Personal Data Protection Bill, 2019
- Posted By
10Pointer
- Categories
Polity & Governance
- Published
13th Feb, 2020
-
-
Context
- A Joint Parliamentary Committee of both Houses headed by Lok Sabha Member Meenakashi Lekhi on Personal Data Protection Bill, 2019 has invited views and suggestions on the bill from individuals and association or bodies concerned.
-
Why was the committee appointed?
- Recognizing the importance of data protection and keeping personal data of citizens secure and protected, Ministry of Electronics and Information Technology (MeitY), Government of India constituted a Committee of Experts under the Chairmanship of Justice B N Srikrishna, Former Judge, Supreme Court of India.
- The committee submitted its report in 2018 which led to the formation of Personal data Protection Bill.
-
What did the committee suggested?
- The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
- Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India.
- The law will not have retrospective application and it will come into force in a structured and phased manner. The Aadhaar Act needs to be amended to bolster data protection.
- The data protection law will set up a Data Protection Authority which will be an independent regulatory body responsible for the enforcement and effective implementation of the law.
- Penalties may be imposed for violations of the data protection law.
- The state can process data without consent of the user on ground of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment, and Reasonable purpose.
- The law will cover processing of personal data by both public and private entities.
- Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
- Consent will be a lawful basis for processing of personal data.
- Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
- Personal data determined to be critical will be subject to the requirement to process only in India (there will be a prohibition against cross border transfer for such data).
-
What is Personal Data Protection Bill, 2019?
- The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same.
- Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. The Bill categorises certain personal data as sensitive personal data.
- Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
- Rights of the individual: These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
- Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
- Exemptions: The central government can exempt any of its agencies from the provisions of the Act.
- Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions.
- Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
Quick Recap
- Committee for Data Protection—Under Justice B N Srikrishna—by Ministry of Electronics and Information Technology.
- Personal Data Protection Bill—introduced by MeitY in 2019—Set up Data Protection Authority having 1 chairman and 6 members.
- Appeals from the Tribunal will go to the Supreme Court.
- Justice B N Srikrishna—retired Judge of Supreme Court
- Joint Parliamentary Committee on Personal Data Protection Bill, 2019—under Lok Sabha Member Meenakashi Lekhi
