India has the second-largest internet userbase in the world. As of July 2020, we were second to only China with 560 million online users.
So when the Supreme Court declared the Right to Privacy as a fundamental right in 2017, the country rejoiced.
And two years later we saw the government introduce the Personal Data Protection Bill in December, 2019 to create a robust data protection framework for India.
Some have lauded it as a big step towards data privacy, while others argue that it’s a step backwards in the fight. Before we touch the two divergent views, here’s a layman’s guide to all you need to know about it.
PDP Bill 2019
The Personal Data Protection Bill 2019 aims to:
- Protect the personal data of individuals
- Establish a Data Protection Authority to do the same
Data Principals – Individuals who own the data
Data Fiduciaries – Organisations that decide the purpose and means of processing the collected data. This includes:
- Companies incorporated in India
- Foreign companies dealing with personal data of Indians
The purpose of PDP
The bill lays down the rules that govern the purpose, collection and storage limitations of the data.
The measures are meant to:
- Give the individual more control over the data that’s getting shared and used by the fiduciaries, recognising the right to privacy as a person’s fundamental right
- Make data fiduciaries more accountable and transparent while using this data
PDP defines three data categories
Personal data – Any data that can be used to identify an individual. This includes data pertaining to traits, characteristics and attributes of identity.
Sensitive Personal data – Some personal data has been characterised as sensitive personal data. This includes financial data, sexual orientation, biometric data, transgender status, health data, caste, religious or political beliefs, or any other category specified by the government.
Critical Personal data – A subset of sensitive personal data; it will include categories of personal data as may be notified by the Central Government.
What do data fiduciaries owe us
While collecting, storing, processing or sharing data, all data fiduciaries are required to undertake certain accountability & transparency measures that include:
- Ensure data encryption and prevent the misuse of data
- Inform the users about data collection and take & store their explicit consent
- Address complaints of data misuse by instituting a grievance redressal mechanism
- Have ways to verify age and get parental consent when processing the personal data of children (below 18 years of age)
Significant data fiduciaries – Any fiduciary can be declared so on the basis of the volume and sensitivity of personal data being processed, the turnover, risk of harm, use of new technologies, or any other such factor. They will have to conduct a Data Protection Impact Assessment to carry out data audits and appoint data protection officers.
Social media intermediaries – those who have followers beyond a certain threshold and can impact the electoral democracy & sovereignty of India. They will have to give account verification options to willing users, and such users will be given a visible mark of verification, much like the blue tick we have on Twitter.
Your rights as an individual
- Confirm with the data fiduciary whether your personal data has been processed
- Give your explicit consent every time data is getting collected
- Seek correction of personal data that may be inaccurate, out-of-date or incomplete
- Give your consent to have your data transferred to some other data fiduciary (to fill forms or bargain for better experiences etc.)
- Put a hard stop on the use of your personal data by a data fiduciary
The Data Protection Authority
PDP Bill 2019 talks about establishing a Data Protection Authority. It will be set up to:
- Ensure compliance with the Bill
- Prevent misuse of data
- Protect the interests of data principals
In short, the execution of the Bill would rest in the hands of the DPA.
The DPA will have one chairperson and six members with 10+ years of experience in the field of data protection & information technology.
Data transfer to outside the country
It’s allowed as long as:
- The individual gives his/her explicit consent
- The sensitive personal data continues to be stored within India
- The data has not been characterised by the government as critical personal data, which may only be processed within India except in the case of a health service or emergency situation
The PDP Bill specifies strict penalties for the contravention of its provisions. These penalties are prescribed in two brackets, the higher of which extends up to INR 150 million or 4% of the total worldwide turnover of the data fiduciary for the previous financial year, depending on the nature of the offence. Notably, significant data fiduciaries may be subject to a penalty up to INR 50 million or 2% of their total worldwide turnover, whichever is higher, for not complying with the obligations that are specifically applicable to them.
Apart from that, in some cases of contravention, the data principal will be entitled to compensation from the fiduciary.
Interestingly, the draft bill empowers the Centre to exempt any government agency from application of the proposed legislation.
The Act would give the government rights to process the personal data of any individual without seeking consent if the data is deemed to:
- Be in the interest of the security of state, public order, sovereignty and integrity of India and friendly relations with foreign states
- Provide benefit to the individual
- Be required for legal reasons
- Be necessary in case of a medical emergency
Apart from exemptions to government agencies, certain rights of users will be suspended if personal data is processed for law enforcement, judicial reasons, journalism, and for personal reasons.
The road ahead
The PDP Bill is set to be tabled in the next budget session of the Parliament in February 2021.
While the PDP Bill provides some clarity on the compliances and obligations applicable to data fiduciaries, a large number of compliances remain subject to the determination of the DPA, and the full impact of this legislation therefore may only be measured once these regulations are released.
In the coming weeks, we’ll take a closer look at consent managers and how data fiduciaries & data principals will adapt to this new reality of data privacy.