The Union Cabinet approved the Personal Data Protection Bill on Wednesday. Among a host of things, the bill proposes broad guidelines on the management of personal data by public and private corporations. It also proposes penalties for violations of those guidelines.
Information and Broadcasting Minister Prakash Javadekar has said that the bill has been approved by the Cabinet and would be introduced in the Parliament. The bill comes after a Supreme Court judgment in August 2017 declared the 'Right to Privacy' a fundamental right. The apex court also upheld in a subsequent judgment in September 2018 the need for a strong personal data protection regime.
Here's what the Data Protection Bill entails:
The bill states that critical data of individuals held by internet companies must be stored within the country. Sensitive data can be transferred overseas only after approval of the data owner, as per news agency PTI. Moreover, data can be transferred overseas only for purposes permissible under the proposed legislation.
Critical data would be defined from time to time by the government and would include data related to health, religious or political orientation, biometrics, genetics, sexual orientation, finances, etc.
If found guilty of violation, a penalty of up to Rs 15 crore or 4 per cent of an entity's global revenue would be imposed on the violator. When it comes to minor violations, the Data Protection Bill proposes a penalty of Rs 5 crore or 2 per cent of the global turnover. The bill also proposes a jail term for officers of the entity found violating the provisions.
If a company's executive in-charge is found guilty of knowingly matching anonymous data with publicly available information to find out the identity of an individual, then that executive would face a jail term of up to three years.
Social media companies would need to frame a mechanism to identify users who are willing to be identified on a voluntary basis. "Under the provision, a social media fiduciary will have to give users on its platform an option to get verified. It will be voluntary for individuals if they want to get verified or not," a source informed the news agency.
The right to be forgotten has also been proposed for data owners in the bill. Users have the right to erase, correct or port their data, the bill states.
The Data Protection Bill also encourages entities to process data in India for lawful purposes. Processing of personal data in cases of national security issues or court orders has been exempted.
"Any data which can identify an individual has been defined as personal data. While all entities will need to obtain the explicit consent of the data owner, in some cases like the security of the state, providing relief in case of a medical emergency, detection of unlawful activity, whistleblowing, etc., an explicit consent may not be required," the source said.
Entities involved in the data processing business must register with the government as data fiduciaries for the purpose of data processing. "The government will have the right to direct data fiduciary to share anonymised or non-personal data for better targeting of service, policymaking, relief work, etc," said the source, as mentioned in a report by the news agency.
(With PTI inputs)