Demand of the question
Introduction. Contextual introduction.
Body. Key Features of Personal Data Protection Bill, 2019. Various issues and analysis of the bill.
Conclusion. Way forward.
Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data. In India, usage of personal data or information of citizens is regulated by the Information Technology Act, 2000. Over the years, rapid technological advances have led to large volumes of data, which are at risk from increasing cyber crimes. An example of this is the biometric identification and verification system of Aadhaar that enables the government to ensure targeted delivery of State benefits, such as LPG subsidies. To safeguard the interests of Indian citizens, the government has introduced the ‘Personal Data Protection Bill, 2019’.
Key Features of Personal Data Protection Bill, 2019:
- Personal data definition: The Bill defines ‘personal data’ as any information which renders an individual identifiable. It also defines data ‘processing’ as collection, manipulation, sharing or storage of data. The Bill defines ‘data principal’ as the individual whose personal data is being processed and ‘data fiduciary’ as the entity or individual who decides the means and purposes of processing data.
- Territorial applicability: The Bill includes the processing of personal data by both government and private entities incorporated in India, and also by entities incorporated overseas, if they systematically deal with data principals within the territory of India. The central government may, by notification, exempt Indian entities exclusively dealing with data principals outside the territory of India.
- Grounds for data processing: The Bill allows data processing by fiduciaries if consent is provided by the individual. However, in certain circumstances, processing of data may be permitted without the consent of the individual.
- Sensitive personal data: Sensitive personal data is defined in the Bill to include passwords, financial data, biometric and genetic data, caste, religious or political beliefs. The Bill specifies more stringent grounds for processing of sensitive personal data, such as seeking explicit consent of an individual prior to processing.
- Obligations of the data fiduciary: The Bill lays down certain obligations on the data fiduciary who is processing personal data. These include:
  - Processing personal data in a fair and reasonable manner.
  - Notifying the data principal of the nature and purposes of data collection and their rights, among others.
  - Collecting only as much data as is needed for a specified purpose, and storing it no longer than necessary.
- Data Protection Authority: The Bill provides for the establishment of a Data Protection Authority (DPA). The DPA is empowered to:
  - Draft specific regulations for all data fiduciaries across different sectors.
  - Supervise and monitor data fiduciaries.
  - Assess compliance with the Bill and initiate enforcement actions.
  - Receive, handle and redress complaints from data principals.
- Cross-border storage of data: The Bill states that every fiduciary shall keep a ‘serving copy’ of all personal data in a server or data centre located in India. The central government may notify certain categories of personal data as exempt from this requirement on grounds of necessity or strategic interests of the State.
- Transfer of data outside the country: Personal data (except sensitive personal data which is ‘critical’) may be transferred outside India under certain circumstances.
Key issues and analysis:
- No guidelines for processing of data: While the Bill places this obligation on all data fiduciaries, it does not specify any principles or guidelines for what constitutes a ‘fair and reasonable’ manner of personal data processing. The Justice Srikrishna Committee Report had suggested that courts of law and regulatory authorities should be allowed to evolve principles of fair and reasonable processing.
- Conflict of interest: Selective reporting of data breaches will keep the DPA from being burdened with a high volume of low-impact data breach reports, and will also not make the burden of reporting too onerous on the fiduciary. However, there may be a conflict of interest while determining whether a breach is to be reported, as the fiduciary is regulated by the DPA.
- Exemptions: The Bill lays down certain obligations on all data fiduciaries for processing the data principal’s information. However, the above obligations and safeguards do not apply if data is processed for the purposes of national security, prevention, investigation and prosecution of violations of a law, legal proceedings etc.
- Data processing for State functions does not require consent: The Bill allows for processing of an individual’s personal data without their consent if it is necessary for any function of the Parliament or state legislature. It is unclear what functions of the Parliament would necessitate such processing of data without the consent of the individual.
- Storage of data within the territory of India: The Bill states that every data fiduciary shall keep a ‘serving copy’ of all personal and sensitive personal data in a server in India. The definitions of ‘serving copy’ and ‘critical personal data’ are not provided. It is unclear what is meant by a ‘serving copy’ of data.
- Powers and functions of the Data Protection Authority: Enforcement of penalties and compensation orders of the DPA does not require a court order. The Bill does not specify that a court order would be required for the enforcement actions.
Way forward:
- It is important to strike the right balance between the digital economy and privacy protection. The law should encompass all aspects: data collection, processing and sharing practices.
- The privacy of the individual is important, for which data should be secured.
- The government must incorporate suggestions from various stakeholders on the draft Bill.
- Privacy should not be used to undermine government transparency. Data protection law should be framed such that it does not make the government opaque and unaccountable.
Data protection is a must in the digital era. With the right to privacy being a fundamental right and the recent rise in risks to the privacy of individuals, a data protection law is the need of the hour. The state must prevent and investigate digital crimes, prevent misuse of data and encourage data security through legislation. It is important to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.