As a result of Internet technology, transaction processing has undergone remarkable changes. On the positive side, e-commerce, m-commerce, and l-commerce have become a reality in the electronic marketplace. However, one of the undesirable outcomes of the Internet is its use for criminal acts. Against this backdrop, the Government of India introduced the Personal Data Protection Bill, 2019 in Lok Sabha through the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, on December 11, 2019.
What exactly is the Personal Data Protection Bill, 2019?
Personal data breaches have emerged as one of the most prominent categories of security incidents across the globe. The Bill seeks to protect the personal data of individuals and establishes a Data Protection Authority for that purpose.
Applicability of the Bill:
The Bill governs the processing of personal data by:
- Companies incorporated in India, and
- Foreign companies that are dealing with the personal data of individuals residing in India.
Personal data is data which pertains to characteristics, traits or attributes of identity, and which can be used to identify an individual. The Bill categorises specific personal data as sensitive data, which includes financial data, biometric data, caste, religious or political beliefs, or any other category of data stipulated by the government. The government has consulted the concerned authority and sectoral regulator.
Obligations of data fiduciary:
A data fiduciary is an entity or individual who decides the methods and purpose of personal data processing. Such processing is subject to specific purpose, collection and storage limitations.
For example, data can be processed only for a specific, explicit and lawful purpose. Furthermore, all data fiduciaries must undertake absolute transparency and accountability measures, such as the following:
- Implementing security safeguards (such as data encryption and preventing misuse of data)
- Instituting grievance redressal mechanisms to address the grievances of individuals.
They must also establish mechanisms for age verification and parental consent when processing sensitive data of children.
Rights of the individual:
The Bill specifies certain rights of the individual (or data principal). These include the right to:
- Obtain consent from the fiduciary on whether their data has been processed.
- Seek rectification of inaccurate, incomplete, or outdated data.
- Transfer personal data to any other data fiduciary under certain circumstances.
- Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer required or consent is withdrawn.
Grounds for processing personal data:
The Bill allows the processing of data by fiduciaries only if the individual provides consent. However, in certain circumstances, such data can be processed without consent. These situations include:
- If required by the State for granting benefits to the individual
- Legal proceedings
- Responding to a medical emergency.
Offences:
- Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher.
- Failure to conduct a data audit is punishable with a fine of rupees five crore or 2% of the annual turnover of the fiduciary, whichever is higher.
Re-identification and processing of de-identified data without consent are punishable with imprisonment of up to three years, or fine, or both.
The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect data.