With growing sensitivity around the use of personal data by third parties, many economies around the world have started formulating policies to curtail the data misuse. One such sweeping law is the European “General Data Protection Regulation” which was enforced in May 2018.
It became imperative that one of the fastest growing economies ie India also puts together a law to protect the data of its citizens. This has led the government to appoint the Justice BN Sri Krishna, committed to formulating a data policy for India.
Justice BN SriKrishna committee submitted the report on Data Protection Law or “The Personal Data Protection Bill, 2018” to the central government and it is proposed to be tabled in the Lok Sabha in the Winter Session. The central government had set up this committee under the leadership of retired Supreme Court Judge BN SriKrishna.
The other members of the committee are Unique Identification Authority of India CEO Ajay Bhushan Pandey, National Cyber Security coordinator Gulshan Rai, Vidhi Centre for Legal Policy research director Arghya Sengupta, Telecom secretary Aruna Sundararajan and joint secretary, Ministry of Electronics and IT Gopalakrishnan S.
Highlights of The Personal Data Protection Bill, 2018
The bill defines the entities under consideration and clearly defines the popularly known data subjects or people under the purview of the bill as “Data Principles” and the data processors and controllers as the “Data Fiduciary”. Clear terminology has helped in establishing transparency and accountability between these two entities.
The law will be applicable to both the government and private companies.
The proposed law will have jurisdiction over the processing of personal data which is used, shared, disclosed, collected or otherwise processed in India. It will be applicable to all the companies incorporated under the Indian Law, irrespective of the geographical location of such companies.
The bill provides for the definition of ‘personal data’ and ‘sensitive personal data’ which adds to the applicability of the law. “Personal Data” is information about or relating to a natural person who is directly or indirectly identifiable using a combination of features like characteristic, trait, etc.
Also, the “Sensitive Personal Data” is defined as data related to or constituting as passwords, financial data, health data, official identifier, sexual orientation, biometric and genetic data, transgender status, caste and intersex status, as may be applicable.
The law will cover the processing of data by both public and private entities. The cases of processing of the personal and sensitive personal data are very clearly defined. The state can process data without obtaining the consent of the principle in the instances of law and order, public welfare, emergency situations where the principle is not in the capacity to provide consent or reason.
Processing of the personal, as well as sensitive personal data, requires consent from the principle. The consent should be free, informed, specific, clear and in a manner where it can be withdrawn at a later stage.
Data Principle Rights
The bill mentions that the data principle can obtain from the data fiduciary the following rights –
- Right to confirmation and access
- Right to correction
- Right to Data Portability
- Right to be forgotten
Transparency and Accountability
The bill lists down certain practices which the regulated entities must implement –
- Privacy by design
- Data protection impact assessment
- Record keeping
- Appointment of a data protection officer
- Data audits
These practices are to be executed by the data fiduciaries which can be classified as “significant data fiduciaries” by the Data Protection Authority.
Majority of the IT companies in India can leverage this provision to become compliant and evolve the internal enterprise level IT infrastructure by enhancing their email archival solutions data storage facilities and data security.
Transfer of Data
The bill mandates that a copy of the data be stored in India and the central government has the right to define what is critical personal data and mandate its storage and processing exclusively within India. These transfers will always be initiated under the model contract clauses which secure the data principle’s interests in terms of data security and privacy. The transferor and the transferee are liable for any violations committed.
Authority and Enforcement
The bill calls for the establishment of an independent Authority body corporate in the name of “The Data Protection Authority of India”. The Bill clearly defines the composition, jurisdiction, modus operandi and lawfulness of this Authority.
The Penalties played down in the bill amount to 5 crore rupees or two percent of the worldwide turnover to 15 crore rupees or four percent of the worldwide turnover. The bill lays down the remedy for the data principle to claim compensation for harm suffered as a violation of any provision, by the data fiduciary. Certain offenses are punishable with imprisonment.
The date of provision will be proposed by the central government in certain cases while otherwise, the enforcement date will be 18 months from the date of enactment of the law.
The Bill is a good start for the personal data protection regime in India. It places Indian companies on the global map as, the compliant companies will eventually have systems which are aligned with the principles of “privacy”. There are challenges with regards to data sharing, especially when the majority of the systems work on cloud computing and it is to be seen how companies promote innovation and convert these challenges into market opportunities.