The Minister of Electronics and Information Technology introduced the Personal Data Protection Bill (further, “the Bill”) on December 11, 2019, to enable the protection of the personal data of individuals. The proposal provides for the constitution of a Data Protection Authority of India (further, “DPA”) to consider all matters concerning personal data. Though Section 43-A of the Information Technology Act, 2000 (further, “IT Act”) provided for compensation in matters of infringement of personal data, the proposal aims to negate such provisions and create comprehensive legislation solely for data protection. The PDP Bill is currently being referred to a joint committee consisting of both Parliamentary houses, and the report is expected to be submitted by early 2020. After the Bill is brought into effect, Section 43 of the IT Act will be repealed, and the Bill is intended to supersede all other legislation in this regard.
The newly proposed Bill is intended to apply to personal data processing by the Government, all companies incorporated in the country and any foreign entities which deal with individuals' personal data. It refers to three primary categories of data: (i) Personal Data, which is connected to any natural person; (ii) Sensitive Personal Data, which is a subset of the former category and relates to, inter alia, the sexual orientation, genetic information, caste, religion, etc. of the person; and (iii) Critical Personal Data, which will constitute any other personal data categories recognised by the Government.
The data fiduciary is the body which determines the purpose and the methods through which the data will be processed. At the time of collecting the data, this body is mandated to serve a notice on the concerned person, which ought to include the intent behind the collection of data and all relevant identification details of the fiduciary and the concerned officer. Further, if required, all other sensitive information, including the process used to deal with the concerned data, the right to withdraw consent and all possible transfers of data, ought to be shared with the concerned individuals. The fiduciary functions with the consent of the concerned individuals; as such, any sensitive personal data especially requires the explicit consent of the person. Failure to do so will cause the fiduciary to act in violation of the principles of the Bill.
The Bill also confers rights on the concerned individuals, which include the authority to receive confirmation from the fiduciary on the status of their data, apply for rectification of personal data, enable the transfer of data to other fiduciary bodies and, finally, restrict the fiduciary from revealing their data by withdrawing consent. The underlying trend throughout the Bill is the priority of the consent of the individuals whose personal data is being processed. The Bill only provides for three urgent situations wherein any data on an individual may be utilised without their prior consent. These situations include, firstly, State necessity if it is for the upliftment of the concerned person; secondly, any proceedings in law; and thirdly, any urgent medical requirement. Further, the Bill envisages provisions under which the principles of the Bill can be negated for the protection of the integrity and sovereignty of the country, the protection of State security and the maintenance of public order. This power is not subject to any limitation and is vested solely in the Central Government.
The Bill also provides for the establishment of the DPA, which will be responsible for protecting the interests and concerns of persons and protecting them from any possible misuse of their personal data. Any decision rendered by this authority is subject to appeal to an Appellate Tribunal, and an appeal from the Tribunal can go before the Supreme Court. As such, the DPA is not the final authority in rendering decisions but simply provides a quasi-legislative forum to solve concerns related to compliance with the Bill. To further this cause, the Bill lays down grave penalties for default in complying with its provisions. Any transfer or processing of data which infringes the principles contained in the Bill is sought to be punished with either 4% of the annual turnover of the concerned fiduciary or Rs. 15 crore, whichever amount is higher. Further, any processing of personal data without obtaining the prior consent of the individuals, except in exceptional situations, is subject to three-year imprisonment or a fine or even both. The concerned person has the authority to challenge any misuse by the PDP before the recognised adjudicating forum to claim the necessary compensation.
The Bill furthers the need to protect personal data in the country and provides for a comprehensive structure which will increase the efficiency of data protection forums. The Bill provides rules, regulations and a categorisation of data into subsets, which enables professional steps towards creating a data protection regime. As such, the Bill is a vital initiative to develop an accurate and efficient data protection framework in the country.