Decoding The Personal Data Protection Bill, 2019
Do you remember the Adobe data leak that happened in October 2013? More than 153 million user records with username and password got leaked, and nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts, were stolen by hackers.
Data privacy and protection has been a concern across the world over the past couple of years. Many nations are building newer laws and amending existing ones to address the risks associated with the personal data of their citizens. India has also followed suit by introducing the Personal Data Protection Bill 2018 – 2019, which is awaiting enactment into law.
An agreement in August 2015 called for Adobe to pay a sum of $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported at $1 million.
The draft bill for collective Data Privacy was built with the essence of fair and reasonable processing at its core. It is reasonable to assume that the bill was drafted to determine what would be considered the rightful and lawful processing of personal data. Like most of the global data privacy and protection laws, this bill also places the responsibility for compliance with its requirements on the “data fiduciary.”
For reference, the data fiduciary is the entity responsible, directly or indirectly, for collecting personal data. The data processor, the entity responsible for processing or acting on the personal data to extract any meaningful information, is not directly responsible for compliance with the bill, but would be bound by contractual obligations imposed by the data fiduciary.
- The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same.
- Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
- Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
- Rights of the individual: The Bill sets out certain rights of the individual (or data principal). These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, and (iii) to respond to a medical emergency.
- Social media intermediaries: The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
- Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
- Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
- Exemptions: The central government can exempt any of its agencies from the provisions of the Act: (i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
- Offences: Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
- Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
- Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
The Personal Data Protection Bill has been referred to a 30-member Joint Committee of Parliament headed by Ms. Meenakshi Lekhi, MP from the BJP. On 13th Dec. 2019, the GOI introduced the Personal Data Protection Bill, 2019, in the Lok Sabha.
The bill was circulated yesterday among members of parliament. This bill lays out a data protection framework for India, and lays down limits of usage, collection, and processing of personal data, along with the setting up of a data protection regulator.
It is the first step in developing a privacy framework for India. Drafted by the Justice BN Srikrishna-led committee, the first version of the bill was made public in August 2018, and became available for public comments. Both Houses have agreed to refer the Bill to the Joint Committee.
The Committee will give its first report before the end of the Budget Session 2020.