
India's Joint Parliamentary Committee Announces Recommended Changes to Privacy Bill

Last month, the Indian Joint Parliamentary Committee submitted its report on the 2019 Personal Data Protection Bill after two years of consideration, research, and analysis. The bill, which is not a certainty but is likely to pass, would replace what some consider to be archaic data protection regulations. Although the bill is not finalized, its biggest obstacle, if implemented as envisioned, is strict data localization. India has been in the group of countries legislating data privacy for decades, culminating in the 2021 JPC report submission. Here’s a look at the history of data privacy legislation in India.


The History of Data Privacy Legislation in India

  • 2000 – Information Technology Act is passed by parliament and signed by President K.R. Narayanan, addressing electronic documents, e-signatures, and record authentication.
  • 2017 – The Indian Supreme Court hears Justice KS Puttaswamy vs Union of India and passes a historic judgment affirming the constitutional right to privacy.
  • 2019 – The Personal Data Protection Bill is introduced and immediately sent to the JPC to be examined.
  • 2021 – JPC submits report on PDP revisions to Indian Parliament.


The long-awaited report submitted December 16, 2021 by the JPC has provided necessary clarification and modifications that seek to enhance the syntax and governance of the bill.


The recommended amendments are as follows:

  • Scope – The bill has a proposed name change to Data Protection Bill and will cover both personal and non-personal data, which is unusual, as distinguishing between data types can be difficult when managing mass amounts of data. Clauses also address the deceased and transfer of minor rights (see Clause 16 below).
  • Implementation Timeline – The report outlines a timeline with a 24-month implementation period for data processors to comply.
  • Definitions – The following terms have been defined or revised: consent manager, data auditor, data breach, data fiduciary, data processor, data protection officer, harm, and non-personal data.
  • Clauses 13 & 14 – These clauses apply to consent of personal data processing for employment and legitimate interest, marrying the interests of both the data principal and data fiduciary.
  • Clause 16 – Entities dealing with the data of children must register with the DPA and are required to communicate with the subject 3 months prior to adult age to regain consent and “must continue providing the services to the child unless the child withdraws consent.”


The implementation timeline for the Data Protection Bill is still unknown but will likely be a phased approach. Like California, there is discussion of an oversight committee called the Data Protection Authority of India that would supervise compliance with the proposed law. With the notable amendments to the bill, it’s unlikely we’ll see this come to fruition quickly. Not unlike most proposed privacy legislation, it has been met with dissent and opposition and will have to make its way through the courts of India before becoming law.



8 Key Steps for CCPA Compliance

The General Data Protection Regulation (GDPR) wasn't the only consumer privacy bill signed into law in 2018.

That same year, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into action, setting an effective date of January 1, 2020. 

Like the GDPR, the CCPA aims to strengthen privacy rights and consumer protection. It's designed to help residents of California control how businesses get and share their personal information.

Even if your company doesn't have a physical location in this state, the CCPA could still apply to you. Today, we're sharing eight steps you can take to help you become compliant with all of its measures.

Ready to learn more? Let's get started!

1. Know How the CCPA Affects Your Organization

The CCPA protects any natural person who is a California resident. As opposed to a "legal person" which could encompass private businesses or public governments, a "natural person" is an individual human being.

The law mandates that California consumers have a right to know what personal information companies are collecting on them, and how they plan to use that data. In addition, they must be able to opt-out of that information being sold and can receive a copy of their personal information upon request. 

If they fall victim to an information breach, these residents can also sue for damages.

Who must comply with these regulations? Any for-profit organization that meets any of the following criteria:

  • Collects the personal information of consumers
  • Conducts any form of business in California (including e-commerce)

In addition, the CCPA covers any organization that meets at least one of the following metrics each year:

  • Gross revenue of $25 million or more
  • Collects personal data for 50,000 or more consumers, devices, or households
  • Obtains half of its yearly revenue by selling personal data

Your first step is to understand if and how the law affects you. The only exception made is for information subject to the Gramm-Leach-Bliley Act (GLBA).

Financial institutions should keep in mind, however, that the CCPA is much broader than the GLBA. There will be types of personal information not covered by the GLBA, such as data obtained through webpage tracking, which will now fall under CCPA protection.

2. Map Consumer Data

Once you confirm that the CCPA applies to your organization, your next step is to begin mapping the customer data you collect. 

Start by gathering answers to the following questions in writing:

  • What personal data do you currently collect?
  • What are your methods for data collection?
  • Where and how do you store this data?
  • Do you share the data you collect? If so, with whom?
  • Do you sell the data, provide it in exchange for a service, or use it for a different purpose?

Understand that beginning on January 1, 2020, California consumers may ask how your company collects and uses their personal information. You should be able to respond to these types of questions as they arise. 

Remember to also obtain this same information from any third-party vendors that hold personal data on your behalf. They may need to perform this same data-mapping exercise and inform you of the results. 

3. Fine-Tune Your Privacy Disclosures

As soon as the GDPR went into effect, companies around the world began including a comprehensive privacy disclosure on their website, informing all virtual visitors about their data collection procedures. 

The CCPA will require similar actions. If you're under its jurisdiction, you must provide a disclosure "at or before" the point of data collection. Specific points to mention include things like:

  • The categories of personal information your organization collects
  • Any specific pieces of information collected
  • Where you gather that personal information from
  • The types of third parties you share the information with
  • The purposes for which you will use the information

Post your disclosure in a public location, commit to updating it every year, and be ready to provide more details on it upon customer request. 

4. Allow Customers to Opt Out

In addition to posting your public privacy disclosure, you should also give consumers the opportunity to make sure your company doesn't sell their personal information. 

Do so by creating a privacy link on your home page that's clearly titled "Do Not Sell My Information." Visitors can press on the link and go to a different landing page, where they can request to be exempt from this process. 

As this link must be visible by January 1, 2020, it's wise to go ahead and initiate the IT change management request for your website now. This may help ensure the link is live and bug-free by the required deadline. 

5. Decide How to Handle Customer Requests

Your organization should be able to field and respond to customer requests about how it uses personal data. You can't do so unless you have a step-by-step process in place that dictates how your teams will handle these inquiries. 

The CCPA states you need to provide your answers within 45 days, free of charge. Work with your in-house personnel to decide how you will provide these types of services:

  • Provide consumers copies of their personal information
  • Delete the personal information of customers who request such action
  • Explain what categories of personal information your company sells
  • Opt-out customers 16 years old and over from the sale of personal data
  • Opt-in customers between 13 and 16 for sale of their personal data
  • Get guardian consent to sell personal data of consumers under 13 years old

Make sure you read the CCPA guidelines to understand your legal obligations under each of these tasks, paying close attention to the listed age requirements. 

6. Update Your Software and Systems

It's likely that meeting the requirements under the CCPA will require your organization to make updates to its software and computer systems. As such internal updates can take months to complete and implement, a best practice would be to go ahead and issue all required IT change requests now.

The same applies to recording new procedures. Write them down and store them in a shared, accessible location as soon as possible so all team members are up to speed when January rolls around. 

7. Train Your Teams

It's important to write down all of the new steps required under the CCPA. Yet, in addition to recording them, you should also make sure your teams, especially those in public-facing roles, know how to respond.

Hold employee training sessions that cover the following key points of the new regulation:

  • What CCPA coverage entails, and how your organization fits into it
  • Whether the law applies to your entire footprint or only California customers
  • How the CCPA defines a consumer (as a resident of California)
  • How to direct or process customer inquiries about their personal data

Make sure this training occurs before January 1, 2020.

8. Protect Against Data Breaches

As stated, California consumers can take legal action if a data breach occurs at your company as a result of your inability to maintain security procedures and practices. This can create a devastating blow to your finances, as well as your reputation.

As such, it's important to strengthen your data security measures. Review your current strategies in place and brainstorm ways to further safeguard personal data to mitigate this risk. If you don't have a robust privacy rights management platform in place, now is the time to invest in one.

Prepare Now for CCPA Changes

Though we are still months away from official CCPA implementation, future-focused companies should begin preparations now. 

With so many fine-print details to remember, it can be difficult to keep up with the organizational processes your company should enact.

That's where we come in. 

Our platform makes it simple to automate and streamline all of your individual rights compliance requirements, including CCPA, GDPR, and others. Request a demo today to learn more about how it works. We'll help you prepare for tomorrow, starting today.

About Truyo
Powered by IntelⓇ, Truyo is the automated answer for enterprises seeking to deploy truly integrated SAR, consent, and other data privacy rights processing capabilities that scale with your needs, deliver conspicuous compliance, and adapt to new privacy regulations as they emerge.