Introduction
The heavy digitalisation of our lives, and our acceptance of the integration of technology into them, cannot be denied. Every sector, including healthcare and legal, is bombarded with new technological advancements, and our involvement in them cannot be restricted. This heavy reliance raises concerns as to how the data of individuals, organisations and government departments will be regulated. Due to a lack of legal reforms that provide for the regulation of users' data, certain people are sceptical about adopting technology. To address the above-mentioned issues, the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha by the Ministry of Electronics and Information Technology on December 11, 2019.
Personal Data Protection Bill, 2019
The PDP Bill was introduced to regulate the personal data of users, to create a relationship of trust between users and the entities using their data, and to provide remedies in case of a breach. The Bill recognises the right to privacy as a fundamental right and therefore provides rules that uphold it. The Bill aims to supersede the Information Technology Act, 2000 and any other law that is inconsistent with the provisions of the Bill, unless otherwise specified. The Bill further proposes the deletion of sections 43A and 87 of the IT Act, which provide for compensation in case of failure to protect data and for the power of the central government to make rules to carry out the provisions of the IT Act, respectively.
1. Application: the provisions of the Bill would apply to data that has been collected, processed, shared or disclosed within the territory of India; to data that has been processed by the state, an Indian company, an individual or a body of persons incorporated in India; and to any foreign company that deals with the data of individuals in India. The Bill does not apply to anonymised data, except that it would apply to anonymised data or other non-personal data if the central government deems it necessary to enable better targeting of delivery of services or formulation of evidence-based policies.
2. Definitions:
a) Data principals: defined under section 3(14), it means the natural person to whom such personal data relates.
b) Anonymised data: defined under section 3(3), it means data which has undergone the process of anonymisation. Anonymisation means the irreversible process of transforming or converting data so that the data principal cannot be identified. Furthermore, data will be considered anonymised data if it meets the standard laid down by the authority.
c) Data fiduciary: defined under section 3(13), it means a state, a company, a juristic entity or any individual who processes or uses the personal data.
d) Data processors: defined under section 3(15), it means a state, a company, a juristic entity or any individual who processes the data on behalf of the data fiduciary.
e) Sensitive personal data: this is defined under section 15, which provides that the central government, in consultation with the authority, can notify any data as sensitive personal data if there is a higher risk of harm that may be caused to the data principal or a group of people if such data is processed, if such data requires a higher degree of protection and confidentiality.
3. Grounds for processing personal data
a) Consent is described as the most necessary ground for processing personal data under section 11 of the Bill. Consent will not be considered valid unless it is free, informed, specific, clear and capable of being withdrawn. The burden of proof lies on the data fiduciary to establish that the consent is free from any encumbrances.
b) Section 12 lays down instances when personal data can be processed without consent:
i) For the performance of any function of the state
ii) If any law is made by the parliament or any state legislature that requires the processing of such data
iii) To comply with any order of the court or tribunal
iv) In any medical emergency involving the data principal or any other individual
v) To assist or ensure the safety of any individual during any disaster or breakdown of public order.
c) The data of a data principal can be processed without his consent in case of employment as provided under section 13 of the Bill.
d) Section 14 lays down that data can be processed by the data fiduciary for reasonable purposes without the consent of the data principal. Such data must be processed after considering the interest of the data fiduciary in processing the data, the rights of the data principal, and any public interest in processing such data.
4. Rights of data principal and children
a) Right to confirmation and access: section 17 empowers the data principal with the right to ask the data fiduciary about the data processing activities with respect to his personal data.
b) Right to correction and erasure: section 18 gives the data principal the right to make changes in the data provided by him to the data fiduciary.
c) Right to data portability: section 19 gives the data principal the right to obtain personal data in a structured, commonly used and machine-readable format.
d) Right to be forgotten: section 20 gives the data principal the right to ask the data fiduciary to prevent his data from any further disclosure, only after the purpose for which it was collected has been served or the data principal has withdrawn his consent to sharing his personal data.
The rights provided under this Bill are not absolute, as the data fiduciary can refuse to uphold such a right if it harms the rights of other data principals.
Personal data and sensitive personal data of children: Under section 16, the data fiduciary, while processing the data of a child, must obtain the consent of the child's parents or guardian and must make sure that such data processing is in the best interest of the child.
5. Establishment of Data Protection Authority
Chapter IX, section 41 provides that the central government, for the purpose of this act, is to establish an authority called the Data Protection Authority of India. Under section 49, it shall be the duty of the authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Bill, and promote awareness about data protection.
The authority is given the following powers:
· Power of Authority to issue directions (section 51)
· Power of Authority to call for information (section 52).
· Power of Authority to conduct inquiry (section 53).
· Search and seizure (section 55)
6. Penalties and Adjudicating Authorities
a) Penalties: Chapter X of the Bill provides for strict penalties for data fiduciaries in case of failure to comply with the provisions of the Bill. Sections 57-61 of the Bill provide for penalties for different offences committed by the data fiduciary. The Bill provides that processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher. The Bill further provides that failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Processing of de-identified personal information without consent or re-identification is punishable with imprisonment of up to three years, or fine, or both.
Under section 64, if any data principal has suffered harm due to violation of any provision of the Bill by the data fiduciary, then the data principal has the right to seek compensation from the data fiduciary.
b) Adjudicating officer: section 62 provides for the appointment of an adjudicating officer, who has the power to summon any person and pronounce the penalty on the respective data fiduciary.
c) Appellate Tribunal: under section 67, the central government, for the purpose of this act, may establish an Appellate Tribunal. The primary purpose of this tribunal is to hear appeals from the orders of the adjudicating officer. The powers of the Appellate Tribunal are similar to the powers vested in the civil courts under the Civil Procedure Code, 1908. An appeal from the order of the Appellate Tribunal shall lie to the Supreme Court within ninety days.
Conclusion
The PDP Bill will make people believe that there is a law that protects the personal data of individuals. The Bill will make people accept digitalisation with open arms due to its strict penalties in case of any infringement of the rights of users. The Bill also provides for the establishment of an authority that will act as a watchdog to protect the data of the data principal and make sure that the data fiduciary does not act ultra vires.