Personal Data Protection Bill, 2019: It is based on Justice B N Srikrishna committee. It has following provisions:
- The Bill establishes a Data Protection Authority (DPA) as an independent regulator with quasi-judicial powers.
- Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
- Holistic Approach: The Bill governs the processing of personal data by: government, companies incorporated in India, and foreign companies dealing with personal data of individuals in India.
- The Bill classifies the data into 3 types:
- Critical data (characterized by the government) must be stored and handled only in India.
- Sensitive data like passwords, financial data, health data, biometric data, etc may be processed outside India with the explicit consent of the user and to be stored in India only.
- General data is any data that is non-critical and non-sensitive is categorised as general data with no limitation on where it is stored or managed.
- Rights of the individual includes seeking correction of inaccurate, incomplete, or out-of-date personal data, and the Right to be forgotten, i.e., to restrict continuing disclosure of their personal data by a fiduciary.
- Data Processing can be done only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include:
- If required by the State
- Legal proceedings
- To respond to a medical emergency.
- Big Social media intermediaries have to provide a voluntary user verification mechanism for users in India.
- The central government can exempt any of its agencies from the provisions of the Act in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states,
- The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Justice (Rtd) BN Srikrishna, has reportedly called it “a piece of legislation that could turn India into an Orwellian state”.
- No independent collegium for the appointment of members to the DPA.
- Open-ended exceptions power to the government.
The Personal Data Protection Bill, 2019, was withdrawn by the Union Information Technology Minister in light of the recommendations given by the Joint Committee of Parliament (JCP) on the Law.
Thus, it appears from above discussion that the bill appears to be a good step in the right direction. However, it has various issues that must be addressed to ensure that in a digital age someone’s privacy is not taken for granted.