All you need to know about the Personal Data Protection Bill, 2018

By deb


With the advancement of technology and the revolutionary increase in the use of, and dependence on, the internet, we create and share a lot of data, including personal information, through mobile applications and websites. Much of this data is also stored on hard disks, in the cloud, in databases, on memory disks, on the internet, on computers, etc., and it continues to grow at limitless rates, leading some sensitive information to enter the “Public Domain”. Once data enters the public domain, it is subject to various threats such as hackers, software threats, misuse or misrepresentation of information, and data breaches and leaks, creating a need for data protection.
 

What is Data Protection?

The term Data Protection means legal control over access to and use of stored data. In other words, it refers to a series of continuous and repetitive processes, sound policies and privacy laws that reduce intrusion into one’s privacy.
 

Data Protection in India

Up until now, privacy laws in India have offered little protection against misuse of one’s personal information. The transfer of personal data is currently governed by the Sensitive Personal Data and Information Rules, 2011, which have proven to be inadequate. With mounting concerns worldwide regarding the protection and legal regulation of an individual’s personal data in the face of various scandals, similar legislation is of the greatest importance in India, where data-driven services and transactions in the digital economy are ever increasing but the personal data of Indian nationals apparently sees very little protection.

Recently, Facebook admitted that the data of 87 million users, including 5 lakh Indian users, was shared with Cambridge Analytica, a British political consulting firm which combined data mining, data brokerage, and data analysis with strategic communication during electoral processes. The very thought of personal data being used for unknown intentions sent ripples across the world. Further to this, the European Union, in order to protect the personal data of individuals, had enacted the General Data Protection Regulation (GDPR), which establishes the right to privacy as a Fundamental Right. Following the implementation of the GDPR and taking examples from the legal frameworks of other countries on the subject, the Personal Data Protection Bill, 2018 has been introduced by the Justice B.N. Srikrishna Committee to prevent the “Personal Data” of individuals from being misused.
 

What are the key aspects of the draft bill?

The Personal Data Protection Bill has introduced concepts which are the essence of data protection, such as:

  • Data Fiduciary – The Bill defines every entity (a state, a company, any juristic entity or any individual) which determines the purpose and means of processing personal data as the “Data Fiduciary”.
  • Data Processor – Every entity (a state, a company, any juristic entity or any individual) which actually processes personal data on behalf of a data fiduciary is a “Data Processor”.
  • Data Principal – It means every entity including an individual, a Hindu Undivided Family, a company, a firm, a state, an association of persons or a body of individuals and every artificial judicial person.

The proposed Data Protection Bill states that unless explicit consent is given, your personal data cannot be shared or processed, which means that the onus lies on you to make an informed choice. It also states that any person processing your personal data is obligated to do so in a fair and reasonable manner, and that the data shall not be processed for purposes other than those for which it was originally intended. It makes the data fiduciary responsible for complying with the obligations in respect of any processing undertaken by it or on its behalf.
 

Grounds for processing personal data under the Bill

The Bill makes consent an essential part of processing data. No data shall be processed without the consent of the data principal. However, data may be processed without consent on certain grounds specified in the draft bill, such as:

  • If processing is necessary for any function of Parliament or any State Legislature or for any service or benefit to the data principal.
  • For compliance with any order or judgment of any Court or Tribunal in India.
  • To respond to any medical emergency involving a threat to life, a severe threat to the health or outbreak of disease.
  • Recruitment or termination of employment of a data principal by data fiduciary.
  • Prevention and detection of any unlawful activity, mergers and acquisitions, credit scoring, recovery of debt and whistleblowing.
     

Grounds for processing sensitive personal data under the Bill

The term ‘Sensitive Personal Data’ includes passwords, financial data, health data, biometric data, genetic data, and data on caste or tribe or religious and political beliefs. Sensitive personal data may be processed on the basis of explicit consent for:

  • Any function of Parliament or any State Legislature.
  • Any service or benefit to the data principal.
  • For compliance with any order or judgment of any Court or Tribunal in India.
  • To respond to any medical emergency involving a threat to life, a severe threat to the health or outbreak of disease.
     

Rights of Data Principal

Under the Personal Data Protection Bill, the Data Principal is granted certain rights such as:

  • Right to confirm whether the data fiduciary is processing or has processed the personal data and access to the data.
  • Right to correction of inaccurate, misleading or incomplete personal data.
  • Right to data portability.
  • Right to be forgotten, i.e., the right to restrict or prevent continuing disclosure of personal data by a data fiduciary.
     

Transfer of personal data outside India

Personal data other than those categorized as sensitive personal data may be transferred outside the territory of India under the following conditions:

  • Transfer is made subject to standard contractual clauses or inter-group schemes that have been approved by the Authority.
  • The Central Government has prescribed that transfers to a particular country or sector within a country are permissible.
  • The Authority approves a particular transfer or set of transfers as permissible.
  • In addition to the above, the data principal has consented to such transfer of personal data.
     

Exemptions

Processing of personal data in the interests of prevention, detection, investigation, and prosecution of any offense or any other contravention of law is permitted, provided it is authorized by a law made by Parliament and State Legislature.

The Ministry of Electronics and Information Technology has announced that before the Draft Bill is passed by Parliament, it will undergo intensive parliamentary consultation. The Ministry solicits comments from the general public on the Draft Bill in order to ensure that it is indeed the need of the hour and beneficial to the interests of individuals. The Draft Bill, when enacted, will give way to a new data privacy regime, which is based on trust and an efficient mechanism between the Data Fiduciary and the Data Principal. The Draft Bill imposes a series of obligations on the State and makes it accountable for processing the personal data of an individual, thereby protecting both the personal data and the constitutionally guaranteed right to privacy.
