Why in news?
The draft personal data protection Bill 2018 was submitted by the Justice B.N. Srikrishna-headed expert panel.
What are the key provisions?
- The draft takes into account three aspects in terms of data - the citizens, the state and the industry.
- The draft bill notes that "the right to privacy is a fundamental right".
- It thus makes it necessary to protect personal data as an essential facet of informational privacy.
- Data - Critical personal data of Indian citizens should be processed in centres located within the country.
- Central government will notify categories of personal data that will be considered as critical.
- Other personal data may be transferred outside the territory of India with some conditions.
- However, at least one copy of the data will need to be stored in India.
- For data processors not present in India, the Act will apply to those carrying on business in India.
- It may also include other activities such as profiling which could cause privacy harms to data principals in India.
- 'Data principal' refers to the individual or the person providing their data.
- Violation - The draft also provides for penalties and compensation for violations of the data protection law.
- The penalty would be Rs.15 crore or 4% of the total worldwide turnover of any data collection/processing entity, for violating provisions.
- Failure to take prompt action on a data security breach can attract up to Rs.5 crore or 2% of turnover as a penalty.
- Consent - Processing of sensitive personal data should be on the basis of “explicit consent” of the data principal.
- The consent should be given before the commencement of the processing.
- The law will not have retrospective application.
- Anonymisation - It is the irreversible process of transforming personal data to a form in which a data principal cannot be identified.
- Notably, the provisions of the draft shall not apply to processing of anonymised data.
- However, anonymisation should meet the standards specified by the Authority.
- Right to be forgotten - The data principal will have the right to restrict or prevent continuing disclosure of personal data by a data processor.
- But the bill does not allow for a right of total erasure as the European Union does.
- Also, it gives a data processor considerable space in deciding on this ‘right to be forgotten.’
- The data holder may charge a reasonable fee to be paid for complying with such requests.
- Implementation - The law will come into force in a structured and phased manner.
- The draft has recommended setting up a Data Protection Authority to prevent misuse of personal information.
- The draft Bill also provides for setting up an Appellate Tribunal.
What next?
- Srikrishna committee on Data protection has submitted the report and draft Bill to the Ministry of Electronics and Information Technology.
- The Bill is expected to be put to widest parliamentary consultation.
- It will go through inter-ministerial discussions and the Cabinet as well as parliamentary approval.
- The government is not bound to accept the recommendations, but the final bill could be close to the panel’s version.
Source: The Hindu, Indian Express