The Centre on Wednesday proposed to send the Personal Data Protection Bill, 2019, to a joint select committee of both the Houses of Parliament amid protests by the Opposition. The Opposition had raised objections over the bill, saying it should be referred to a joint panel. The current draft of the bill shows several tweaks from the draft Bill of 2018, with grey areas and ambiguous clauses, which need more clarity from the government. Critics are saying if this bill goes through in the present form, it could mean a significant regulatory burden on large companies.
Here are some of the key highlights of the bill.
Storing, processing of personal data: The Personal Data Protection Bill, 2019, bars storing and processing of personal data by entities without the explicit consent of an individual. Consent is necessary for processing of personal data. The draft bill says the personal data should not be processed, except with the consent given by the data principal at the commencement of its processing. The consent will not be valid unless it is free, informed, specific, clear, and capable of being withdrawn.
Exemptions for 'reasonable purposes': The bill provides exemptions for "reasonable purposes" such as "prevention and detection of any unlawful activity including fraud, whistleblowing, merger and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data, and the operation of search engines".
Processing of children's data: The bill says every data fiduciary will process personal data of a child in such a manner that protects the rights of children. Before processing any personal data of a child, the data fiduciary will need to verify his age and obtain the consent of his parent or guardian. Those violating norms using children's data will be barred.
Data on health can be processed without consent: Data concerning health services and for complying with any law or court orders can be processed without the consent of the owner, the draft bill said. Data can also be transferred outside India in case of health or emergency services "where such transfer is necessary for prompt action", and where the government has deemed such transfer to be permissible, says the bill.
Empowers govt to exempt agencies from the law: The legislation empowers the Central government to exempt government agencies from the application of the Act for "certain" processing of personal data. The bill says the government could also exempt certain data processors processing data of foreigners from the Act. The data processed for research, archival or statistical purposes and small entities who are engaged in manual processing of personal data can also be exempted.
Restriction on transfer of data outside India: The draft bill seeks to create a "strong and robust data protection framework for India" as it fixes the obligation of the data fiduciary (that is, the entity collecting and processing data) and places a restriction on transfer of personal data outside India. Subject to certain conditions, the sensitive personal data can be transferred outside India with permission but has to be stored in India only. All the critical personal data will only be processed in India, says the bill.
Govt may seek data from companies to frame policies: The bill says the Central Government may direct a data processor to provide any personal data to enable better targeting of delivery of services or formulation of evidence-based policies. "Nothing in this Act shall prevent the Central Government from framing of any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse, insofar as such policy does not govern personal data," says the bill.
Right to erase data: The bill empowers citizens to have a right over their personal data. They can correct inaccurate data or erase it. They can update or port the data to other fiduciaries and also have a right to restrict or prevent its disclosure.
Data protection impact assessment: Social media entities that have a user base above a certain threshold will be considered 'significant data fiduciary' if their actions "have, or are likely to have a significant impact on electoral democracy, the security of the State". If companies want to process data involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, it can't be done unless they undertake a data protection impact assessment in accordance with the provisions of the law.
Penalty: The bill provides for a penalty of up to Rs 15 crore or 4 per cent of global turnover for companies found violating norms under the Personal Data Protection Bill, while in case of certain minor violations, it proposes a penalty of Rs 5 crore or 2 per cent of the global turnover.