The Personal Data Protection Bill (PDP Bill ) was tabled in the Indian Parliament by the Ministry of Electronics and Information Technology on 11 December, . As of March, 2020 the Bill is being analyzed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders. The JPC, which was set up in December, , is headed by BJP Member of Parliament (MP) Meenakshi Lekhi. While the JPC was tasked with a short deadline to finalize the draft law before the Budget Session of 2020, it has sought more time to study the Bill and consult stakeholders.
The Bill covers mechanisms for protection of personal data and proposes the setting up of a Data Protection Authority of India for the same. Some key provisions the Bill provides for which the 2018 draft Bill did not, such as that the Central government can exempt any government agency from the Bill and the Right to Be Forgotten, have been included. Following are the main provisions of the bill :
● The Bill removes the requirement of data mirroring (in the case of personal data). Only individual consent for data transfer abroad is required.
● The Bill requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).
● Critical personal data must be stored and processed in India.
● The Bill mandates fiduciaries to provide the government any non-personal data when demanded.
● The Bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data, to develop their own user verification mechanism.
● The Bill includes exemptions for processing data without an individual’s consent for ‘reasonable purposes’, including the security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
Also Read: Who is Hamas in Palestine
● Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
● The Bill calls for the creation of an independent regulator Data Protection Authority, which will oversee assessments and audits and definition making.
● The Bill stated the penalties as : Rs. 5 crores or 2 percent of worldwide turnover for minor violations and Rs. 15 crores or 4 percent of total worldwide turnover for more serious violations.
● Finally, it legislates on the right to be forgotten. With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
● It also grants individuals the right to data portability and the ability to access and transfer one’s own data. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
● The Bill proposes limitation’ ‘Purpose and ‘Collection limitation’ clause, which limit the collection of data to what is needed for ‘clear, specific, and lawful’ purposes.
Positive Aspects of the Data Protection Bill
● Data localisation can help law-enforcement agencies access data for investigations and enforcement.
● A strong data protection legislation will also help to enforce data sovereignty.
● Data localisation will also increase the ability of the Indian government to tax Internet giants.
● Social media is being used to spread fake news, which has resulted in lynchings, national security threats, which can now be monitored, checked and prevented in time.
● Instances of cyber-attacks and surveillance will be checked.
Negative Aspects of the Data Protection Bill
● Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
Also Read: PM-CARES for Children' Scheme
● National security or reasonable purposes are open-ended terms; this may lead to intrusion of the state into the private lives of citizens.
● Technology giants like Facebook and Google have criticised the protectionist policy on data protection (data localisation).
● Protectionist regime suppresses the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
● Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.