Personal Data Protection Bill, 2019

The Personal Data Protection (PDP) Bill, 2019, introduced in Lok Sabha by the Minister of Electronics and Information Technology on December 11, 2019, has been referred to a joint select committee. The Bill seeks to provide for the protection of personal data of individuals.

  • The Bill governs the processing of personal data by government, companies incorporated in India, and foreign companies dealing with personal data of individuals in India.
  • Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
  • It sets out certain rights of the individual (or data principal) like the right to:
    1. obtain confirmation from the fiduciary on whether their personal data has been processed,
    2. seek correction of inaccurate, incomplete, or out-of-date personal data,
    3. have personal data transferred to any other data fiduciary in certain circumstances, and
    4. restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
  • It allows processing of personal data by fiduciaries only if consent is provided by the individual.
  • Social media intermediaries that enable online interaction between users and allow for sharing of information, that have users above a notified threshold, and whose actions can impact electoral democracy or public order have certain obligations, like providing a voluntary user verification mechanism for users in India.
  • It sets up a Data Protection Authority (DPA) consisting of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology.
  • Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
  • The central government can exempt any of its agencies from the provisions of the Act in the interest of the security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states, and for preventing incitement to commission of any cognisable offence relating to the above matters.
  • Processing of personal data is also exempted for certain other purposes such as: prevention, investigation, or prosecution of any offence, or personal, domestic, or journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.

Offences under the Bill

  • Processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and
  • Failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.
  • Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
  • The central government may direct data fiduciaries to provide it with any non-personal data and anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
  • The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

Significance of the Bill

  • Strikes a Balance: It is designed to fall between the laissez-faire approach of US law and the much stricter regime of the General Data Protection Regulation in force in the European Union, striking a balance between the imperatives of privacy and security.
  • Conducive for Digital Economy: It includes features like the right to be forgotten, a much-needed stepping stone towards a mature digital economy and society.