The Personal Data Protection Bill, 2019 was presented in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad on 11th December, 2019, a year after the draft was created by a committee headed by Justice BN Srikrishna. The bill has been referred to scrutiny by a Joint Parliamentary Committee. The Bill seeks to secure individual’s personal data, and creates a Data Protection Authority for the same purpose. It has broad implications which will help the country achieve a better governance framework in data protection matters. The bill will be instrumental in governing the data driven geopolitical environment in India. The concepts such as data localization, consent requirement and the right to be forgotten were introduced in the bill which increased the power of the common man in the arena of internet use. The bill has some negative aspects also. The biggest concern about the bill is the granting of data collection exemptions to the government which has given enormous power in government hands.
The Supreme Court ruled in August 2017, that privacy is a fundamental right, emanating from the right to life and personal liberty under Article 21 of the Constitution. The Court also acknowledged that personal data and information are an integral part of the right to privacy.
A Committee of Experts, chaired by Justice B. N. Srikrishna, was formed in July 2017, to explore various data security concerns in India. In July 2018, the Committee submitted its report the Ministry of Electronics and Information Technology, along with a Draft Personal Data Protection Bill, 2018. The Personal Data Protection Bill’s Statement of Objects and Reasons, 2019 states that the Bill is based on the recommendations of the Expert Committee’s report and the suggestions received from various stakeholders.
The Bill governs the transmission, compilation and storing of personal data belonging to individuals. Under the Bill, a person whose personal data is being collected is a principal data. The entity or individual that determines on the data processing means and purposes is known as fiduciary data. The Bill regulates the collection of personal data for both government and incorporated business in India. It also controls international companies, whether they work with individual’s personal data in India.
RESTRICTIONS ON PROCESSING OF AN INDIVIDUAL’S DATA
The Bill also lays out other obligations of data fiduciaries with respect to processing of personal data. Such processing should be subject to some restrictions about intent, compilation, and storage. Personal data, for example, can only be processed for specific, clear and lawful purposes. Furthermore, all data fiduciaries shall take other confidentially and compliance steps such as the introduction of protection protocols and the creation of dispute resolution processes to resolve person grievances. Any fiduciaries should be identified as important data fiduciaries (based on certain requirements such as data volume processed and fiduciary turnover). Such fiduciaries will take appropriate transparency steps, such as performing an impact evaluation on privacy security until the large scale collection of confidential personal data (including financial details, bio metric data, caste, religious or political beliefs) takes place.
INDIVIDUAL RIGHTS OVER THEIR DATA
The Bill grants some privileges to the owner of data over their personal details. These include seeking confirmation on whether their personal data has been processed, seeking correction, completion or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their personal data, if it is no longer necessary or if consent is withdrawn. Any collection of personal data can only be carried out on the basis of permission provided by principal data.
EXEMPTIONS FOR GOVERNMENT AGENCIES
For some cases the collection of personal data is excluded from the bill’s requirements. For example, in the interest of state security, public order, Indian sovereignty and independence, and friendly ties with foreign states the central government may exempt any of its agencies. The collection of personal data for any other reasons such as prevention, investigation, or prosecution of any crime, or research and journalistic reasons is also excluded from the provisions of the bill. Furthermore, personal data of individuals can be collected without their permission under such situations such as: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) Medical emergency response.
PENALTIES FOR NOT COMPLYING
The bill provides a data privacy agency to maintain consistency with the provisions of the law, and to allow with more regulations on the collection of personal data of individuals. The Authority must be comprised of representatives with experience in such areas as data protection and information technology. Any individual, who is not comfortable with the data fiduciary’s grievance resolution, will lodge a complaint with the Authority. The Authorities decision can be appealed to an Appellate Tribunal. Appeals from the Tribunal must go to the Supreme Court.
THE NEW BILL DIFFER FROM THE OLDER DRAFT BILL
The most significant differences are the exemptions given to government departments, the exemption for small companies (businesses that manually collect data), the criminalization of some acts, and the classification of non-personal data (information that doesn’t include any personal details).
Firstly, the new bill provides much more leeway to the Indian government for exemption. The old bill allowed exemption from the use of personal data for the sake of national security, but only if this was approved by parliament and considered “necessary” and “proportionate.” The new bill allows the government to exempts its agencies from the law for even wider purposes.
Secondly, both versions of the bill allow exemptions for small businesses that manually take care of personal information about customers. Under the old bill, these businesses had to meet three requirements, based on annual turnover; whether they shared personal data; and how much personal data they handled. But the new Data Protection Authority determines which small businesses qualify for exemption under the new legislation.
DIFFERENCES BETWEEN INDIA’S NEW BILL AND THE EU’S DATA PROTECTION LAW, THE GDPR
There are also major differences between the two.
Firstly, the bill grants central government of India the right to exclude any government agency from the provisions of the bill. This exemption can be given for purposes national security, national sovereignty, and public order.
Although the GDPR provides similar escape clauses to EU member states, other EU laws closely control these clauses. Without such protections, India’s bill potentially gives India’s central government the power to access individual data outside established Indian laws such as the Information Technology Act of 2000, which deals with cybercrime and e-commerce.
Second, unlike the GDPR, India’s bill allows the government to compel companies to share with the government all of the non-personal data that they collect with.
The bill says it is to boost government services delivery. It does not clarify how this data will be used, how it will be shared with other private entities, or whether any fee for using this data will be paid.
Thirdly, the GDPR does not allow companies to keep EU data within the EU. They can transfer it overseas, so long as they follow requirements such as standard data protection contractual provisions, codes of conduct, or qualification systems that are accepted prior to transfer.
The Indian bill allows the transfer of certain personal data, but sensitive personal data can only be transferred outside India if it meets conditions that are close to those of the GDPR. However, this data can only be forwarded to be processed outside India; it cannot be stored outside India. This will trigger technical challenges in delineating between categories that have to meet this requirement, and add to the enforcement costs businesses.
According to the PDPB implemented in a statute, there is much compliance to be met by organizations processing personal data to ensure the privacy of individuals relevant to their Personal Data.
Individual Consent to the processing of personal data will be required. Organizations will have to review and amend data security policies on the basis of the f orm of personal data being handled, codes to ensure that they are compatible with updated standards such as reviewing their internal violation notification protocols, introducing effective technology and organizational steps to avoid data misuse, appointing Data Protection Officer to the Significant Data Fiduciary, and establishing grievance redress mechanisms to address individuals complaints.
Author: Kunal Gupta,
Intern at Lawportal,
Author: Kunal Gupta,
Jagran lakecity University