The much-awaited draft Personal Data Protection Bill 2018 by the Justice Srikrishna Committee is out. This bill will be a framework for India stating how to collect, process and store data. The bill has been submitted to Ravi Shankar Prasad, IT Minister, for review.
In this article, we will cover the following points:
What is the Personal Data Protection Bill 2018?
Till now the transfer of personal data in India was governed by Sensitive Personal Data And Information 2011 which has proven itself inadequate. Now, the Personal Data Protection Bill is required to address the flaws in current data protection laws. The bill applies to both government and the private sector.
According to the bill, any individual or enterprise who collects data will be known as “data fiduciary” and the individual providing their data will be known as “data principal”.
Here are several points that are put forward in this draft bill:
1. Definition of Personal Data
Personal data is what makes an individual identifiable. Aadhaar identification and biometric data will be included in sensitive personal data. The list of sensitive personal data also includes data regarding sexuality, transgender/intersex status, religious/political beliefs.
2. Power of Consent
The draft clearly states the importance of consent, which has to be given at the beginning of the processing. Processing of sensitive data should be on the basis of “explicit consent”. Also, consent needs to be ‘free’, ‘clear’, ‘specific’, ‘informed’ and ‘capable of being withdrawn’. But if the data principal decides to withdraw their consent, they might have to bear legal consequences.
3. Data Processing
The draft bill states that any person processing your data is obligated to do so in a ‘fair and reasonable manner’. Also, personal data shall be processed only for purposes that are ‘clear’, ‘specific’ and ‘lawful’.
4. Data Protection Authority
There is a new and powerful regulator, the ‘Data Protection Authority (DPA)’. It will be responsible for preventing unlawful activities, debt recovery, and processing of publicly available data.
5. Data Localization
The most controversial point put forward in the draft bill is the localization of data. The bill requires a copy of all personal data to be stored on servers in India. Also, a certain category of data, not specified by the government, needs to be stored in India only.
“Every Data fiduciary shall ensure the storage, on a server or data center located in India, of at least one serving copy of personal data to which this act applies” – Chapter VIII, The Personal Data Protection Bill 2018
6. Right to Correction
Data principals have the comprehensive right to correction, updating, and data portability. The right to deletion is, however, missing.
7. Data Breach
Any enterprise that has suffered a data breach needs to inform the DPA. The DPA will then determine whether users need to be informed about the breach.
8. Age Restriction
Many websites offering online services will need age verification and parental consent to continue. There will be significant restrictions on tracking the data of any minor (below the age of 18).
What Happens if You Don’t Comply With PDPB?
There are 2 levels of penalties prescribed for violation: the first is up to Rs 5 crore or 2% of total worldwide turnover, the second is up to Rs 15 crore or 4% of worldwide turnover. The actual penalty will vary according to the violation and will be awarded by the DPA.
Limitation of the Personal Data Protection Bill 2018
1. Data localization will be the biggest limitation. Companies will have to spend a huge amount on setting up local servers. While bigger firms like Facebook and Twitter might be able to meet this requirement, it will create problems for small enterprises. There is a possibility that some enterprises will choose not to offer services in India.
2. Right to correction is available but data fiduciaries can reject an application for correction of data if they believe it is unnecessary.
3. The Personal Data Protection Bill doesn’t give data principals the right to get their data deleted or erased.
4. Data fiduciaries are required to inform the DPA in case of a data breach. Thereafter the DPA will decide whether the data principal needs to be informed about this. It is not mandatory for data fiduciaries to inform the data principal about a breach.
5. There is also a wide exception for any processing of data for any function of Parliament or State Legislature. Also, there is an exception for the processing of personal data for the issuance of any license or permit.
6. Furthermore, the bill grants DPA the power to allow processing of personal data without consent for certain purposes like detection of unlawful activities, credit scoring, recovery of debt, network security.
Difference between PDPB and GDPR
The General Data Protection Regulation (GDPR), launched on 25 May 2018, strengthens the right of EU citizens to data protection and privacy. GDPR gives individuals control over their data. Its primary objective is to establish the right to privacy as a fundamental right.
We have listed some basic differences between the Personal Data Protection Bill 2018 (PDPB) and GDPR.
1. GDPR mandates data fiduciaries to tell the data principal how long data will be stored. PDPB lays down no such compulsion.
2. The Indian legislation gives the right to ask for a summary of data being shared. However, there is no definition of what a summary is. On the other hand, GDPR clearly states that the data principal is to be provided with a copy of the data undergoing processing.
3. Data fiduciaries don’t have to share the name of other recipients of personal data with data principal according to the draft bill. This is however mandatory in GDPR.
4. Unlike PDPB, GDPR requires data fiduciaries to share the source of personal data in case the data is not collected from data principal directly.
5. One of the biggest differences is that in case of a data breach data fiduciaries have to inform DPAI. They are not obligated to inform the data principal unless stated by the DPA.
6. GDPR leaves data localization to specific countries, most of which allow free flow of information, except for Germany and France, which require personal data to be resident in the country.
When will this draft become a bill?
The Justice Srikrishna Committee, after working for almost a year, finally submitted a draft of the Personal Data Protection Bill 2018 on 27 July 2018. The bill was submitted to Ravi Shankar Prasad, IT Minister, who will review it and consider the next steps to initiate the parliamentary procedure.
In the parliamentary procedure, the bill will be introduced in Lok Sabha and Rajya Sabha. After some recommendations from Rajya Sabha, the bill will be reintroduced in Lok Sabha. After approval from both houses, the bill will be sent to the President of India, who is free to send it back with or without any recommendations.
Personal Data Protection Bill 2018(Draft) is an exhausted version of GDPR.
But this draft bill is definitely a step in the right direction. What’s your say? Do you agree that this draft needs more fine-tuning for an effective enforcement?
Let us know what you think in the comment section below.