Personal Data Protection Bill, 2019 introduced in Parliament

newsroom

Acknowledging that the right to privacy is a fundamental right and it is necessary

to protect personal data as an essential facet of informational privacy, the
Ministry of Electronics and Information Technology in India has introduced the
Personal Data Protection Bill, 2019 in the Lok Sabha (lower house of the Indian
Parliament) on 11th of December, 2019.

The 2019 Bill seeks to,

provide for protection of the privacy of individuals relating to their personal

data,
specify the flow and usage of personal data,
create a relationship of trust between persons and entities processing the personal
data,
protect the rights of individuals whose personal data are processed,
create a framework for organisational and technical measures in processing of data,
lay down norms for social media intermediary, cross-border transfer, accountability
of entities processing personal data, remedies for unauthorised and harmful
processing, and
establish a Data Protection Authority of India for the said purposes.
The provisions of the Act, once it is enacted, will be applicable in respect of,

processing of personal data where such data has been collected, disclosed, shared
or otherwise processed within the territory of India,
processing of personal data by the State, any Indian company, any citizen of India
or any person or body of persons incorporated or created under Indian law, and
processing of personal data by data fiduciaries or data processors not present
within the territory of India, in specified cases.
According to the provisions of the Bill, “personal data” means data about or
relating to a natural person who is directly or indirectly identifiable, having
regard to any characteristic, trait, attribute or any other feature of the identity
of such natural person, whether online or offline, or any combination of such
features with any other information, and shall include any inference drawn from
such data for the purpose of profiling.

The Bill also provides for setting up of Data Protection Authority of India in
order to protect the interests of data principals, prevent any misuse of personal
data, ensure compliance with the provisions of this Act, and promote awareness
about data protection. The functions of the authority also include monitoring and
enforcing application of the provisions of the new Act (once it comes into force),
taking prompt and appropriate action in response to personal data breach, and
maintaining a database on its website containing names of significant data
fiduciaries.

It may be noted that in 2018 the Srikrishna Committee had submitted a report along
with a copy of the draft legislation namely ‘The Personal Data Protection Bill,
2018’, and in a major change as introduced in 2019, the new Bill seeks to empower
the government to seek from businesses anonymized and non-personal data to enable
better delivery of services and formulation of evidence-based policies.

Further, as per the provisions, data may only be retained for longer periods if
explicit consent of the data principal is obtained. Explicit consent of data
principal is also necessary for the collection and processing of Sensitive Personal
Data. The order of the adjudicating authority with respect to the data principal’s
right to be forgotten has been made appealable.

According to the 2019 Bill, sensitive personal data can be transferred across
borders provided a copy is retained in India. However, explicit consent of the data
principal will be required for such transfer/processing which may occur cross
border. Further, Critical Personal data will have to be retained and processed in
India alone. What may constitute critical personal data will be notified by the
government at a later date.

The 2019 Bill proposes significant changes in the procedure for search and seizure,
and such activities are not to be performed at the discretion of the Data
Protection Authority but upon the directions of a designated court.

Once the provisions come into effect, business and industry will have to work
towards increasing intra-organisation awareness and appoint a Data Protection
Officer to ensure compliance with this legislation. They would also be required to
internally audit all existing contractual obligations to ensure compliance relating
to protection of personal data.