The Personal Data Protection Bill 2019, represents a positive step towards realizing data protection and privacy law for Indians. It was tabled in Parliament on December 11th, 2019.
Fast forward to 2021, India has witnessed a deadly global pandemic.
Came along a series of privacy breach cases and marathon bans on popular mobile apps over data security. High-profile unauthorized data harvesting scandals became a part of the pandemic.
All this brings us to a rather fundamental question:
Is the Right to Privacy a fundamental right in reality? Is Individual the real owner of his data?
Information Technology Act, 2000 and current regulations under the act did not provide an effective bulwark against unethical personal data processing
- firstly due to no restriction placed on data fiduciaries, and
- secondly, even the cases with limitations placed can easily be breached through a contract.
The 2019 Bill intends to protect the privacy rights of individuals with respect to their personal data and governs and regulates the organizations processing such personal data.
It encompasses various principles like the right to erasure, protocols regarding the collection limitation, and retention of data, although with broader exemptions to government data.
While the legislation prohibits the sharing and processing of critical data outside India, in addition, it places limitations on data processing in case of sensitive data, requiring the consent of the user.
Key powers and obligations of the Central Government under the Personal Data Protection Bill:
Grounds for processing personal data without consent:
This bill stays away from the principle of necessary consent and lays down the grounds where personal data can be processed without consent.
This includes the provision of any service or benefit, issuance of permits, and licenses to the data principal.
Right to Data Portability :
The state has been exempted from the requirement to convert automated data into structured, commonly used, machine-readable format where the processing is necessary for functions of the State or in compliance with the law.
Conditions for transfer of sensitive personal data and critical personal data :
Cross-border transfer of sensitive personal data is possible when the central government has allowed the transfer to a country or an international organization if they deem fit under the conditions laid down in Sec.34(b)(i)- 34(b)(ii).
Power of central government to exempt any agency of government from the application of the Act:
The central government has the power to exempt “any” government agency from all or any provisions of the Act regarding the processing of specified personal data.
The government can take such steps if –
- it is in the interest of the sovereignty and integrity of India
- the security of the state, friendly relations with foreign states
- public order.
Exemption of certain provisions for certain processing of personal data:
This Personal data protection bill exempts the central government from the application of certain provisions of the bill in the interest of
- and prosecution of any offense
- any other contravention of any law for the time being in force.
Power of central government to exempt certain data processors:
The central government can exempt data processors from applying this act to process the personal data of data principals, not within the territory of India.
Power of central government to issue directions:
The central government issues directions to the authority in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order, and the decision of the central government whether a question of policy or not shall be final.
Act to promote framing of policies for the digital economy:
Under the bill, the central government can frame a policy for the digital economy.
The policy does not govern personal data and can also direct any data fiduciary and data processor to provide any personal, or non-personal data for evidence-based policy formulation.
RIGHT OVER PERSONAL DATA
The Bill provides the data principal with certain rights with respect to their personal data. These include seeking confirmation on whether their personal data has been processed, seeking correction, completion, or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their personal data, if it is no longer necessary or if consent is withdrawn.
The Personal Data Protection Bill provision
- The Bill regulates personal data related to individuals, and the processing, collection, and storage of such data.
- An individual whose personal data is being processed is data principal.
- The entity or individual who decides the means and purposes of data processing is known as data fiduciary.
- The Bill governs the processing of personal data by both government and companies incorporated in India.
- It also governs foreign companies, if they deal with the personal data of individuals in India.
Considering the instances of Data theft and its misuse by foreign organizations, India is in dire need of reforms and legislation in the sector of Data Processing.
The Bill must equally balance the intervention of government in the process and maintain proper checks to keep everyone accountable.
So, it is not the legislation but its implementation that guarantees that it serves its purpose.