Source: The Hindu
Manifest pedagogy: Data protection, storage and sharing are very important aspects as far as India’s voluminous data is concerned. In an era of huge numbers of mobile and internet users, there should be a law that takes care of all the above aspects. The provisions (for both Prelims and Mains) and the concerns (for Mains) of the bill should be studied in detail.
In news: The Union Cabinet has given its approval to the Personal Data Protection Bill.
Placing it in syllabus: Data security
Dimensions: Key provisions of the bill & Concerns regarding the bill
Content: Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data. In India, usage of personal data or information of citizens is regulated by the Information Technology Rules, 2011 and under Section 43A of the Information Technology Act, 2000.
In August 2017, a nine-judge bench of the Supreme Court declared privacy as a fundamental right of Indian citizens. The Court also observed that ‘informational privacy’, or the privacy of personal data and facts, is an essential facet of the right to privacy.
The Personal Data Protection Bill, 2018, was prepared by a high-level expert group headed by former Supreme Court judge B.N. Srikrishna.
It is the first step in developing a privacy framework to preserve the sanctity of “consent” in data sharing and penalize those breaching privacy norms.
Provisions of the bill:
- The bill categorizes data into three categories – critical, sensitive and general.
- Sensitive data – financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation can be stored only in India.
- Such sensitive personal data can be processed only with the explicit consent of the person which is informed, clear, and specific.
- Critical data will be defined by the government from time to time and has to be stored and processed in India.
- Any data that is non-critical and non-sensitive will be categorized as general data with no restriction on where it is stored or processed.
- It has a provision for the right to be forgotten, where the person “shall have the right to restrict or prevent continuing disclosure of personal data”.
- The government is entitled to direct a fiduciary (entity or individual who decides the means and purposes of processing data) to get access to non-personal data to provide better services to citizens. E.g. the government can use non-personal or anonymous data for research.
- It provides for the appointment of data protection officers and the creation of an independent national-level Data Protection Authority (DPA) to supervise and regulate data fiduciaries.
- The DPA shall have a separate adjudication wing to impose penalties and award compensation.
- The DPA may levy penalties on the fiduciary for various contraventions of the law, such as failure to comply with (i) data processing obligations, (ii) directions issued by the DPA, and (iii) cross-border data storage and transfer requirements.
- In certain circumstances, processing of data may be permitted without the consent of the individual. These include (i) any function of Parliament or state legislature, (ii) compliance with any court judgement, (iii) to respond to a medical emergency, or a breakdown of public order, (iv) purposes related to employment, (v) for reasonable purposes specified by the DPA.
- In the interest of national security, certain government agencies can have access to personal data for any investigation pertaining to offences.
- It proposes that social media platforms create a voluntary verifiable account mechanism for every user who registers for or uses their service from India.
- Personal data is to be stored in India, but can be processed outside with the consent of the person.
- Penalties for data breach will be ₹5 crore or 2% of turnover, whichever is higher.
- In case of major violations such as data processed or shared without consent, there will be a penalty of ₹15 crore or 4% of global turnover.
- Any person who obtains, discloses, transfers, sells or offers to sell personal and sensitive personal data shall be punishable with imprisonment of up to five years or a fine of up to three lakh rupees.
Concerns regarding the bill:
- While processing the data, the fiduciary is obligated to ensure that data is processed ‘in a fair and reasonable manner that respects the privacy of the individual’. The bill does not specify any guidelines for what constitutes a ‘fair and reasonable’ manner of personal data processing. The absence of guiding principles may allow fiduciaries in the same industry to develop and follow different standards.
- As per the bill, wherever the government finds it necessary, it can direct that all or any of the provisions of this Act shall not apply to any agency of the government in respect of the processing of such personal data.
- It seeks to allow the use of personal and non-personal data of users in cases where data is processed for the purposes of (i) national security, (ii) prevention, investigation and prosecution of violations of a law, (iii) legal proceedings, (iv) personal or domestic purposes and (v) research and journalistic purposes. It is unclear whether the requirements laid out by the Supreme Court in the Puttaswamy vs UoI case are met by the exemptions for research and journalistic purposes.
- Localisation of data will likely make India an infeasible market for services that cannot offset the financial or logistical costs of localisation. It may prevent Indian start-ups or the services industry from expanding globally. Additional costs may be passed down to consumers for certain digital services.
- The Bill mandates storage of a copy of personal data within India to expedite law enforcement’s access to data. This purpose may not be served in some cases, such as when the fiduciary is registered as an entity in a foreign country.
- The DPA has powers to arrest and detain violators of the law in prison, without approval or order of a court.
- The Bill states that every data fiduciary shall keep a ‘serving copy’ of all personal and sensitive personal data in a server in India. The government may notify certain ‘critical personal data’ which shall be processed only in servers located in India. However, the definitions of ‘serving copy’ and ‘critical personal data’ are not provided.