DATA PROTECTION BILL, 2019

DATA PROTECTION BILL, 2019

Context

• The Personal Data Protection Bill, 2019 has been introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019.
• The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same.

About the Bill

• The Personal Data Protection bill, drafted by a panel headed by a former Supreme Court judge and submitted to the government last year, is key for how firms including global tech giants Amazon, Facebook, Alphabet's Google and others process, store and transfer Indian consumers' data.
• Broad guidelines on collection, storage and processing of personal data, consent of individuals, penalties and compensation, code of conduct and an enforcement model is likely to be a part of the law.
• Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
• The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.

Applicability

The Bill governs the processing of personal data by:

1. government,
2. companies incorporated in India, and
3. foreign companies dealing with personal data of individuals in India

About the Rights of the individual

The Bill sets out certain rights of the individual (or data principal). These include the right to:

1. obtain confirmation from the fiduciary on whether their personal data has been processed,
2. seek correction of inaccurate, incomplete, or out-of-date personal data,
3. have personal data transferred to any other data fiduciary in certain circumstances, and
4. restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.

Why companies are worried?

1. The proposed law may have a considerable impact on MNCs operating in India, whether with or without a physical presence, due to its data localisation requirements and cross-border data transfer restrictions.
2. The Reserve Bank of India had, in April last year, issued a data localisation directive, mandating all authorised payment system operators and banks to store payment systems data only in India.
3. This led to various ambiguities in the requirements as well as industry pushback on the strict requirements imposed, especially by global payment companies.

Grounds for processing personal data-

• The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent.
• These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.

Conclusion

• The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data. The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.