Draft Personal Data Protection Bill, 2019

In News

• Facebook India’s policy head appeared before the 30-member Joint Committee of Parliament which is examining the draft Personal Data Protection Bill, 2019.

Personal Data Protection Bill, 2019

• • It is commonly referred to as the Privacy Bill. 
  • It intends to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual.
  • In December 2019, Parliament approved sending it to the joint committee.
  • The Bill gives the government powers to authorise the transfer of certain types of personal data overseas. 
  • It has also given exceptions allowing government agencies to collect personal data of citizens.
  • The Bill divides the data into three categories: 
    • Personal Data: Data from which an individual can be identified like name, address, etc. 
    • Sensitive Personal Data: Personal data like financial, health-related, sexual orientation, biometric, caste, religious belief, etc.; 
    • Critical Personal Data: Anything that the government at any time can deem critical, such as military or national security data.
  • It removes the requirement of data mirroring in case of personal data.
  • Only individual consent for data transfer abroad is required.
  • The Bill requires companies and social media intermediaries to enable users in India to voluntarily verify their accounts.

Other Key provisions:

• Data principal: As per the bill, it is the individual whose data is being stored and processed.
• Exemptions: The government is qualified to order any data fiduciary to acquire personal and non-personal/anonymised data for the sake of research and for national security and criminal investigations.
• Social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, should develop their own user verification mechanism.
• An independent regulator Data Protection Agency (DPA) will oversee assessments and audits and definition making.
• Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
• The bill also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
• The right to be forgotten: this right allows an individual to remove consent for data collection and disclosure.

Personal Data Protection Bill – Impact on Organisations

• Private organisations will have a lot to do, from making technical changes in engineering architecture to modifying business processes. At the core, they need to place limits on data collection, processing and storage, but there’s a lot more.
• Technical security safeguards, including de-identification—preventing an individual’s identity to be inadvertently revealed—and encryption needs to be built-in. Any instance of data breach needs to be reported to the regulator.
• Larger organizations—depending on the volume of data, annual turnover and other factors—and social media companies with users above a defined threshold will have additional responsibilities. This includes conducting data protection impact assessments for specific tasks defined by the regulator, periodic security audits and appointing a data protection officer. Additionally, social media platforms would be required to enable users to voluntarily verify their accounts, similar to the “blue tick” on Twitter.