India Personal Data Protection Bill, 2019
This information is provided by the Supreme Court of India & Delhi High Court.
Key Provisions of the bill
The bill seeks to replace India’s current data protection regime, which is governed by the Information Technology Act, 2000 and the rules made under it. It proposes to regulate the processing of the personal data of individuals by the Government, companies incorporated in India and foreign companies that deal with the personal data of individuals in India.
Definition of Personal Data
Personal Data under the bill is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of that person’s identity. The bill also carves out two sub-categories of personal data: Sensitive Personal Data and Critical Personal Data.
- Sensitive personal data includes financial data, health data, data relating to sex life or sexual orientation, biometric data, transgender status, caste or tribe, and religious or political belief or affiliation, among others.
- Critical personal data means such personal data as the Central Government notifies as critical personal data; the bill itself does not enumerate it.
Data fiduciary means any person, including the State, a company, any juristic entity or any individual, which alone or together with others determines the purpose and means of processing personal data. The bill places a number of obligations on the Data Fiduciary, including the following:
- Personal data may be processed only for clear, specific and lawful purposes.
- The privacy of the Data Principal, i.e. the natural person to whom the personal data relates, must be ensured.
- The Data Fiduciary must give the Data Principal a notice, at or before the time of collecting personal data, stating the purposes of collection.
- The Data Fiduciary may not retain personal data beyond the period necessary to satisfy the purpose for which it was processed.
- The Data Fiduciary is accountable for complying with the provisions of the bill in relation to any processing it undertakes or that is undertaken on its behalf.
Data processing without consent
The bill generally requires the consent of the Data Principal before personal data is processed; however, personal data may also be processed without consent in the following circumstances:
- For the performance of any function of the State authorised by law.
- For compliance with any law, or with any order or judgement of a court or tribunal.
- For employment or related purposes.
- For any other reasonable purpose specified by the Data Protection Authority; the reasonable purposes contemplated include whistle-blowing, the prevention and detection of unlawful activity, mergers and acquisitions, credit scoring and the recovery of debt.
Rights of the Data Principal
The bill also confers rights on the Data Principal, such as the right to obtain confirmation of whether personal data is being processed, a summary of that personal data and of the processing activities undertaken by the Data Fiduciary in respect of it. The bill also gives the Data Principal the right to have inaccurate or out-of-date personal data corrected, and to have personal data erased once it is no longer necessary for the purpose for which it was processed.
Social Media Intermediaries
The bill defines a social media intermediary as an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services. The Central Government may notify such an intermediary as a significant data fiduciary, subjecting it to the additional obligations that the bill imposes on that class of fiduciaries.
Data Protection Authority
The bill provides for the establishment of a Data Protection Authority to protect the interests of Data Principals, prevent misuse of personal data, ensure compliance with the bill and promote awareness of data protection. The Authority may maintain a database on its website listing significant data fiduciaries together with a rating, in the form of a data trust score, that indicates their degree of compliance with the provisions of the bill.
Transfer of Personal Data outside India
The bill imposes restrictions on the transfer of sensitive and critical personal data outside India. Sensitive personal data may be transferred outside India only with the explicit consent of the Data Principal and subject to conditions such as the following:
- The transfer is made pursuant to a contract or intra-group scheme approved by the Data Protection Authority (the Authority).
- The transfer is allowed by the Central Government after consultation with the Authority.
Regulatory Sandbox
The Authority is required to create a sandbox to promote and encourage innovation in artificial intelligence, machine learning and other emerging technologies. Entities admitted to the sandbox are relaxed, for a limited period, from certain obligations of the bill, such as purpose limitation, collection limitation and the restriction on data retention; they are not exempted from the bill as a whole.
Offences and Penalties
The bill imposes heavy penalties. Processing or transferring personal data in violation of the bill attracts a penalty that may extend to INR 15 crore or 4% of the data fiduciary’s total worldwide turnover for the preceding financial year, whichever is higher. Failing to conduct a data audit, among other specified lapses, attracts a penalty that may extend to INR 5 crore or 2% of the total worldwide turnover for the preceding financial year, whichever is higher.
General Data Protection Regulation (GDPR) and Personal Data Protection Bill, 2019
The GDPR, adopted by the European Union, protects personal data relating to individuals. The Personal Data Protection Bill, 2019 is modelled after the GDPR, but there are certain key differences between the two, such as the following:
- The GDPR does not govern non-personal or anonymised data at all. Under clause 91 of the bill, however, the Central Government may direct any data fiduciary or data processor to provide anonymised personal data or other non-personal data for the purpose of better targeting the delivery of services or the formulation of evidence-based policy.
- The definition of special-category (sensitive) personal data under the GDPR does not include financial information, whereas financial data is included in the definition of sensitive personal data under clause 2(36) of the bill. This makes the bill’s definition of sensitive personal data broader than the GDPR’s.
- The GDPR has no provision parallel to the bill’s ‘critical personal data’. Under the bill, the Central Government is empowered to decide what constitutes ‘critical personal data’.
- Under the GDPR, personal data may be kept in an identifiable form for no longer than is necessary for the purpose, with exceptions permitting longer storage for archiving in the public interest, scientific or historical research, and statistical purposes. The bill, by contrast, permits retention beyond the period necessary for the purpose only with the explicit consent of the Data Principal or where required by law.
The Personal Data Protection Bill, 2019 is driven by the underlying objective of protecting data relating to individuals. The bill broadly categorises personal data into three tiers (personal, sensitive personal and critical personal data), which allows for greater accountability in the processing of data by data fiduciaries. The creation of a regulatory sandbox will help technology-driven start-ups in their initial stage, since it relaxes some of the bill’s compliance obligations for a limited period. The bill, when enacted, will have a far-reaching impact on Indian businesses and multinational companies, since they will have to ensure that the data processing they carry out complies with the provisions of the bill.