Context: A Joint Parliamentary Committee (JPC) has finalised and adopted the draft report on The Personal Data Protection Bill, 2019 by a majority.
About this Bill
- The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology.
- The Bill seeks to provide for the protection of personal data of individuals and establishes a Data Protection Authority for the same, covering the collection, movement, and processing of data that is personal, or which can identify the individual.
- It is commonly referred to as the ‘Privacy Bill’.
Who comes under the ambit of Data Protection Bill?
- Companies incorporated in India
- Foreign companies dealing with personal data of individuals in India
Clause 35 or Exemption Clause
- The committee has retained the clause with a minor change.
- It allows the Government to keep any of its agencies outside the purview of the law.
- In the name of ‘sovereignty’, ‘public order’, ‘friendly relations with foreign states’ and ‘security of the state’, the clause allows any agency under the Union Government to be exempted from all or any provisions of the law.
What is Personal Data?
Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
Features of the Bill
Obligation of the Data Fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
- Implementing security safeguards (such as data encryption and preventing misuse of data),
- Instituting grievance redressal mechanisms to address complaints of individuals.
Rights of the individual:
- Obtain confirmation from the fiduciary on whether their personal data has been processed,
- Seek correction of inaccurate, incomplete, or out-of-date personal data,
- Have personal data transferred to any other data fiduciary in certain circumstances, and
- Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
Merits of the bill
- All personal data shall require the consent of the individual to whom it belongs before it is collected or subjected to any form of analysis.
- According to Section 6 of the bill, data should be collected only to the extent necessary for the processing of such personal data.
- According to Section 7 of the bill, a notice is to be given to the person whose data is being collected, stating the nature and categories of personal data and the purposes for which the data is to be processed, among other things.
- As of now, much cross-border data transfer is governed by individual bilateral mutual legal assistance treaties. Data localisation will help law enforcement agencies to access data for investigations and enforcement.
- Data localisation will also increase the Indian government's ability to tax the internet giants.
Concerns with the bill
- National security is an umbrella term; in its name, the state may intrude into the private lives of citizens.
- DPA members will mostly be appointed from among bureaucrats selected by the government. Therefore, the appointments will not be made through an independent body.
- Any government agency can be exempted from the provisions of the law and can access personal data without consent, citing public order, national security, or the investigation and prosecution of any offence.