Analysis of the draft law on the protection of personal data in digital technologies, 2022

2. Obligations of the data trustee – The draft law imposes some significant responsibilities on data trustees to ensure that personal data is processed, stored or deleted in a safe and appropriate manner. These duties include:

a. Security measures – The Data Trustee must ensure that it takes the necessary measures to protect personal data, failing which it may be subject to severe penalties (discussed below). In any case, if there is a breach, the data trustee or data processor (who processes data on behalf of the data trustee) must inform the Board and the data principal. This provision is critical as it ensures transparency in the event of a breach and allows affected individuals to take corrective action to prevent further damage. However, it may be worth setting a specific timetable for notifying the data principal once the data trustee or data processor becomes aware of a breach.

b. Data deletion (Right to be forgotten?) – The bill provides for deletion of personal data when the purpose of collection is no longer fulfilled or retention is no longer necessary. This is in addition to the right of opt-out granted to data principals (as mentioned above) and implies that personal data should not be kept for longer than necessary. The right to erasure is recognized as an obligation for data trustees and also (separately) as a right of data principals.

° C. Appointment of Data Protection Officer (DPO) – Each data fiduciary must appoint a DPO to respond to the data principal’s inquiries and concerns. However, the bill also offers no time frame for that response.

e. Personal data of children – The bill provides for additional obligations when processing personal data of children, which also includes requesting consent from parents/guardians.

e. Trustee of significant data – Although the bill does not actually define what a material data trustee is, it seeks to preserve the central government’s right to identify a data trustee as a material data trustee if it handles a large volume of sensitive personal data, involves a risk of harm to essential data and the impact on India’s sovereignty and integrity, state security, public order, etc.

These significant data trustees must appoint an independent data auditor (to ensure compliance with the provisions of the proposed Bill) and carry out a data protection impact assessment and periodic audit to ensure compliance.