Madhu mithra
PERSONAL DATA PROTECTION BILL 2019 AND ITS VARIANCE FROM THE ONE ALREADY ENFORCED
Madhu mithra natarjan 24 Aug 2021

PERSONAL DATA PROTECTION BILL 2019 AND ITS VARIANCE FROM THE ONE ALREADY ENFORCED

India though one of the world’s largest democracies, does not possess proper legislation to protect the privacy of its citizens. A draft of the new law - “Personal data protection” (PDP) was introduced in 2018. Post the Supreme Court’s ruling in 2017, which classified privacy as a fundamental right (concerning about Aadhaar), the Government took a step towards forming stricter data protection and privacy laws in India. The 2018 Bill underwent few changes and the 2019 version was passed in the cabinet and still waiting for its enactment.

The PDP 2019 bill is meant to regulate how various companies and organizations use the data of their citizens outside and inside India. The bill proposes the formation of a Data Protection Authority (DPA), which would regulate the use of users’ data by social media companies and other organizations. It is also expected to set data localization norms for companies that retain user data.

 

OBLIGATION OF DATA FIDUCIARY

The data fiduciary is obliged to obtain the consent of the individuals before processing the data. The data obtained should be used for some lawful purpose. The individual’s data should be properly safeguarded i.e., encrypted by the fiduciary. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.

 

GROUNDS FOR PROCESSING OF DATA WITHOUT CONSENT

The data of citizens can be processed without the consent on the following aspects

 

1.     to comply with any order or judgment of any Court or Tribunal in India

2.     to respond to any medical emergency involving a threat to the life or a severe threat

3.     to undertake any measure to ensure safety

4.     any public interest in processing for that purpose

 

RIGHTS OF DATA PRINCIPAL

The data principal shall by regulations, have the right to— (a) the correction of inaccurate or misleading personal data; (b) the completion of incomplete personal data; (c) the updating of personal data that is out-of-date; and (d) the erasure of personal data which is no longer necessary for the purpose for which it was processed.


DATA TRANSFER OUTSIDE INDIA

Personal data shall be transferred outside India for the purpose of processing it but only after the consent of the individuals. The applicability of the bill is extra-territorial, which means that it seeks to protect the data of not only Indian citizens but any data principal within the territory of India whose data is being processed by Indian companies or MNCs situated in India or outside.

 

EXEMPTIONS

The central government may exempt its agency from the regulations of this legislation in the interest of the security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states, and for preventing incitement to the commission of any cognizable offenses.

 

PENALTIES AND COMPENSATION

Offenses under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent are punishable with imprisonment of up to three years, or fine, or both.

 

INFORMATION TECHNOLOGY ACT, 2000

Sections 43A and 72A of Information Technology Act, 2000, and Information Technology Rules, 2011initiates data protection. Section 43A talks about compensation on the failure to protect data while section 72A deals with punishment for disclosure of information in breach of lawful content.

Under Section 72A imprisonment is for a term which may extend to three years or with a fine which may extend to Rupees Five Lakh or both. The Information Technology Rules, 2011 insists on the consent of the individual before disclosing information.

Whereas the PDP Bill 2019 covers the entire scenario of data protection which is the need of the hour.

 

CONCLUSION

Many developed countries have enacted data protection laws to ensure the data privacy of their citizens. But in India, a country with second largest population does not possess enough legal  resource to penalize the illegal data sellers. Digital India and other movements adopted by Indian government cannot be achieved without enforcing the Data protection legislation.

 

 

Did you find this write up useful? YES 1 NO 0
Featured Members view all

New Members view all

×

C2RMTo Know More

Something Awesome Is In The Work

0

DAYS

0

HOURS

0

MINUTES

0

SECONDS

Sign-up and we will notify you of our launch.
We’ll also give some discount for your effort :)

* We won’t use your email for spam, just to notify you of our launch.