The data protection bill, which is intended to ensure that Indian citizens have autonomy over their personal data, specifies that the Central Government has the power to exempt any government agency from the application of the Act.
The draft Personal Data Protection Bill, 2019, which bars entities from storing and processing personal data without the clear consent of the individual, is to be introduced in the Lok Sabha in a few days.
The bill has been cleared by the Cabinet recently but has not yet been presented in Parliament. It is expected to be referred to a Select Committee for a detailed review. The bill, amongst other things, mandates strict consent from individuals before their personal data is collected or processed.
The bill states that when the Central Government is satisfied that it is essential in the interest of the sovereignty and integrity of India, the security of the State, public order, or friendly relations with foreign states, it could direct that all or any of the provisions of this Act would not apply to any agency of the Government in relation to the processing of such personal data.
The draft bill provides for exemptions for reasonable purposes, which include the prevention and detection of any illegal activity, including fraud, as well as whistleblowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, processing of publicly available personal information, and the operation of search engines.
The legislation lays down strict ground rules for processing the personal and sensitive data of children, while requiring that 'critical' personal information be processed only in India.
The draft bill states that data relating to health services, and data needed to comply with any law or court order, could be processed without the consent of the proprietor.
It also empowers the government to decide on the exemption list from time to time.
The bill also states that certain of its provisions shall not apply to the government if personal information is processed in the interests of the prevention, detection, investigation and prosecution of any wrongdoing, and is essential for enforcing a lawful right. It also specifies that the Central Government could exempt certain data processors from the application of this Act.
However, the draft bill released last year by the Justice BN Srikrishna committee had clearly specified that processing of personal information in the interests of the security of the State would not be allowed unless it is authorized pursuant to a law, is in accordance with the procedure established by such law, made by Parliament, and is required for, and proportionate to, such interests being achieved.
This provision required the government to abide by the Supreme Court’s 2017 privacy judgement, which orders the government to declare a particular objective for collecting private information, the authority ordering this, and the process to be followed.
The draft bill, which was cleared by the Cabinet recently, intends to create a "strong and robust data protection framework for India": it sets out the responsibilities of the data fiduciary (that is, the organization or entity that collects and processes data) and places a limitation on the transfer of personal data out of India.
The draft bill also authorizes the Centre to exempt any government agency from the application of the proposed legislation.
The draft bill states that the central government could make policies for the digital economy with respect to non-personal data. It may also direct any data processor to furnish any anonymized personal information or other non-personal information to enable better targeting of the delivery of services or the formulation of evidence-based policies by the Central Government.
The draft data protection bill also requires an authority to be set up for protecting personal information, and recommends stiff fines for violations of many provisions.
For example, violations relating to the processing of children's personal information shall attract a penalty of up to Rs 15 crore or 4% of global turnover, whereas a 'significant data fiduciary' would have to pay up to Rs 5 crore or 2% of global turnover for violations relating to data audits.
The draft bill describes the responsibilities of entities that process personal information, and requires that critical personal information be processed only in India. However, it could be transferred out of India for health or emergency services where such transfer is essential for quick action, and where the government has considered such transfer to be allowable.
It also states that sensitive personal information, such as financial information, health information, sexual orientation, biometric or genetic information, transgender status, and religious or political belief or affiliation, could be transferred out of India with clear consent, but shall continue to be stored in India. What constitutes critical data shall be notified by the Centre.
With regard to the personal information of children, the draft legislation suggests that data fiduciaries would have to verify the child's age and obtain the consent of a parent or guardian before any processing occurs.
Guardian data fiduciaries, meaning organizations that operate commercial websites or online services directed at children or that process large volumes of children's personal information, shall be restricted from profiling, tracking or monitoring children, as well as from undertaking data processing that could cause major harm to the child.
Furthermore, social media entities with a user base above a specific threshold, and whose actions have, or are expected to have, a major impact on electoral democracy, the security of the State, public order or the sovereignty and integrity of India, shall be notified as 'significant data fiduciaries'.
If such a 'significant data fiduciary' aims to undertake large-scale profiling, to make use of sensitive personal information such as genetic or biometric data, or to carry out any other processing that carries a threat of significant harm to individuals, it would first have to undertake a data protection impact assessment.
Every social media intermediary categorized as a 'significant data fiduciary' would allow users in India to voluntarily verify their accounts. Any user undergoing such voluntary verification would have to be provided with a mark of verification that is visible to all users of the service.
Such entities would also have to get their policies, as well as their conduct of data processing, audited by an independent data auditor.
The draft bill empowers the Centre to exempt any agency of the Government from the application of the Act in the interest of the integrity and security of the nation, foreign relations and public order.