With the ubiquity and progressive adoption of digital technology for all transaction- and service-related aspects, data is increasingly being made available to various entities. The data protection bill of India, introduced in 2019, refers to policies and procedures that seek to minimize intrusions into the privacy of individuals caused by collecting and using their personal data.
The entity that processes data is referred to as a “data fiduciary”, which could be the State, a company, a juristic entity or an individual who, alone or in conjunction with others, determines the purpose or means of processing data. Data collected by fiduciaries may be classified into the following two categories:
- Personal Data – The data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person.
- Non-personal Data – Data that does not help identify individuals.
Thus, an individual’s location is personal data, whereas traffic flow in that location, derived from multiple drivers in that location, is not personal data.
“The purpose of Bill is to provide for protection of privacy of individuals relating to Personal Data.”
The Need for the Bill
In 2017, the Supreme Court of India held that privacy is a fundamental right as per Article 21 of the Constitution. This also includes privacy of Personal Data. In 2018, an expert committee drafted the bill, which was submitted to the Ministry of Electronics and IT. So far, under the IT Act 2000, security breaches of sensitive data caused by negligence in maintaining security standards were liable for compensation. However, the committee noted that the definition of sensitive personal data in the IT Act is narrow, and that some provisions may be overridden by a contract.
The bill governs personal data related to individuals and introduces certain rights for individuals. The natural person to whom the data relates is termed the data principal. The processing, collection, storage and transfer of data of individuals of India by Indian and foreign data fiduciaries come within the ambit of this law. The rights that the law provides to the data principal include:
- Seeking confirmation whether personal data has been processed.
- Seeking correction to personal data.
- Seeking whether personal data is complete and not misleading.
- Seeking transfer of personal data to other fiduciaries.
- Restricting continuing disclosure of personal data.
- Any processing of personal data by a fiduciary can be done only with the consent of the data principal.
The bill brings in certain transparency and accountability measures in terms of data processing by fiduciaries. For example:
- Personal data can be processed for a specific, clear and lawful purpose. Fiduciaries shall make certain information available in an easily accessible form, as specified in the bill.
- Data fiduciaries should ensure privacy by design in managerial, organizational, business practices and technical systems.
- Data fiduciaries to implement security safeguards and institute grievance redressal mechanism.
- Fiduciaries to ensure data impact assessment for large scale sensitive personal data processing.
- In case of a data breach, the fiduciary shall notify the Data Protection Authority.
- Fiduciaries to ensure record keeping and data audits. The bill also requires the fiduciary to appoint a data protection officer.
The bill imposes conditions and restrictions on cross-border transfer of personal data. For example:
- Data fiduciaries to ensure storage of data on a server or data center located in India.
- Transfer of non-sensitive data under contractual terms, with the permission of the Authority, is allowed subject to an adequate level of data protection.
In certain cases, the bill offers exemption from the applicability of its provisions, for example if processing of personal data is done:
- in the interest of security of the State.
- in the interest of prevention, detection, investigation of any offence or any other contravention of law.
- where disclosure of personal data is necessary for enforcing a legal right or claim, seeking relief, defending a charge or obtaining legal advice.
- for research, archiving or statistical purposes.
- for purely domestic or personal purposes by a natural person.
- for journalistic purposes.
The bill also mentions that the Central Government shall establish the Data Protection Authority of India, which shall be responsible for governance and administration of the provisions identified in the Data Protection Bill.