HIGHLIGHTS OF PERSONAL DATA PROTECTION BILL, 2018

The Government of India has recently released the Personal Data Protection Bill, 2018 as well as a report by Justice B.N. Srikrishna Committee of Experts on data protection (Report) on 27.07.2018, which would ensure regulation of personal data collected by various entities and protection of privacy of people.

The Supreme Court of India has recently recognized right to privacy as a fundamental right under Article 21 of the Constitution of India, in Justice K.S. Puttaswamy (Retd.) v. Union of India in 2017. In this digital era, there is a high potential of misuse of personal data shared by people on various websites and media. In view of the above, the Committee has felt the need for a data protection framework for protecting citizens from dangers to informational privacy originating from state and non-state actors.

The essential features of the Bill are as follows:

The Bill casts a duty on a person, determining the purpose and means of processing personal data (Data Fiduciary) of a natural person (Data Principal), to provide requisite details about the nature and procedure of use of the personal data to the Data Principal.

The personal data may be processed on the basis of the consent of the Data Principal.

Upon receipt of such consent, the processing may be done by the Data Fiduciary for his own interest or if otherwise required by law, courts or Government, say, to provide medical treatment or health services, etc.

Personal data such as passwords, financial data, biometric data, etc (Sensitive Personal Data) may be processed only with prior explicit consent, i.e. specific, clear and informed consent for the aforesaid purposes.

The Data Principal may also file an application along with a prescribed fee to an Adjudicating Officer (AO), appointed under this law, to restrict or prevent continuing disclosure of personal data by a Data Fiduciary. The AO would then review the said application and pass orders based on the sensitivity of the personal data, the nature of the disclosure and of the activities of the Data Fiduciary, etc. Appeal against the orders of the AO may be made to an Appellate Tribunal established hereunder and, further to the Supreme Court against the orders of the Appellate Tribunal.

The Data Fiduciary has to take adequate measures to identify and avoid any harm that may be caused to the Data Principal due to misuse, unauthorized access, destruction of data, etc. For instance, the technology used to process personal data has to be in accordance with commercially accepted or certified standards, methods such as de-identification and encryption may be used, etc. Any such breach of use of personal data has to be notified to the Data Principal.

A Data Protection Authority of India has been established hereunder to protect the interests of Data Principals, promote awareness of data protection, etc.

The data fiduciaries, if, registered with the Data Protection Authority of India (Significant Data Fiduciaries) would have to keep proper records of its operations, etc, get its policies, etc audited annually, and so on.

The Data Fiduciary is not permitted to transfer any personal data overseas and has to ensure its storage on a server or data centre located in India. Cross-border transfer of personal data other than Sensitive Personal Data may be allowed only with prior approval of the Data Protection Authority of India or in other prescribed circumstances.

In the event of contravention of provisions of this law pertaining to processing of personal data and Sensitive Personal Data , etc, the Data Fiduciary would be liable to a maximum penalty of fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher. Further, the Data Principal may seek compensation in such cases from the Data Fiduciary.

The Report also recommends amendments to be made to the Information Technology Act, 2000, the Right to Information Act, 2005, and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 in order to incorporate provisions related to privacy protection. A few experts have reportedly lauded the Bill stating that it lays down a strong foundation for privacy protection in India.

Harini Daliparthy

Senior Legal Associate

The Indian Lawyer