The Personal Data Protection Bill, 2019
Ravi Shankar Prasad, the minister of Electronics and Information Technology, government of India, introduced the Personal Data Protection Bill in the Lok Sabha on December 11, 2019. It has been referred to a Joint Parliamentary Committee consisting of members from both houses of parliament, and its chairperson is Meenakshi Lekhi, a member of parliament from the New Delhi constituency.
The Bill makes provisions for protecting the privacy of individuals relating to their personal data; specifying the flow and usage of personal data; creating a relationship of trust between persons and entities processing such data; protecting the rights of individuals whose personal data are processed; creating a framework of organisational and technical measures to process data; formulating norms for social media intermediaries, for cross-border transfers, the accountability of entities processing personal data, and for remedies for unauthorised and harmful processing; and establishing a Data Protection Authority of India for these purposes.
What will the Bill apply to?
The Bill concerns the processing of ‘personal data’ that has been collected, disclosed, shared or otherwise processed – by the Indian State, company, citizen, or ‘a person or body of persons incorporated or created under Indian law’ – within India. Personal data is defined as that which relates to “…a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.”
The Bill also proposes to apply to the processing of personal data by ‘data fiduciaries’ or ‘data processors’ outside India – if such processing concerns business carried on in India, any systematic activity of offering goods or services to ‘data principals’ within India, or activities involving profiling ‘data principals’ within India. A ‘data fiduciary’ is defined as any person – including the State, a company, juristic entity, or individual (alone and in conjunction with others) – that determines the means and purpose of processing personal data. A ‘data processor’ is defined as any person that processes personal data on behalf of a data fiduciary. A ‘data principal’ means “…any natural person to whom the personal data relates.”
The Bill does not apply to the processing of ‘anonymised data’. ‘Anonymisation’ of personal data refers to the irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, and it must meet the standards of irreversibility specified by the Data Protection Authority of India – which this Bill proposes to establish.
What does this Bill stipulate as the obligations of data fiduciaries?
The following are some of the obligations of data fiduciaries:
Personal data can be processed only for a specific, clear and lawful purpose. Data fiduciaries shall process personal data of a data principal in a fair and reasonable manner and ensure the privacy of the data principal, and for the purpose consented to by the data principal. Personal data shall be collected only to the extent that is necessary for the purposes of processing of such data.
Every data fiduciary shall give a notice to the data principal when the personal data is collected, and it should contain details including the purposes for which the data is collected; the nature of the data being collected; and the identity and contact details of the data fiduciary, among other details. The data fiduciary shall take steps to ensure that the personal data processed is complete, accurate, not misleading and updated. The fiduciary shall have regard to whether the personal data is likely to be used to make a decision about the data principal, or be disclosed to other individuals or entities, including other data fiduciaries or processors, or “…kept in a form that distinguishes personal data based on facts from personal data based on opinions or personal assessments.” Where personal data is disclosed to any other individual or entity, the data fiduciary shall take reasonable steps to notify such individual or entity of this fact.
The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed, and shall delete the personal data at the end of the processing. The personal data may be retained for a longer period if explicitly consented to by the data principal, or necessary to comply with any obligation under any law in force for the time being.
When can personal data be processed without consent?
Personal data may be processed without consent if it is necessary for the State to perform any function authorised by law to provide a service to the data principal, and to issue a certification, licence or permit for any action of the State. It may be processed under any law passed by the Parliament or state legislature; to comply with an order or judgement of any court or tribunal in India; to respond to a medical emergency involving a threat to life or a severe threat to health of the data principal or any other individual; to undertake any measure to provide medical treatment or health services to an individual during an epidemic, outbreak of disease or any other threat to public health; or to undertake measures to provide services to any individual during a disaster or breakdown of public order.
What are some of the rights of data principals under this Bill?
A data principal has the right to obtain confirmation from the data fiduciary on whether their personal data is being processed, to seek the correction of inaccurate, misleading, incomplete or out-of-date personal data, and the erasure of such data that is no longer in use. Where the processing of personal data has been carried out through ‘automated means’, the data principal has the right to receive in a readable format the personal data provided to the fiduciary, data that has been generated in the course of providing services to the data principal, and data that forms part of any profile of the data principal.
What is the Data Protection Authority of India?
The Bill authorises the establishment of a Data Protection Authority of India. Its duties include protecting the interests of data principals, preventing the misuse of personal data, ensuring compliance with the provisions of this Bill, and promoting awareness about data protection.
Its functions include monitoring and enforcing the application of the Bill’s provisions; taking prompt action in response to a personal data breach; maintaining a database with the names of significant data fiduciaries and a ‘data trust score’ for each on its website; examining data audit reports; specifying the qualifications, code of conduct, practical training and functions of data auditors; classifying data fiduciaries; monitoring cross-border transfer of personal data; specifying ‘codes of practice’; promoting the awareness of risks, rules, safeguards and rights concerning the protection of personal data among data fiduciaries and principals; monitoring technological developments and commercial practices that may affect the protection of personal data; promoting measures and undertaking research for innovation in the field of protection of personal data; advising central and state governments on measures required to promote protection of personal data and ensuring consistency in the enforcement of this Bill; specifying fees and other charges for carrying out the purposes of this Bill; and receiving and inquiring into complaints.
Focus and Factoids by Pratik Dixit.
Ministry of Electronics and Information Technology
Government of India, New Delhi
11 Dec, 2019