‘Personal Data Protection Bill’ - journey so far and way forward!

India's digital economy is growing at a very fast pace and it is important that we have a comprehensive personal data privacy governance framework backed by robust surveillance systems, without hindering the economic growth.

After four years of deliberations, on 03rd August 2022, the government of India withdrew the Personal Data Protection (PDP) Bill, 2019. As per reports, this bill will be replaced in the near future with one that has a “comprehensive framework” and is in alignment with “contemporary digital privacy laws”.

In 2017, the Supreme Court recognized the right to privacy as a fundamental right within the ambit of the Constitution. The top court had directed the Centre to come up with a data protection framework for the country. The Personal Data Protection Bill was then introduced in the parliament on December 11, 2019. The bill was prepared and modelled by an expert group headed by former Supreme Court Judge, Hon'ble Justice BN Srikrishna.

Brief highlights of the bill

The brief highlights of the bill are as given below:

  • Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorizes certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
  • Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards such as data encryption and preventing misuse of data, and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
  • Rights of the individual: The Bill sets out certain rights of the individual. These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
  • Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
  • Social media intermediaries: The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
  • Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
  • Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
  • Exemptions: The central government can exempt any of its agencies from the provisions of the Act: (i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
  • Offences: Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
  • Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
  • Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

Why was the bill withdrawn?

In a note circulated to Members of Parliament, Union IT Minister Ashwini Vaishnaw explained the reason behind the withdrawal of the Bill: “The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament. 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on the digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new Bill that fits into the comprehensive legal framework.”

It seems evident that a bill with a total of 98 sections that received 81 amendment recommendations would definitely require a more comprehensive rework.

The Bill was also seen as being too “compliance intensive” by the country's start-ups. The government may not want to disturb the digital economy, which is growing at a massive pace at the moment, and the new bill needs to be easier for start-ups to comply with.

Why is it tough for Social Media Companies to Comply?

Media reports seem to suggest that tech giants, especially large social media companies, feared that the legislation could restrict how they manage sensitive information while giving the government broader powers to access it.

Social media companies use data about people in incredibly complex ways, including for modelling and predicting attributes and individual or group behaviors, and for making statistical correlations between individuals. Also, most large social media companies currently run their technology infrastructure from their home countries, and it would be a hugely cost-intensive exercise for them to create regional infrastructure and host it locally. Moreover, doing so can pose challenges in offering a single unified platform to subscribers across the world.

Meta, Google, Amazon, Twitter and other social media companies had expressed concerns about some of the recommendations by the joint parliamentary committee on the proposed bill, since they clashed with many of their cyber policies regarding data collection. The JCP proposed that social media companies that do not act as intermediaries should be treated as content publishers, making them liable.

What could happen next?

That the government has chosen to withdraw the bill after a long five-year journey of crafting it and deliberating at all levels makes it evident that the bill requires a major rework. It is also important that we have very strong surveillance mechanisms to monitor and govern the personal data space. The government has not indicated any clear timelines or structure for the new bill. However, we can expect the new law to come in the near future.

Conclusion

While it may take some time for the new law to come, businesses can adopt some healthy practices and act more responsibly when it comes to the acquisition, management and consumption of their customers' personal information. Such good practices include seeking consent while sourcing, storing data in India, securing customer information, etc.

ROBIN JOY

Independent Director, Independent Technology Consultant, Former VP and CIO at V Guard Industries Limited, ex-ITC, ex-TNPL. Nearly four decades of technology experience covering ERP, Project mgmt, DC & Cloud.

2 years ago

Interesting to read and get a brief on the topic. On withdrawing the bill, I thought instead a primary version where most agree could have been put in force with a timeline to comply. This gives time for corporates to think, be aware and incorporate parts of it. In another way a potential tech business opportunity would have also got created as an increment to current cyber security practices.

Adv. Bishwajit Kumar, BE, MBA, LL.B, MS, CISSP, LL.M, Cybersecurity

A Helping Hand, IT infra expert and Data Protection Lawyer & PDP Act compliance Services @ Delhi, J&K, HP, UK, Lucknow, Ranchi, Patna, Bhubaneswar, Kolkata, Guwahati, Imphal.

2 years ago

First when I was creating the first draft of PDP, I was hopeful that within a year it will pass but later lots of modification gave government agencies a wildcard to just bypass all the litigation. Now opposition is questioning that move, so Government just sent this bill to back bench without even thinking about the impact.
