After almost two years of deliberations, the spotlight is back on the Personal Data Protection Bill, 2019 against the backdrop of the Parliament’s ongoing winter session.
A 30-member Joint Parliamentary Committee (JPC), headed by BJP MP PP Chaudhary, tabled its report with recommendations to the Bill in the two houses of the Parliament on Thursday.
While privacy advocates have been opposing the Bill, some Opposition MPs, too, have flagged concerns through their dissent notes. Let’s take a look at where we stand, the road ahead and why India needs a law to protect data.
How is personal data regulated currently?
At present, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which fall under the Information Technology Act, 2000, are used to protect personal data. The rules state that in case of any negligence in maintaining security standards while dealing with the data, companies using the data will be held liable for compensation.
The IT Act, however, is full of loopholes with respect to the regulation of sensitive personal data, the ability to override some of its provisions by contract, and the Act being applicable only to companies, not to the government or any foreign entity.
The new Bill looks to close those gaps.
What do the Bill and the JPC recommendations entail?
The Bill was first proposed by the government back in 2018. It was introduced in the Lok Sabha in 2019 by former Union Minister Ravi Shankar Prasad. Since then, several changes have been made to the original draft.
One of the recommendations by the JPC to the final draft of the Bill is the inclusion of non-personal data within its scope. That would change the nature of the Bill from personal data protection to just data protection.
The JPC recommends treating all social media platforms as publishers and holding them accountable for the content on their platforms. These platforms will also have to set up offices in India, and a statutory regulatory authority, on the lines of the Press Council of India, will be established.
Its other recommendations include setting up an alternative to the internationally accepted SWIFT payment system and handing the government wide-ranging powers like exempting any company from the application of the law.
The draft is also said to have regulations for organisations that deal only with children's data: they will have to register with the Data Protection Authority (DPA), a regulatory body that will have the authority to decide how various aspects of the law will be implemented.
How will compliance work?
As per the Bill, an individual whose personal data is being processed will be referred to as the data principal, and the entity or individual who decides the means and purposes of data processing will be known as the data fiduciary. The registration of data fiduciaries starts within nine months, and the appellate tribunal will begin work within 12 months of the notification of the Act.
The JPC has said that the DPA will commence its operations within six months and that the provisions of the Bill will be implemented no later than 24 months from notification.
The DPA will consist of members who are experts in fields such as data protection and information technology. Any person who is unsatisfied with the redressal offered by the data fiduciary can appeal to the DPA. Furthermore, orders of the DPA can be appealed to an Appellate Tribunal, and appeals from the Tribunal will go to the Supreme Court.
Since it isn’t possible to differentiate between personal and non-personal data when dealing with mass data, the committee has said that there should be only one DPA that deals with privacy and personal data as well as non-personal data. “To avoid contradiction, confusion, and mismanagement, a single administration and regulatory body is necessitated,” the committee said in the report.
It further states that if there is a data leak, the DPA is to be notified within 72 hours of the company becoming aware of the breach. The DPA shall then “take into account the personal data breach and the severity of harm that may be caused” to the persons whose data has been leaked and accordingly ask the company to report it and “take appropriate remedial measures”.
If the data fiduciary does not take prompt action, does not follow the regulations laid down, or does not appoint a data protection officer as per the rules, it could attract a penalty of up to Rs 5 crore or 2 per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
In addition to that, any entity violating the regulations for processing personal data or data of children, or transferring data outside India against the prescribed rules, shall be liable to a fine of up to Rs 15 crore or 4 per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
There are provisions laid down for government departments as well. In case of any offence, the head of the department is to first conduct an in-house probe to identify those responsible for the said violation, and only then will the liability be decided.
If somebody intentionally and without the consent of data fiduciary re-identifies personal data which has been de-identified, a jail term of up to 3 years or a fine of up to Rs 2 lakh or both shall be imposed.
However, even though a timeline has been laid down with regard to the implementation of the Bill, it is possible that it could get pushed to the next Parliamentary session due to a shortage of time.
Why is the Bill important for India?
India is advancing as a digital economy and needs a vigorous data protection law to safeguard the privacy of its citizens.
As there is no proper data protection regulation in place, it is hard to tell what rights citizens have, rendering the fundamental right to privacy largely meaningless. A data protection law will provide a legal basis for citizens’ entitlements, as it will help in describing the extent of the fundamental right to privacy as well as what data fiduciaries, who gather personal data, can and cannot do with it.
Furthermore, personal data includes potentially sensitive information such as phone numbers, addresses, religious beliefs, political opinions and so on. Right now, there are no regulations in place that stop companies from storing these datasets.
The companies are also not responsible if sensitive information like browsing patterns and online behaviors, often stored without taking the consent of the users, is leaked. This Bill will, therefore, have safeguards against the exploitation of such data.