAN
Founder Partner – Corporate
vinayak@verticespartners.com
+91-9939355775

ARCHANA KHOSLA
Founder Partner – Corporate
archana@verticespartners.com
+91-9987717230

JEET SENGUPTA
Partner – Structured Finance / Stressed Assets / Banking
jeet@verticespartners.com
+91-9820366892

AMIT VYAS
Founder Partner – Dispute Resolution
amit@verticespartners.com
+91-9820366892

62&63A – A Wing | Mittal Court, 6th Floor, Nariman Point | Mumbai 400021 | India
Tel.: +91 22 43472375/ 76/ 78
