People’s engagement in the digital economy has expanded as a result of the pandemic. Sadly, the incidence of personal data breaches at major digital service providers has grown alarmingly over the same period.
With the data of 9.9 crore customers at risk, the recently alleged data breach at MobiKwik may be India’s largest. Given the value of data in today’s world, a strong data protection regime is needed to deter such incidents and safeguard users’ interests.
The Information Technology Act, 2000 currently governs how businesses collect and process users’ personal data in India, but this framework falls short of providing adequate protection to consumers and their personal data.
The transfer and security of data are at the centre of today’s global disputes. In this regard, India’s first attempt to domestically legislate on the problem of data privacy is the Personal Data Protection (PDP) Bill, 2019.
The Bill was modelled on an earlier draft prepared by a committee chaired by retired Justice B N Srikrishna. The current draft, however, departs from the Srikrishna committee’s recommendations in several respects.
Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology, introduced the Personal Data Protection Bill, 2019 in the Lok Sabha on December 11, 2019. The Bill seeks to protect the personal data of individuals and establishes a Data Protection Authority for that purpose.
The Bill regulates the processing of personal data by the following entities: (i) the government, (ii) Indian companies, and (iii) foreign firms processing the personal data of individuals in India. Personal data is data relating to an individual who is directly or indirectly identifiable from it, having regard to any characteristic, trait or attribute of that individual’s identity. The Bill classifies certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, and any other category of data notified by the government in consultation with the Authority and the relevant sectoral regulator.
Obligations of data fiduciaries:
A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing is subject to restrictions on purpose, collection and storage; for example, personal data may only be processed for specific, clear and lawful purposes. In addition, all data fiduciaries must take certain transparency and accountability measures, including (i) implementing security safeguards (such as encrypting data and preventing its misuse), and (ii) instituting grievance redressal mechanisms to address complaints from individuals. When processing sensitive personal data of children, they must also put in place mechanisms for age verification and parental consent.
Rights of the individual:
The Bill sets out the rights of the individual, termed the data principal. These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances (data portability), and (iv) restrict the continuing disclosure of their personal data by a fiduciary if it is no longer necessary or consent has been withdrawn.
Grounds for processing personal data:
The Bill allows fiduciaries to process data only with the consent of the individual. Personal data may, however, be processed without consent in certain circumstances. These include (i) where processing by the State is required to provide benefits to the individual, (ii) legal proceedings, and (iii) responding to a medical emergency.
Social media intermediaries:
The Bill defines these as intermediaries that primarily enable online interaction between users and allow them to share information. All such intermediaries with users above a notified threshold, and whose actions can affect electoral democracy or public order, must meet certain obligations, including offering a voluntary user verification mechanism for users in India.
Data Protection Authority:
The Bill establishes a Data Protection Authority empowered to: (i) protect the interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members with at least ten years’ expertise in data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal, and appeals from the Tribunal will go to the Supreme Court.
Transfer of data outside India:
Sensitive personal data may be transferred outside India for processing if the individual has given explicit consent and certain additional conditions are met. Such sensitive personal data must, however, continue to be stored in India. Certain personal data notified by the government as critical personal data may only be processed in India.
Exemptions: The central government may exempt any of its agencies from the provisions of the Act: (i) in the interests of the security of the State, public order, the sovereignty and integrity of India, and friendly relations with foreign states; and (ii) to prevent incitement to commit any cognisable offence (i.e. one for which arrest is possible without a warrant) relating to the above matters. Processing of personal data is also exempted from the Bill’s provisions for certain other purposes, including (i) the prevention, investigation or prosecution of any offence, (ii) personal or domestic purposes, and (iii) journalistic purposes. Such processing must nonetheless be for a specific, clear and lawful purpose, with appropriate security safeguards in place.
Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the fiduciary’s annual turnover, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of Rs 5 crore or 2% of the fiduciary’s annual turnover, whichever is higher. Re-identifying and processing de-identified personal data without consent is punishable with imprisonment of up to three years, a fine, or both.
Sharing of non-personal data with the government:
The central government may direct data fiduciaries to provide it with any of the following, for better targeting of services: (i) non-personal data; and (ii) anonymised personal data (where the data principal cannot be identified).
Amendments to other laws:
The Bill amends the Information Technology Act, 2000 to delete the provisions that require companies to pay compensation for failing to protect personal data.
In the Puttaswamy judgment (2017), the Supreme Court held that the right to privacy is a fundamental right and that personal data must be protected as an essential facet of informational privacy. At the same time, the growth of the digital economy is necessary to open up new vistas of socio-economic development.
Data is a valuable resource in the digital era and must not be misused. In this context, India’s data protection regime is in urgent need of strengthening.
The Joint Parliamentary Committee examining the Bill is expected to submit its final report in the Monsoon Session of Parliament in 2021. This interim period should be used to amend the Bill to address the various concerns raised and to create a more robust and effective data protection regime.