On December 11, 2019 the Personal Data Protection Bill 2019 was introduced in Parliament where different ways to process data in India including protection for transfer of personal data, restrictive conditions for transfer of personal data and penalties come into picture. In this article we will outline the impact of Data Protection Bill on private companies.

  • Data Mirroring

Data mirroring is an act of copying data from one location to a storage medium in real time. So now the data mirroring requirement for personal data has been removed and restricted to Sensitive Personal Data (SPD). Therefore a copy of data related to religious, biometric, financial data and others will need to be stored in India.

  • Cross border data transfers

Now for transferring SPD outside India, there are two requirements which must be fulfilled. Firstly, consent of data principal and secondly a cross border data transfer measure must be in place. This is a positive step for companies in respect of compliances. Also, transfer of data to a country with inadequate protections is a risk factor.

  • Critical personal data

There is restriction on processing of critical personal data, which means no activity such as sharing, analysis, storage etc. can be done. However 2019 Bill clarifies that if the other country’s privacy laws are adequate and if there is no harm in sharing such information then relaxation in such cases can be granted.

  • Consent managers

The 2019 Bill introduces “consent managers”. They are intermediary which will serve the role of helping a data principal give, withdraw and otherwise manage consent with a data fiduciary and to exercise any of his data subject rights according to the law. For companies, it is a huge compliance burden in terms of integrating with multiple consent managers.

  • Optional certification privacy by design policies

Companies may have their privacy by design policies certification and certain standards will be prescribed for the policy to be certifiable.

  • Central government right to Anonymous & non-personal data

According to Bill 2019, Central Government has right to ask any fiduciary to give any anonymous and non-personal data. This can create an issue for the company’s confidential business data and with no clarity as to how the rights of companies over such data will be protected.

  • Personal data

For national security reasons the government could require or intercept any personal data in their possession, that affects private companies.

  • Provisions on social media intermediaries

The Data Protection Bill 2019 includes certain provisions on social media intermediaries (SMIs) for which special requirements are to be prescribed for classification as a significant data fiduciary. SMIs must provide users with the option to verify themselves and verification must be demonstrable and visible.

  • Compliance burden

The Bill implies that companies around India and the world will have to a significant compliance burden. Where reduction of compliances is possible such steps must be considered but there should be no compromise with the rights of the people.

Therefore, the Data protection Bill 2019 plays a major role for the companies to protect the personal data of the client and to ensure that company had made all compliances according to the Bill 2019.