Why new personal data protection bill is the talk of the town??????
What is the necessity to bring this law in existence?
Are present existing laws on Cyber Safety, failing to resolve challenges associated with personal data protection?
Well, the nation is eager to know every inch of this bill, it’s utmost significance and how it will prove to be a helping hand in battling against the issues that originates through cybercrimes. This article is an endeavour to enlighten people around the nation regarding the utmost need to bring this law in public.
In today’s digital era where every day technology proves to be a boon, on the other facet it comes with countless challenges as well. Though there are several governing laws introduced by legislature to combat cybercrimes but with more advancements in technology, there is an extreme need to fill the voids vulnerable to cybercrimes.
The two-decade old Information Technology Act, 2000 (IT Act)
and other allied laws are somewhere lacking to deal with the rapid advancements in technology.
In July 2017, the Ministry of Electronics and Information Technology formed a committee to analyse deep insights into issues associated to data protection. The committee was headed by retired Supreme court judge Justice B. N. shikrishna.
The committee submitted the draft Personal Data Protection Bill, in July 2018. Further, the Bill was approved by the cabinet ministry of India on 4 December 2019, named as the Personal Data Protection Bill 2019 and tabled in the Lok Sabha on 11 December 2019.
What is Personal Data Protection?
Firstly, let’s classify data as personal and non-personal data. Personal data signifies to characteristics, traits or attributes of identity, which can be used to identify an individual. Non-personal data comprises of aggregated data through which individuals cannot be identified. For example, while an individual’s own location would constitute personal data; information derived from multiple drivers’ location, which is often used to analyse traffic flow, is non-personal data. Precisely, data protection refers to rules and regimes seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Objective of the Bill
Objective of the bill is to safeguard a user’s rights in terms of how their data is processed. The bill proposes a framework for organisational and technical measures in data processing, laying down norms for social media intermediaries, accountability of entities processing personal data, cross-border transfer, and remedies for unauthorised processing.
It protects the privacy of individuals by specifying the flow and usage of personal data. Most importantly, it creates a relationship of trust between persons and entities that processes the personal data thereby protects individuals fundamental right i.e., Right to privacy.
Why was a Bill brought for personal data protection?
In August 2017, the Apex Court held that privacy is a fundamental right for survival, though this right is not explicit in the Constitution of India. However, it is implicit under the head of Article 21 which offers innumerable rights.
The Court also observed that privacy of personal data is an integral aspect of the right to privacy that’s why in July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was organised to analyse issues related to data protection in India.
The Committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018. The Bill is based on the recommendations of the report of the Expert Committee and the suggestions received from various stakeholders.
Why this bill is the need of the hour?
The massive increase in cyber-attacks demanded new norms to secure public sensitive personal data. The Information Technology Act, nowhere spells about personal data protection. There is no legislation that specifically and comprehensively talks about individual’s protection. Therefore, regulatory authorities took initiative to mitigate challenges suffered by individuals entrusting entities and organisations that process their private data.
The initiative to bring this bill in public domain is a promise to assure public in large that the government is making all efforts to converse the nation into digital India along with providing full security to public on personal data protection.
What PDP Bill include?
This Bill proposes requirements for notice and prior consent from individuals for the use of data. Bill also expresses limitations on the purposes for which data can be processed by companies. Additionally, it includes data localization requirements and the appointment of data protection officers within organizations.
Currently, there is no specific law on individual’s personal data breaching. However, the Indian legislature has amended the Information Technology Act (2000) to include Section 43A and Section 72A, which enunciates a right to compensation for improper disclosure of personal information. This bill is an initiative to include all what are prior acts are failing to write on data privacy.
Formulating Data Protection Law
The journey to formulating data protection law initiated when government of India established a committee under the chairmanship of justice B. N. Krishna in 2017 to formulate laws on personal data protection for the country.
The committee drafted a personal data protection bill, 2018. The bill applies to personal data and classifies the data into sensitive and non-sensitive personal data.
The data protection authority is the special authority, specifically designed to regulate data protection and accountability.
This bill envisaged that personal data should be processed for certain reasons only like if the processing is essential to the functioning of parliament or state legislators, maintenance of law and order, and public interest or in case of any emergency.
Some important Concepts under the bill
Obligations of data fiduciary
A data fiduciary is an entity who decides the purpose of processing personal data. The processing is subject to certain purpose, collection and storage limitations.
Personal data can be processed only for clear, specific, and lawful purpose. Moreover, data fiduciaries must undertake certain transparency and accountability measures such as:
- implementing security such as data encryption and preventing misuse of data.
- establishing grievance redressal methods to address complaints of individuals. They must also institute mechanisms for parental consent and age verification when processing sensitive personal data of children.
Rights of the individuals
The Bill encompasses certain rights of the individual which includes
- the right to obtain confirmation from the fiduciary on whether their personal data has been processed.
- seek correction of incomplete, inaccurate, or outdated private data,
- have personal data transferred to any other data fiduciary in some circumstances, and
- restrict disclosure of individuals personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
Social media intermediaries
The Bill defines social media intermediaries which enable online interaction between users and allow for sharing of information. All intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
Offences under the Bill include:
- transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher.
- failure to conduct a data audit punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
Amendments to other laws
The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Are there any restrictions on an individual’s data?
The Bill laid down obligations of data fiduciaries on processing individuals’ personal data. However, such processing should be subject to certain purpose, collection and storage limitations. Personal data can be processed only for clear, specific, and lawful purpose. All data fiduciaries must undertake some transparency and accountability measures. These fiduciaries must undertake additional accountability measures likewise conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data (includes financial data, caste, religious, biometric data, or political beliefs).
What is the grievance redressal mechanism if the above restrictions are not followed?
The Bill sets up a Data Protection Authority for the individuals who are victims of data breach. The Authority will be comprised of members with expertise in fields such as data protection and information technology.
Any individual, who is not satisfied with the grievance redressal can file a complaint to the Authority. Orders of the Authority are appealable, an be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court
So, there are a lot of expectations from this upcoming personal data protection regime. Public is eager to know how this bill will safeguard their privacy from encroachment and data breach by well-known entities and off course state.
This Act is surely going to bring a revolution in the digital sector and will definitely prove to be in the good interest of public at large.