2019 – Posted in: Daily News

Personal Data Protection Bill 2019

For: Preliminary & Mains

Topics covered:

Key features, Advantages, Need, Criticism of the Personal Data Protection Bill 2019

News Flash

The cabinet clears the Personal Data Protection Bill. The bill spells out a framework for the handling of personal data including its processing by public and private entities.

The bill is drafted by a panel headed by a former Supreme Court judge B. N. Srikrishna, is key for how firms including global tech giants Amazon, Facebook, Alphabet’s Google and others process, store and transfer Indian consumers’ data.

What do you mean by Data?

Data usually refers to information about your messages, social media posts, online transactions, and browser searches. Data is any collection of information that is stored in a way so computers can easily read them (011010101010 formats).
Data is stored in a physical space similar to a file of documents, and transported across country borders in underwater cables that run as deep as Mount Everest and as long as four times the Indian Ocean. To be considered useful, data has to be processed, which means analysed by computers.
The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.

Guidelines

Broad guidelines on collection, storage and processing of personal data, consent of individuals, penalties and compensation, code of conduct and an enforcement model is likely to be a part of the law.

Personal Data Protection Bill 2019 Image: Livemint

Why companies are worried?

The proposed law may have a considerable impact on MNCs operating in India, whether with or without a physical presence, due to its data localisation requirements and cross-border data transfer restrictions.
The Reserve Bank of India had, in April last year, issued a data localisation directive, mandating all authorised payment system operators and banks to store payment systems data only in India.
This led to various ambiguities in the requirements as well as industry pushback on the strict requirements imposed, especially by global payment companies.

Why does data matter?

The large collection of information about you and your online habits has become an important source of profits, but also a potential avenue for invasion of privacy because it can reveal extremely personal aspects.
Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to you online.

Who store/handle the data?

Data is collected and handled by entities called data fiduciaries.
While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor. This distinction is important to delineate responsibility as data moves from entity to entity.

How does the bill propose to regulate data transfer?

The draft had said all fiduciaries must store a copy of all personal data in India — a provision that was criticised by foreign technology companies that store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash. The approved Bill removes this stipulation, only requiring individual consent for data transfer abroad.

Similar to the draft, however, the Bill still requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA). The final category of critical personal data must be stored and processed in India.

The Bill mandates fiduciaries to give the government any non-personal data when demanded. Non-personal data refers to anonymised data, such as traffic patterns or demographic data. The previous draft did not apply to this type of data, which many companies use to fund their business model.

The Bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism. While the process can be voluntary for users and can be completely designed by the company, it will decrease the anonymity of users and “prevent trolling”.

Key Features

The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
The Bill calls for the creation of an independent regulator DPA, which will oversee assessments and audits and definition making. Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more. The committee’s draft had required the DPO to be based in India.
The committee’s draft had several other significant keywords that are expected to be in the Bill. “Purpose limitation” and “collection limitation” limit the collection of data to what is needed for “clear, specific, and lawful” purposes or for reasons that the data principal would “reasonably expect”. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.

Source: Indian Express