Personal Data Protection (PDP) Bill, 2019 – Part I

Governance

Topic: General Studies 2:

• Government policies and interventions for development in various sectors and issues arising out of their design and implementation. 
• Statutory, regulatory and various quasi-judicial bodies.

Personal Data Protection (PDP) Bill, 2019 – Part I

The bill was introduction of in Lok Sabha during the winter session of Parliament. The Bill was referred to a joint parliamentary committee, which is currently engaged in a process of public consultation.

The draft law is a comprehensive piece of legislation that seeks to give individuals greater control over how their personal data is collected, stored and used. 

The Bill also establishes a Data Protection Authority for the same. 

Some of the other features of the bill are:

Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. 

Obligations of data fiduciary:

• Personal data can be processed only for specific, clear and lawful purpose.  
• All data fiduciaries must undertake transparency & accountability measures such as: 
  • Implementing security safeguards (such as data encryption and preventing misuse of data), and
  • Instituting grievance redressal mechanisms to address complaints of individuals.  
  • Institute mechanisms for age verification and parental consent when processing sensitive personal data of children.

Rights of the individual: This includes Right to

• Obtain confirmation from the fiduciary on whether their personal data has been processed
• Seek correction of inaccurate, incomplete, or out-of-date personal data
• Restrict continuing disclosure of their personal data by a fiduciary

Grounds for processing personal data

• Data Processing only if consent is provided by the individual. 
• However, in certain circumstances, personal data can be processed without consent.  These include: 
  • If required by the State for providing benefits to the individual
  • Legal proceedings 
  • To respond to a medical emergency.

Social media intermediaries:

• The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. 
• All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.

Transfer of data outside India: 

• Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. 
• However, such sensitive personal data should continue to be stored in India.  
• Certain personal data notified as critical personal data by the government can only be processed in India. 

Sharing of non-personal data with government: 

• The central government may direct data fiduciaries to provide it with any non-personal data and anonymised personal data (where it is not possible to identify data principal) for better targeting of services.

Exemptions: The central government can exempt any of its agencies from the provisions of the Act in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states,

Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

Part –II – Will cover the criticism of the bill with focus on data localisation

Connecting the dots

• Justice B.N.Srikrishna Committee report
• EU data regulations