Personal data protection bill
Written by: Piyush Bhardwaj, Student, Lloyd law college, Greater Noida
A draft of the Personal Data Protection Bill, 2019 (“Bill”) was introduced in the Lok Sabha on December 11, 2019. The Bill is based on the draft legislation submitted to the Ministry of Electronics and Information Technology in July 2018 by a nine-member Committee of Experts headed by Justice B.N. Srikrishna. The Bill has been referred to a Joint Parliamentary Committee for detailed examination, and the report is expected by the Budget Session, 2020. The Bill seeks to provide for the protection of the personal data of individuals, create a framework for processing such personal data, and establish a Data Protection Authority for the purpose.
The Bill is based, in large part, on the proposed draft of the Personal Data Protection Bill, 2018 (“Draft Bill”) which was attached to the report submitted to the Government by the Committee of Experts constituted under the Chairmanship of Justice Srikrishna. That being said, the Bill also includes several modifications and changes in scope and intent. At its core, the Bill continues to require that Personal Data be processed fairly and reasonably while ensuring the privacy of the Data Principal, for purposes that are consented to by the Data Principal, or purposes incidental or connected thereto.
This law has been two years in the making, and will lead to the creation of a Data Protection Authority in India, the imposition of norms on collecting and processing of data, as well as the cross-border transfer of data.
KINDS OF PERSONAL DATA
The Bill regulates 3 categories of data – Personal Data, Sensitive Personal Data, and Critical Personal Data.
Personal data: Under the Bill, no localization or data transfer restrictions apply to personal data that is not considered “sensitive” or “critical”. This type of personal data may be stored entirely outside India, and no transfer restriction would apply.
Sensitive personal data: It may be transferred for processing outside India with the user’s explicit consent and the Data Protection Authority’s or Central Government’s permission, but it must also continue to be stored in India. Sensitive personal data includes financial data, health data, sexual orientation, transgender status, caste/tribe, and religious or political beliefs. The Central Government and the DPA can together also notify further kinds of data as sensitive personal data. “Passwords” have been removed from the list of sensitive personal data in the Bill.
Critical personal data: As with the 2018 draft, the Bill permits the government to designate certain personal data as “critical personal data”, without providing any limitation on the government’s power to make such a designation. Critical personal data generally may not be transferred outside India. However, the Bill would create an exception to this strict localization requirement for transfers to countries or organizations deemed to provide an adequate level of protection, or in limited circumstances to protect vital interests.
The Bill dilutes data localisation requirements, as envisaged in the Srikrishna draft bill, and mandatory mirroring of personal data has also been removed.
In August 2017, the Supreme Court held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy. In July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to examine various issues related to data protection in India. The Committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018. The Statement of Objects and Reasons of the Personal Data Protection Bill, 2019 states that the Bill is based on the recommendations of the report of the Expert Committee and the suggestions received from various stakeholders.
The Bill has made several changes from the draft Bill. For instance, the Bill has added a new class of significant data fiduciaries, as social media intermediaries. These will include intermediaries (with users above a notified threshold) which enable online interaction between users. Further, the Bill has expanded the scope of exemptions for the government, and additionally provided that the government may direct data fiduciaries to provide it with any non-personal or anonymised data for better targeting of services.
The Bill regulates personal data related to individuals, and the processing, collection and storage of such data. Under the Bill, a data principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as data fiduciary. The Bill governs the processing of personal data by both government and companies incorporated in India. It also governs foreign companies, if they deal with personal data of individuals in India.
Currently, the usage and transfer of the personal data of citizens is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. The rules hold the companies using the data liable for compensating the individual in case of any negligence in maintaining security standards while dealing with the data. The Expert Committee, in its report, held that while the IT Rules were a novel attempt at data protection at the time they were introduced, the pace of development of the digital economy has shown their shortcomings. For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract. Further, the IT Act applies only to companies, not to the government.
The Bill allows the government to notify certain companies as significant data fiduciaries based on factors like the volume of personal data they process, the sensitivity of such data, their turnover, etc. Once classified as significant data fiduciaries, companies will have to comply with heightened obligations like conducting data protection impact assessments, appointing data protection officers, and, in the case of social media companies, enabling their users to voluntarily verify their accounts. This means that large companies that process large volumes of personal data and enjoy high turnovers can be notified as significant data fiduciaries and will have to comply with these heightened obligations.
The Bill also provides for certain obligations of data fiduciaries with respect to processing of personal data. Such processing should be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as implementing security safeguards and instituting grievance redressal mechanisms to address complaints of individuals. Certain fiduciaries would be notified as significant data fiduciaries (based on certain criteria such as volume of data processed and turnover of fiduciary). These fiduciaries must undertake additional accountability measures such as conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data (includes financial data, biometric data, caste, religious or political beliefs).
The Data Protection Authority will be responsible for the enforcement of the Bill once it is enacted. It has wide-ranging powers, including the power to require certain entities to conduct mandatory data protection impact assessments and the power to permit cross-border transfers in certain cases. Non-compliance with the Bill can attract penalties of up to INR 15 crores or 4% of worldwide turnover, whichever is higher.
Opinions expressed in the blogs are the sole responsibility of the author(s) and do not necessarily reflect the views of The L Word Blog.