The Personal Data Protection Bill, 2019
________________________________________________________________________________
This Blog is written by Priyank Sudhir Shah from Gujarat Law Society Law College. Edited by Prakriti Dadsena.
________________________________________________________________________________
INTRODUCTION
The Personal Data Protection Bill, 2019 (“PDPB”) was introduced in Lok Sabha by the Minister of Electronics and Information Technology on December 11, 2019. The purpose of this Bill is to provide for protection of the privacy of individuals relating to their Personal Data, and to establish a Data Protection Authority of India for the said purposes and for matters concerning the personal data of an individual. The Bill proposes to supersede the Information Technology Act, 2000 (Section 43-A), deleting the provisions related to compensation payable by companies for failure to protect personal data. The PDPB, inter alia, prescribes the manner in which personal data is to be collected, processed, used, disclosed, stored and transferred. The PDPB proposes to protect “Personal Data” relating to the identity, characteristics, traits or attributes of a natural person, and “Sensitive Personal Data” such as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political beliefs [1]. At its core, the Bill continues to require that Personal Data be processed fairly and reasonably while ensuring the privacy of the Data Principal, for purposes that are consented to by the Data Principal, or purposes incidental or connected thereto. The following is a summary of the key changes relevant to private Data Fiduciaries. The Bill has also made certain changes to the provisions relating to the processing of Personal Data by Central and State Governments [2].
CONTENTS OF THE BILL
Applicability:
The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator [3].
Obligations of data fiduciary:
A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for a specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
Rights of the individual:
The Bill sets out certain rights of the individual (or data principal). These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
Data Protection Authority:
The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
Transfer of data outside India:
Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
Exemptions:
The central government can exempt any of its agencies from the provisions of the Act: (i) in the interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognizable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
Offences:
Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
CONCLUSION
The Bill is the first step towards personal data protection, but it faces a lot of hurdles. Since this legislation is one of a kind, many issues may arise during this process; one such issue is the consent of the party. Depending on the data, policies, rules and codes would have to be framed to ensure that they are consistent with the revised principles, such as updating internal breach procedures and implementing appropriate measures to prevent the misuse of data. There is also the challenge of appointing the Authority, and the final blow would be setting up the justice delivery mechanism to address complaints by individuals.
REFERENCES
[3] https://www.prsindia.org/billtrack/personal-data-protection-bill-2019