Key Features Of The Personal Data Protection Bill, 2019

Nithyakalyani Narayanan

‘Personal data’ means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait or attribute of that person, and ‘sensitive personal data’ covers categories such as financial data, health data, sexual orientation, biometric data, genetic data, caste, and religious or political belief or affiliation. The Personal Data Protection Bill, 2019 (PDPB) was introduced in the Lok Sabha to protect such data, to lay down a framework for how personal data is to be processed, and to establish a Data Protection Authority to oversee it. It was introduced by the Minister of Electronics and Information Technology, Ravi Shankar Prasad, in December 2019.

Currently, the handling and transfer of personal data are regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under Section 43A of the Information Technology Act, 2000. Under that section, a body corporate that is negligent in implementing reasonable security practices while handling sensitive personal data is liable to pay compensation to the person affected. The Expert Committee observed that although the IT Rules were an attempt at data protection when they were introduced, the pace of growth of the digital economy has exposed their flaws: sensitive personal data is vaguely defined, several provisions can be overridden by contract, and the Rules bind only companies (body corporates), not the Government.

In 2017, the Supreme Court held, in K.S. Puttaswamy v. Union of India, that the right to privacy is a fundamental right under Article 21 of the Constitution of India, which guarantees personal liberty, and that informational privacy, including the privacy of personal data, falls within it. To examine the issue, a committee of experts chaired by Justice B. N. Srikrishna was constituted. The committee drafted a Personal Data Protection Bill and submitted it to the Ministry of Electronics and Information Technology in 2018. The Bill was then revised, adding provisions on social media intermediaries and empowering the Government to direct data fiduciaries to provide non-personal or anonymized data, before being introduced in 2019. The Bill proposes to omit Section 43A of the Information Technology Act, 2000, the provision under which a body corporate is liable to compensate a person for negligence in maintaining reasonable security practices for sensitive personal data (the penalty for damaging a computer system without the permission of its owner or the person in charge is a separate provision, Section 43, not Section 43A). The Bill sets out how an individual's personal data is to be collected, processed, and used.

Applicability of the Bill

Section 2 of the Bill sets out its scope: it applies to personal data that has been collected, disclosed, shared, or otherwise processed within India, to processing by the Government or by companies incorporated in India, and to processing by foreign companies that deal with the personal data of individuals in India. The Bill does not apply to the processing of anonymized data, except that the Central Government may direct a data fiduciary to provide anonymized personal data or non-personal data for better targeting of delivery of services and for formulating evidence-based policies.

Obligations of Data Fiduciary

A data fiduciary is any entity or individual who decides the purpose and means of processing personal data. Processing is subject to purpose and storage limitations: personal data may be processed only for a specific, clear and lawful purpose; the individual must be given notice before collection or processing; data may be retained only as long as the purpose for which it was processed requires, and must be deleted once processing is complete; and consent must be obtained from the data principal at the start of processing. All data fiduciaries must also adopt transparency and accountability measures, such as implementing security safeguards (for example, encryption of data), setting up a grievance redressal mechanism to address complaints, and instituting age verification and parental consent mechanisms when processing the data of children.

Processing Personal Data without Consent

The PDPB allows a data fiduciary to process personal data only with the consent of the data principal, which must be free, informed, specific, clear and capable of being withdrawn. There are, however, exceptions under which personal data may be processed without consent: where the State requires it to provide a benefit or service to the individual, for legal proceedings, for responding to a medical emergency, for purposes related to employment, and for ‘reasonable purposes’ specified by the Authority, such as prevention and detection of fraud, mergers and acquisitions, network and information security, credit scoring and whistle-blowing.

Rights of a data principal

The PDPB grants the data principal certain rights: the right to confirmation and access (to obtain from the fiduciary confirmation of whether their personal data is being processed, and a summary of it); the right to correction and erasure (to have inaccurate or misleading data corrected, incomplete data completed, out-of-date data updated, and data that is no longer necessary erased); the right to data portability (to have their data transferred to another data fiduciary); and the right to be forgotten (to restrict or prevent continued disclosure of their personal data where it is no longer necessary or consent has been withdrawn).

Authority for Data Protection

The Bill proposes a ‘Data Protection Authority of India’, which will protect the interests of individuals, prevent misuse of personal data, ensure compliance with the PDPB, and promote awareness of data protection. Orders of the Authority may be appealed to an Appellate Tribunal, and appeals against the Tribunal's orders lie to the Supreme Court.

Restrictions on Data Transfer outside India

Sensitive personal data may be transferred outside India for processing with the explicit consent of the individual and subject to further conditions (for example, under a contract or intra-group scheme approved by the Authority), but a copy must continue to be stored in India. Personal data notified by the Central Government as critical personal data may be processed only in India.

Exemptions

The Central Government has the power to exempt any Government agency from the applicability of the Act where it considers this necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to those matters. Processing is also exempted from certain provisions of the Bill where it is for the prevention, investigation or prosecution of any offence, for personal or domestic purposes, for journalistic purposes, or for research, archiving or statistical purposes.

Non-compliance with the Bill

Penalties are tiered:
1. Failure by a data fiduciary to fulfil its obligations (such as taking prompt action on a data breach, registering with the Authority, conducting a data protection impact assessment or audit, or appointing a data protection officer) is punishable with a penalty of up to Rs. 5 crore or 2% of its total worldwide turnover for the preceding financial year, whichever is higher.
2. Processing personal data in violation of the provisions of the Bill is punishable with a penalty of up to Rs. 15 crore or 4% of its total worldwide turnover for the preceding financial year, whichever is higher.
3. Re-identifying personal data that a fiduciary or processor has de-identified, or processing such re-identified data, without the consent of that fiduciary or processor is punishable with imprisonment of up to three years, a fine, or both.

Views are Personal.

(Author is a law student at Amity Law School, Noida)