Prohibition of processing of personal data
Clause 4 seeks to prohibit processing of personal data without any specific, clear and lawful purpose. Earlier, the concept of reasonable processing was categorically prescribed, which could have resulted in possible processing of data without consent. The amended draft does away with that provision.
Restriction on retention of personal data
Clause 9 of the Draft Bill prescribes that the data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary gets consent from the data principal.
Processing of personal data for other reasonable purposes
Clause 14 seeks to provide for other reasonable purposes for which personal data may be processed. One such newly introduced purpose is the operation of search engines. This is a new insertion and was not present in the previous bill.
Right to correction and erasure
As part of chapter V on the Rights of Data Principal, under Clause 18, the data principal has been provided the right to erasure of personal data which is no longer necessary for the purpose for which it was processed. This has been added in the Draft Bill over and above the other data principal rights, such as the right to correction of inaccurate data, completion of incomplete personal data and right to updating of personal data that is out of date.
Privacy by design policy
Clause 22 seeks to list out the constituents of privacy by design policy. Though the concept itself is not new (as it was already included in the previous bill), the mandatory requirement for a certification of the privacy by design policy by the data protection authority has been newly added. Such a policy is required to be published on the organisation and the authority’s website.
Transparency in processing of personal data
Clause 23 seeks to bring in transparency in the processing of personal data by requiring the fiduciary to inform the data principal and make information available. This clause introduces a new term − ‘consent manager’ − which is defined as a data fiduciary through which a data principal can give, withdraw, review and manage his/her consent through an accessible platform.
Prohibition on processing of sensitive personal data and critical personal data outside India
Clause 33 seeks to prohibit processing of sensitive personal data and critical personal data outside India. Though these concepts were included in the previous bill, the new provisions are clearer, and restrictions are imposed on transferring sensitive and critical data.
The new provisions state that:
sensitive personal data may be transferred outside India, subject to conditions for transfer of sensitive personal data and critical personal data, but shall continue to be stored within India
critical personal data (the definition of which is to be notified by the Central Government) can only be processed in India.
Conditions for transfer of sensitive personal data and critical personal data
Clause 34 seeks to list out conditions under which sensitive personal data and critical personal data could be transferred outside India. Sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer, and where such transfer is made pursuant to a contract or intra-group scheme approved by the authority. Previously, intra-group scheme related approval was provided only for the categories of personal data, not being sensitive data. However, the Draft Bill extends this provision to sensitive data as well.