Introduced in India’s parliament in 2019, the Personal Data Protection Bill sets rules for how personal data should be processed and stored, and lists people’s rights with respect to their personal information. It also proposes to create an independent new Indian regulatory authority, the Data Protection Authority (DPA), to carry out this law.
Provisions of the Bill
- Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
- The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government.
- The Bill governs the processing of personal data by the government, companies incorporated in India, and foreign companies dealing with personal data of individuals in India.
- A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations.
- All data fiduciaries must undertake certain transparency and accountability measures by:
. implementing security safeguards (such as data encryption and preventing misuse of data)
. instituting grievance redressal mechanisms to address complaints of individuals
. instituting mechanisms for age verification and parental consent when processing sensitive personal data of children.
Rights of Individual
- The Bill sets out certain rights of the individual (or data principal). These include the right to:
. obtain confirmation from the fiduciary on whether their personal data has been processed
. seek correction of inaccurate, incomplete, or out-of-date personal data
. have personal data transferred to any other data fiduciary in certain circumstances
. restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- In certain circumstances, personal data can be processed without consent:
. if required by the State for providing benefits to the individual
. for legal proceedings
. to respond to a medical emergency.
Data Protection Authority
- The Bill sets up a Data Protection Authority which may:
. take steps to protect the interests of individuals
. prevent misuse of personal data
. ensure compliance with the Bill.
- It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology.
- Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
- Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
- The central government can exempt any of its agencies from the provisions of the Act:
. in the interest of the security of the state, public order, sovereignty and integrity of India, and friendly relations with foreign states
. for preventing incitement to the commission of any cognizable offence (i.e. arrest without warrant) relating to the above matters
. for the prevention, investigation, or prosecution of any offence.