The Personal Data Protection Bill, 2019 has been referred to a join select committee of Parliament amid criticism that privacy provisions had been diluted.
The Personal Data Protection Bill, 2019, which was introduced in Lok Sabha by Ravi Shankar Prasad, minister for electronics and information technology, on Wednesday, has been referred to a join select committee of Parliament amid criticism that privacy provisions had been diluted. The joint panel will have 20 members from Lok Sabha and 10 from Rajya Sabha. Speaker has been vested with the authority to recommend a Member of Parliament (MP) to be the panel's chairman. The panel is likely to submit its report before the end of the budget session, which usually begins in late January. The Bill seeks to provide for protection of personal data of individuals, and establishes a data protection Authority for the same. The aim of the Bill is to plug loopholes and inadequacies presently plaguing the country's information ecosystem.
Why is it important?
The PDP Bill 2019 governs the processing of personal data by government, companies incorporated in India and foreign companies dealing with personal data of individuals in the country.
The Bill envisages and regulates largely three categories of data – personal data, sensitive personal data (SPD), and critical personal data. SPD consists of existing categories of sensitive information such as financial data, health data and biometric data, and also includes new categories such as official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation.
The Bill does not define critical personal data and instead leaves it to the Government of India to formulate a definition by way of rules. Notably, the Bill does not regulate anonymised data and exempts such data from its purview.
Significance of the new legislation
The Bill replaces the traditional terms "Data Controller" and "Data Subject" with "Data Fiduciary" and "Data Principal”. A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose.
All data fiduciaries must undertake certain transparency and accountability measures such as implementing security safeguards (such as data encryption and preventing misuse of data); and instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children, the Bill says.
How it protects the rights of individuals?
On rights of the individual, it sets out certain rights of the individual (or data principal). These include the right to: obtain confirmation from the fiduciary on whether their personal data has been processed; seek correction of inaccurate, incomplete, or out-of-date personal data; have personal data transferred to any other data fiduciary in certain circumstances; and fourth, restrict continuing disclosure of their personal data by a fiduciary if it is no longer necessary or consent is withdrawn.
While the Bill allows processing of data by fiduciaries only if consent is provided by the individual. But, in certain circumstances, personal data can be processed without consent if it is required by the state for providing benefits to the individual, for legal proceedings and to respond to a medical emergency.
On social media intermediaries, the Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
Who will oversee its implementation?
An independent authority called the ‘Data Protection Authority of India’ is empowered to oversee the enforcement of the Bill. The authority will have the power to, among other things, temporarily suspend or discontinue the business activity of the Data Fiduciary or Data Processor, cancel any registration or suspend or discontinue any cross-border flow of personal data.
The authority, where it has reasonable grounds to believe that any contravention of any provisions of the Bill has occurred, has the power to enter and search any building, access any computer resource or seize all books and records of a data fiduciary.
How it intends to ensure data localisation?
The Bill places specific restrictions on cross-border transfers of SPD and critical personal data. SPD may be transferred outside India for the purpose of processing, with the explicit consent of the Data Principal and if such transfer is made subject to standard contractual clauses or intra-group schemes that comply with requirements prescribed by the Authority. However, the Bill mandates storing a copy of or ‘mirroring’ all SPD within the territory of India.
The Bill further mandates the storage and processing of all critical personal data exclusively within India.
What penalties or punishment the Bill prescribes for violations?
The Bill lays down financial penalties for non-compliance ranging from Rs 5 crores or 2 percent of total worldwide turnover to Rs 15 crores or 4 percent of the total worldwide turnover. The Bill also provides for compensation for Data Principals for any harm caused to them due to contravention of the provisions of the Bill.
The Bill recognises the right of a class action suit, where an identifiable class of Data Principals have suffered harm. There are certain cases which have criminal liabilities prescribed under the Bill, such as obtaining, transferring or selling Personal Data knowingly or intentionally in contravention of the Bill or re-identification and processing of de-identified Personal Data.
Any person who knowingly or intentionally re-identifies anonymised data and processes the same without due consent is punishable with imprisonment for a maximum term of three years and/or a fine extendable to Rs 2 lakhs.
What do legal experts sayThe Personal Data Protection Bill, 2019?
“The draft proposed to be tabled before Parliament does take into account concerns raised by multinationals on the issue of data localisation. While flexibility has been introduced another issue of criminal liability has been tempered down with a further exception. What is definitely interesting are some new provisions relating to intermediaries and platforms," Sajai Singh, Partner, J. Sagar Associates, Advocates & Solicitor, said on the Bill in a statement.
"It will be relevant to understand the thinking of the Government behind certain exceptions to personal data processing which were not there in the earlier drafts. Overall, the Data Protection Bill does seem more palatable from an industry perspective than earlier proposals,” said Singh.
First Published: IST