#PrivacyBill Companies may have to get their privacy-by-design policies certified by the Data Protection Authority.
Right to be Forgotten under India's #PrivacyBill? A data principal can appeal Right to be Forgotten orders to an Appellate Tribunal, if he/she is unsatisfied with the Adjudicating Officer's review of the RTBF order. In the 2018 draft bill, the review process ended with the AO.
There's now going to be a "Consent Manager" thanks to #PrivacyBill.

Users can use the consent manager to give or withdraw consent to the data fiduciary (app/site). Consent manager is defined as
Comment in from @udbhav_tiwari of @mozilla , which talks about exceptions for government and verification of social media users.
@udbhav_tiwari @mozilla Blue ticks if you want them!

Under the #PrivacyBill, social media entities (significant data fiduciaries) will have to give account verification options to willing users.

(thankfully this is VOLUNTARY, not mandatory)
@udbhav_tiwari @mozilla Exemptions for government under #PrivacyBill: The Indian government can exempt any government agency from the Act for national security, integrity & sovereignty, public order, friendly relations with foreign states, and for preventing any cognizable offence relating to the above.
More exemptions from privacy in #PrivacyBill: certain rights of users will be suspended if personal data is processed for law enforcement, judicial reasons, journalism, and for personal reasons.
The #PrivacyBill provisions will not apply when personal data is processed for research, archiving, or statistical purposes.
Swadeshi Jagran Manch right now:
Why? Because data localisation is not mandatory for all data. Nor is mirroring. Two screenshots of applicable provisions from the bill:
So, @ambersinha07 , from @cis_india , writes in to share his views on exemptions to government agencies:
@ambersinha07 @cis_india Interestingly, @wikipedia does not fall under the definition of a 'social media intermediary' under the #PrivacyBill, since it specifically states that online encyclopedias are not social media intermediaries.
@ambersinha07 @cis_india @Wikipedia Some parts of #PrivacyBill won't apply to "small entities". Data Protection Authority will decide what a small entity is based on: turnover, purpose of data collection, volume of personal data processed.

Old version: small entities were with Rs 20 lakh turnover and <100 users.
@ambersinha07 @cis_india @Wikipedia Regulatory sandboxes find a mention in the #PrivacyBill : The DPA will create a sandbox for innovation in AI, ML, or “any other emerging technology in public interest” that can be used by a data fiduciary, whose privacy-by-design policy has been certified by the DPA.
@ambersinha07 @cis_india @Wikipedia What if there's a data breach?

Data fiduciary (website/app) will inform Data Protection Authority of any personal data breach. Info: nature of the breach, number of users, possible consequences of the breach, and action taken by the app/site.

More 👇
After that, it's up to the DPA to decide whether a user should be informed of the breach, based on severity, and whether some action is required on the part of the data principal to mitigate such harm.

So users might not be informed in case of breach. 🙄
Dear @rsprasad , some typos in the #PrivacyBill . Can't figure out how many members. Please do let us know.
@rsprasad Re-identification of personal data & its processing is an offense under the new #PrivacyBill

Old draft had 3 kinds of offences: re-identification of personal data and its processing, as well as obtaining, transferring & selling of personal data & sensitive personal data
@rsprasad How #PrivacyBill deals with consent:

1. The new bill has removed the definition of explicit consent. In the draft 2018 bill, consent was considered explicit only when free, informed, specific, clear, and capable of being withdrawn.

More 👇
How #PrivacyBill deals w consent:
2. Personal data can only be processed w users consent at commencement of processing
3. New bill explicitly states: personal data can be processed without consent in some cases: medical emergency and carrying out a state function, etc.

More 👇
How #PrivacyBill deals with consent:
4. Non-sensitive personal data can be processed without consent for employment-related purposes
5. Personal data can be processed without consent for some “reasonable purposes”, including for operation of search engines.
More 👇
How #PrivacyBill deals with consent:
6. Children's personal data cannot be processed w/o consent of parent/guardian, age verification also needed
7. Guardian data fiduciary can provide counselling/child protective services without obtaining consent of parent/guardian
More 👇
Note: these consent requirements for how children's personal data is processed are going to significantly impact gaming companies. How will they do age verification, and get parental consent?
Interesting times for Google Search?

Under the new bill –
1. Search engines can process personal data without obtaining consent.
2. Search engines are not social media intermediaries
Impact on apps with lots of users: Some can be classified as significant data fiduciaries on basis of: volume & sensitivity of personal data processed, turnover, risk of harm from processing, use of new tech for processing, and any other factor causing harm from such processing.
Critical personal data shall only be processed in India, as was said in 2018 draft bill.
As per Section 33, sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India.

Question for @GoI_MeitY: is this data mirroring? How can data be transferred out of India and also be stored in India?
@GoI_MeitY Critical personal data can be transferred outside India if such a transfer is:
@GoI_MeitY Conditions for transfer of sensitive personal data:
1. Consent by data principal and either of the following two provisions
2. Contract of intra-group scheme approved by the DPA that has the following provisions:
3. Central government and the DPA have ascertained the following:
Data Protection Authority – powers & functions
The Data Protection Authority has the power to conduct search and seizures
Sensitive personal data includes:
We're waiting for the Lok Sabha to update its List of Business. We'll let you know when there's an update!

If you have any questions based on the thread above, let us know and we'll try and answer them tomorrow/day-after.
Keep Current with MediaNama.com
