The contentious Personal Data Protection Bill 2019, (PDP Bill) which was introduced in the Lok Sabha on December 11 by IT and Communications Minister Ravi Shankar Prasad, has been referred to the joint select committee of Parliament for scrutiny.
The select committee will comprise of 20 members of the Lok Sabha and 10 members of the Rajya Sabha. The committee is expected to submit its report before the end of Parliamentâs budget session.
A draft of the PDP bill was prepared by the Justice BN Srikrishna Committee, in 2018. However, the government made some changes in the Srikrishna draft before tabling the PDP bill in the Lok Sabha.
Highlights Of The Bill
1. The bill defines data as âa representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.â
2. The bill has called data thatâs stored and processed of an individual as data principal.
3. It has laid down the procedure to govern the processing of personal data, by the (i) government, (ii) foreign companies that deal with the personal data of individuals living in India, and (iii) any Indian company.
4. The bill has designated certain personal data as sensitive personal data, which includes financial data, biometric data, data on political beliefs, or any other data as specified by the govt. in consultation with the Data Protection Authority (DPA), and the concerned sectoral regulator.
5. Data Protection Authority of India â The DPA will take steps to ensure the compliance of the bill by the data processing entities, in order to ensure that the personal data of an individual is not being misused. The authority will comprise of a chairperson and six members, all having at least 10 years of experience in the field of data protection and Information Technology.
6. It specifies the purpose and obligations of the data fiduciary. A data fiduciary is an entity (govt. or company) or an individual who decides the means and purpose of processing personal data. Any personal data will only be processed when there is a clear and lawful purpose.
Itâs the data fiduciaryâs responsibility to ensure that personal data of the data principal thatâs processed is complete, accurate, non-misleading and updated. They will also have to undertake certain transparency and accountability measures for personal data.
The bill says that personal data of data principal will only be processed by data fiduciary after their consent. However, there are exceptions in certain cases where the consent is not required, (i) if required by the state to provide benefits to the individual, (ii) for a medical emergency, (iii) if required for legal proceedings.
7. The bill requires social media companies, called significant data fiduciaries, based on the volume of their data and turnover, to develop their own user verification mechanism.
8. The bill exempts agencies of the central govt. from the provisions of the act, if the govt. feels necessary that personal data processing is necessary for the purpose of (i) national security, (ii) friendly relations with the foreign states, and (iii) for public order. This processing shall also entail taking safeguard measures.
9. The bill gives the central govt. the authority to direct data fiduciaries to provide it with (i) non-personal data, and (ii) anonymised personal data as it will help the govt. in better targeting of services.
How PDP Bill Differs From Srikrishna Draft
1. The Srikrishna draft didnât specify the significant data fiduciaries to develop their own user verification mechanism. The process of verification will reduce the anonymity of users and prevent trolling, officials told The Indian Express.
2. The Srikrishna draft in Section 42 allowed the govt. agencies to access the personal data of individuals for the reason of national security, with respect to the principle of proportionality and necessity.
However, as per the PDP bill, the govt. can make any of its agency completely exempt from all the provisions of the bill. The bill in Section 35 doesnât provide any clarity on what âsafeguards and oversight mechanismsâ will be undertaken.
3. The right to the erasure of data was not applicable under the Srikrishna draft, but the PDP bill has given the data principal the right to request the data fiduciary for the erasure of data, which is no longer needed for the purpose of processing.
4. The Srikrishna draft recommended the appointment of a judicial member â Chief Justice of India or a Supreme Court judge â to the selection committee which will be empowered to give recommendations to the central govt. for appointments of the members of the DPA. But, the PDP bill has removed the need for the appointment of a judicial member. The recommendation panel will comprise of, (i) the Cabinet Secretary, (ii) Secretary, Department of Legal Affairs, (iii) Secretary, Ministry of Communications and IT.
…
