Government Withdraws Data Protection Bill, 2021
Polity & Governance
4th Aug, 2022
The government has withdrawn the Personal Data Protection Bill from Parliament as it looks to come up with a “comprehensive legal framework” for regulating the online space, including separate legislation.
What is Personal Data?
- Data can be broadly classified into two types: personal and non-personal data.
- Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
- Non-personal data includes aggregated data through which individuals cannot be identified.
- For example, while an individual’s own location would constitute personal data, information derived from multiple drivers’ locations, which is often used to analyse traffic flow, is non-personal data.
What is Data Protection?
- Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Why was a bill brought for Personal Data Protection?
- In August 2017, the Supreme Court held that privacy is a fundamental right under Article 21 of the Constitution.
- The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy.
- In July 2017, a Committee of Experts, chaired by Justice BN Srikrishna, was set up to examine various issues related to data protection in India.
- The committee submitted its report, along with a Draft Personal Data Protection Bill, 2018, to the Ministry of Electronics and Information Technology in July 2018.
Personal Data Protection Bill Features
- The Bill seeks to provide for the protection of personal data of individuals.
- The Bill governs the processing of personal data by:
  - Companies incorporated in India
  - Foreign companies dealing with personal data of individuals in India
- Obligations of data fiduciary: Personal data can be processed only for a specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as:
  - Implementing security safeguards (such as data encryption and preventing misuse of data).
  - Instituting Grievance Redressal Mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
- Rights of the individual:
  - Seek correction of inaccurate, incomplete, or out-of-date personal data.
  - Have personal data transferred to any other data fiduciary in certain circumstances.
  - Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- Grounds for processing personal data: The Bill allows the processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include:
  - If required by the State for providing benefits to the individual
  - Legal proceedings
  - To respond to a medical emergency
How is personal data regulated currently?
- Currently, the usage and transfer of personal data of citizens are regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000.
- The rules hold the companies using the data liable for compensating the individual in case of any negligence in maintaining security standards while dealing with the data.