TLI Explains: Know About India’s Draft Data Privacy Bill Which Seeks To Prevent Misuse Of Personal Data

Sromona Bhattacharyya India

August 17th, 2018 / 3:27 PM

Data Protection Bill

After at least a year-long deliberation, the 10-member Justice Srikrishna Committee on July 27 had submitted to the government the draft of The Personal Data Protection Bill 2018 along with a report on the framework on data security in India. The committee report also draws a lot of inspiration from the General Data Protection Regulation (GDPR) that was recently introduced in the European Union.

The government has also sought public feedback on the draft bill. An August 14 notification on The Ministry of Electronics and Information Technology website said, “MeitY solicits comments from the general public on the Draft Personal Data Protection Bill by 10th September 2018.”


Why is the Data Protection Bill 2018 important?

Up until now, Indian laws provided little protection against the misuse of people’s personal data. SPD Rules (Sensitive Personal Data and information, 2011) is the one which governs the transfer of personal data on the internet. However, with the data protection bill, consent of the individual user becomes crucial to data sharing. Stating that the right to privacy is the fundamental right of individuals, the proposed bill says that internet users will have the final word when it comes to data usage and they will also have the right to withdraw consent as well. Therefore, the onus of data sharing lies exclusively with the owner.

The draft bill also noted that the relationship between an individual and the service provider must be viewed as a fiduciary relationship since the individual relies on the service provider to obtain a service, the latter is obliged to process the former’s data in a fair manner. Further, the bill has also defined personal data as information which makes it easier to identify an individual. Whereas, sensitive personal data includes passwords, financial data, biometric data, genetic data, caste, religious or political beliefs etc.


What does the bill mandate?

The draft bill also states that any party who is processing your data is obligated to do so in a fair manner. The Srikrishna Committee draft bill has also prescribed steep penalties for non-compliance as well. According to the Economic Times, if data is misused, then non-compliant parties will have to serve a jail term of three years or a fine of up to Rs 2 lakh, or both. Since the draft bill draws heavily from EU’s GDPR, it has also prescribed differing ranges of penalties for violation of different provisions. “For some other contraventions, including contravening the provisions on cross-border transfers, consent and grounds of processing, penalties extend to Rs 15 crore or 4% of the global turnover in the previous financial year, whichever was higher,” said Nehaa Chaudhari of TRA Law to the daily.

While amendments have been proposed to the Right to Information Act and the Information Technology Act, no amendments to the Aadhaar Act has been proposed yet.  Reportedly, the scope of an individual’s rights is limited in the current draft bill as compared to EU’s laws, however, it still has adopted principles like the right to access and correction, right to portability, and right to be forgotten as well. While noting that obtaining consent is not possible under all circumstances, the bill has identified four different bases under which data can be processed non-consensually. These bases include processing of data for the purpose of the functioning of the Parliament or state legislature,  for responding to a medical emergency or in cases of breakdown of public order among others. The bill also talks about exemptions from compliance with its provisions which include state security, prevention, investigation, or prosecution of any offence and for personal, domestic, or journalistic purposes.

Moreover, the draft bill has also mandated absolute data localisation which is complete storage and processing of critical personal data in India. Apart from this, it has imposed different localisation requirements for different kinds of data. The bill also required a copy of an individual’s personal information to be kept on a server or a data centre in India. However, with the EU’s law, data controllers are allowed to transfer data outside of EU if they fulfil certain conditions.


The challenges

Recently, Facebook’s admission that personal data of 87 million users including five lakh Indian users was shared with Cambridge Analytica, has revealed the extent to which data can be misused over the internet. India lacks any substantial law that would tackle some of the burning questions related to the sharing of data on the internet. Even though this seems to be a step forward in the right direction, several media reports and experts have expressed concerns over the provisions of the Personal Data Protection Bill 2018.

The first problem is the bill’s data localisation norms. To meet the norm, companies would be obliged to set up local servers in India. This will make it difficult for existing companies to operate in the country. Nasscom in an email statement said, “Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets.” It further expressed concerns over Indian startups that are going global.

The draft bill also mandates the creation of a Data Protection Authority of India, thereby placing immense power in the hands of the central government. The decision of the central government when it comes to matters of policies will also be final and binding on the authority.

Moreover, unlike the GDPR which empowers the users by allowing them to completely delete their data which has been shared, the Personal Data Protection Bill 2018 does not mandate the same for Indian users. Instead, it’s “right to be forgotten’’ principle only allows users to restrict companies from using their data. Thereby, making it very crucial for the users to determine what is important data and what is not.

While misuse of personal data on the internet has become a burning issue and a reason for concern all over the world, authorities in India should aim to make the law more industry-friendly while keeping in mind the rights of individual users.


Also Read: Government Plans To Make Two Amendments In FRDI Bill, To Be Tabled At The Parliament Soon


Contributors

Edited by : Abhinav Joshi

Share your thoughts..

Related Stories

Nepal India Military Drill

TLI Explains: Nepal Says No To India For Military Exercise, To Participate With China Instead

NRI Proxy Voting

TLI Explains: Lok Sabha Passes Bill Allowing Proxy Voting For NRIs, Is It A Good Move?

TLI Explains: SC Adjourns Hearing On Article On 35A; Know What 35A Is

Inflation Causes

TLI Explains: India’s Inflation At 5.77%, A Four Year High

No Confidence Motion

TLI Explains: All You Need To Know About The No-Confidence Motion

Narendra Modi App Shares Users’ Personal Data With US Firm, Discreetly Changed Privacy Policy After Allegations Of Breach

Latest on The Logical Indian

Awareness

Made In India Stents Just As Good As Their International Counterparts, Study From Germany Shows

Exclusive

This Website Needs Your Personal Details For NaMo T-Shirts. Here’s Why It’s Worrisome

News

Monkey Menace: Two People Killed In Agra On Same Day; Monkey Population Reaches 50,000

Exclusive

My Story: “I Saw A Kid Staring At The Ferris Wheel, He Didn’t Have Money Or Courage To Go Up”

News

On Family’s Request Kathua Victim’s Lawyer Removed From Case Over “Non-Appearance” In The Case

Awareness

Low IQ Among Indian Children, Is Iodine Deficiency The Secret Reason?

x

Stories that deserve attention, delivered to your inbox!

Handpicked, newsworthy stories which deserve the attention of a rational generation.