A Peek in the Personal data protection bill Ujjwal Krishna


The Personal Data Protection Bill, 2019 was recently introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, on December 11, 2019.

The Bill has been referred to a Parliamentary Committee for further examination. The Bill provides for the protection and safety of personal data of individuals, creates a framework for processing such personal data, and establishes a Data Protection Authority for the purpose.  In this article, we provide a background and analysis of the  Bill and explain some of its key provisions. 


Data protection is the process of shielding important information from corruption, compromise or misfortune. Data anonymization is the process of protecting private or sensitive data by erasing or encoding identifiers that connect an individual to stored data. The Bill itself defines personal data as "data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling".


Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, when collected together, can lead to the identification of an individual also constitute personal data. Basically, we can say that personal data is any information about a person, maintained by a company or by anybody else, that reveals personal and secret information about that person; it can also be sensitive data, as in the case of children.


In that case, the court observed that the protection of personal data is also an essential part of the Right to Privacy.

The case was brought by retired High Court Judge Puttaswamy, who challenged the Government's proposed scheme for a uniform biometrics-based identity card which would be compulsory for access to government services and the advantages provided by it. The Government contended that the Constitution did not give explicit protection for the right to privacy. The Court contemplated that privacy is an incident of the fundamental freedom or liberty ensured under Article 21, which provides that: "No person shall be deprived of his life or personal liberty except according to procedure established by law". Observers likewise anticipated that the Indian Government would build up a data protection system to ensure the protection of individuals. The Supreme Court held that the right to privacy, which is also a fundamental right, is guaranteed under the Constitution of India.

After this, a committee was set up under the chairmanship of Justice B.N. Srikrishna to examine the issues related to data protection in India. There is an immediate need for this bill, and it gives high priority to data protection for individuals.


At present, the data protection of individuals is regulated under the IT Rules, 2011 and the IT Act, 2000. These regulate individuals' data held by companies; they cover only data held by companies, not by the government, and if any negligence happens, the company must compensate for that negligence. But there are many shortcomings which allow companies and other bodies to escape their liabilities. And so there was a need for this bill.

The right to security is a crucial right, and it is important to protect an individual's data as a basic facet of informational privacy. What is more, the development of the digital economy has implied the utilization of data as a critical means of correspondence between people. It was important to create a collective culture that encourages a free and reasonable digital economy, respecting the informational privacy of individuals and guaranteeing empowerment, progress and development. This is the most important purpose and feature of the bill.

The Act goes on to say that it was expedient to make provision to protect the autonomy of individuals in relation to their personal data, to specify where the flow and usage of personal data is correct, to create a relationship of trust and reasonableness between persons and entities processing their personal information, to specify the rights of individuals whose personal data are processed, to create a framework for executing managerial and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide solutions for illegal and harmful processing, and to set up a Data Protection Authority for overseeing processing activities.

The governance of the bill can be done by:

(1) Government

(2) Companies incorporated in India

(3) Foreign companies dealing with the data protection incorporated in India.

The bill defines many terms in keeping with today's digital economy and for a better understanding of the bill, such as: data, data fiduciary, consent, child, data principal, data processor, financial data, genetic data, personal data, etc.

The bill also imposes certain obligations on the authorities processing personal data like fair and reasonable processing, collection limitations, purpose limitations, lawful processing, accountability etc. It also prescribes certain grounds for processing of personal data and sensitive data.

It categorises data basically into two types:

(1) Personal data  

(2) Non-personal data.

 Personal data may contain biometric, location, financial data, etc. 

The duty of a data fiduciary is very crucial; it will be the person or body which manages the whole personal data of an individual, mainly its means and purposes. All the personal data will be used in processing to some extent. The use of personal data should be for lawful purposes only. Data principals should be assured of the privacy of their data. A notice will be provided to the data principal at the time of the collection of data. Personal data cannot be used or kept beyond a particular period of time. Sensitive data of children will be used with the special permission of the children as well as the guardian.

The data principals have certain rights regarding the use of their personal information. They have the right to know to whom the data has been transferred, if it has been, and for whose purposes the data is being used.

Data can also be used without consent by the central authority for the benefit of an individual, in case of any emergency.

The Bill says there will be some Data Protection Authorities which will work to:

(1) Prevent misuse of data 

(2) Protect the interest of the individuals.  

The authority will consist of a chairman and six members with more than 10 years of experience in the field of data protection and information technology. In case of any mishap, the individual can complain to the authority and to the Appellate Tribunal; if a remedy is still not found, they can appeal to the Supreme Court.

The central government can exempt any of its agencies because of national security, public order, etc. The personal data cannot be used in investigation, domestic purposes, prosecution of any offences, journalism, etc.

The bill gives special consideration to children and minors and defines them according to its own perspective. The bill defines a child as a data principal below the age of eighteen years. The bill says every data fiduciary will process the personal data of a child in a manner that protects the rights of children. Before processing any personal data of a child, the data fiduciary will need to verify the child's age and obtain the consent of the parent or guardian. Those violating norms using children's data will be barred. The bill also throws light on the concept of consent specifically. It defines consent and explicit consent in its sections 12 and 18.

Offences are described under chapter XIII of the Bill which include:  

(i) Processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and 

(ii) Failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.

Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.

The United Nations also does not have high data privacy, nor does it have any strict laws on data protection, but after seeing the present scenario people are becoming aware of privacy and have taken many steps to protect their data. In the United Kingdom, however, the legislature passed the Data Protection Act of 1998, which is a revision or copy of the 1984 Act. Now India has taken steps to protect and secure the data of individuals and to use it in the right direction and for the benefit of people. A bill has been drafted and presented in Parliament. The draft bill is another step taken by the GOI in its initiative towards implementing data privacy laws in India. Further, this bill went for review, and the government also sought advice from the public, ministers and stakeholders on it and on what should be added to it or changed.

The Bill incorporates important aspects like consent, reasonable purpose, and sensitive data by consent. We hope that the Draft Bill will be recognized as a law in the forthcoming budget session.

Ujjwal Krishna


Ujjwal hails from Lloyd Law College, Greater Noida, CCS University and spends most of his time researching, reading and debating. His interest areas are law and policy. For any clarifications, feedback, and advice, you can reach us at editor@lawcirca.com
