Recently, the Union Cabinet approved the introduction of the Personal Data Protection Bill in Parliament. The draft bill was prepared by the B.N. Srikrishna committee.
Need for Data Protection Bill:
- Although the Supreme Court upheld the right to privacy as a fundamental right, currently there are no laws on the use of personal data and preventing its misuse.
- Lack of a legal framework to preserve the sanctity of “consent" in data sharing and penalize those breaching privacy norms.
- There were no broad guidelines on the collection, storage, and processing of personal data, the consent of individuals, penalties and compensation, and a code of conduct.
- No check mechanism for social media trolling.
- Various countries came-up with their own data protection mechanism. Like the USA’s CLOUD Act, EU’s GDPR etc.
- The government and its agencies have access to Citizen’s biometric data after the Aadhar Judgement. It is necessary to protect these data from possible misuse.
Key features of Data Protection Bill:
- Categorization of data into three categories: critical, sensitive and general.
- Classification of ‘sensitive personal data (SPD)’: It includes passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political belief or affiliation.
- Processing of Sensitive Personal Data (SPD): It can be processed only with the explicit consent of the person.
- Critical personal data (CPD): The central government will notify categories of personal data as critical personal data. The CPD will then be processed in a server or data center located in India only.
- General Personal Data (GPD): Any data that is non-critical and non-sensitive will be categorized as general data. The GPD can be stored or processed outside India with the consent of the person.
- Access of General Personal Data (GPD): In the interest of national security, certain agencies can have access to personal data for investigations. Eg. for any investigation pertaining to offenses.
- The right to be forgotten (RTBF): The person “shall have the right to restrict or prevent continuing disclosure of personal data”.
- Creation of Mechanism by Social Media Platform: Every user who registers their service from India or uses their service from India, a voluntary verifiable account mechanism has to be made by the Social Media Platform.
- Penalty Provisions: It specifies penalties for not following its provisions. It includes a penalty of ₹5 crore or 2% of turnover, whichever is higher if no action is taken on a data leak. It will also have a jail provision.
- Major violations: Violations such as data processed or shared without consent will lead to a penalty of ₹15 crores or 4% of global turnover. It will also have a jail provision.
- Direction to data-fiduciary: The government is entitled to direct a fiduciary (any person or entity that processes data) to get access to non-personal data to provide better services to citizens. Eg. Data to be used for research purpose.
Importance of the Data Protection Bill:
- The country is expected to become one of the world’s biggest centers of data refinery.
- It will encourage entities to start processing data in India.
- The bill allows the processing of data for lawful purpose only.
- The data processing within India will bring possible job creation in data analytics technology such as Big Data, Informatica and DevOps, etc.
- It will help to boost the IT Start-Ups as they may get outsourced data from the Financial Firms for processing.
- Categorization of data will sensitize the citizens for meaningful use.
Criticism of the Data Protection Bill:
- The Personal Data Protection Bill only lists a set of broad principles that lay down the contours of privacy in the country.
- It offers neither a clear road map for governance nor any of the details that data principals, and fiduciaries alike, would need in order to understand their rights and obligations.
- Without skilling the data fiduciary, it is difficult to stop data misuse.
- There is no provision regarding the safeguard mechanism from the possible cyber attack.
The government should include the provisions raised by various stakeholders. Data fiduciary must be skilled for proper uses of their data. Creating awareness in this regard will give more fruitful results.
Also read: Consumer Protection Bill 2019