Acknowledging that the right to privacy is a fundamental right and that it is necessary to protect personal data as an essential facet of informational privacy, the Ministry of Electronics and Information Technology in India introduced the Personal Data Protection Bill, 2019 in the Lok Sabha (lower house of the Indian Parliament) on 11th of December, 2019.
The 2019 Bill seeks to:
- provide for protection of the privacy of individuals relating to their personal data,
- specify the flow and usage of personal data,
- create a relationship of trust between persons and entities processing the personal data,
- protect the rights of individuals whose personal data are processed,
- create a framework for organisational and technical measures in processing of data,
- lay down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and
- establish a Data Protection Authority of India for the said purposes.
The provisions of the Act, once it is enacted, will be applicable in respect of:
- processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India,
- processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law, and
- processing of personal data by data fiduciaries or data processors not present within the territory of India, in specified cases.
According to the provisions of the Bill, “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
The Bill also provides for setting up a Data Protection Authority of India in order to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection. The functions of the Authority also include monitoring and enforcing application of the provisions of the new Act (once it comes into force), taking prompt and appropriate action in response to a personal data breach, and maintaining a database on its website containing the names of significant data fiduciaries.
It may be noted that in 2018 the Srikrishna Committee submitted a report along with a copy of the draft legislation, namely ‘The Personal Data Protection Bill, 2018’. In a major change introduced in 2019, the new Bill seeks to empower the government to seek anonymized and non-personal data from businesses to enable better delivery of services and formulation of evidence-based policies.
Further, as per the provisions, data may only be retained for longer periods if explicit consent of the data principal is obtained. Explicit consent of the data principal is also necessary for the collection and processing of sensitive personal data. The order of the adjudicating authority with respect to the data principal’s right to be forgotten has been made appealable.
According to the 2019 Bill, sensitive personal data can be transferred across borders provided a copy is retained in India. However, explicit consent of the data principal will be required for any such transfer or processing that occurs across borders. Further, critical personal data will have to be retained and processed in India alone. What constitutes critical personal data will be notified by the government at a later date.
The 2019 Bill proposes significant changes in the procedure for search and seizure, and such activities are not to be performed at the discretion of the Data Protection Authority but upon the directions of a designated court.
Once the provisions come into effect, business and industry will have to work towards increasing intra-organisation awareness and appoint a Data Protection Officer to ensure compliance with this legislation. They will also be required to internally audit all existing contractual obligations to ensure compliance relating to the protection of personal data.