Transfer and Security of Data have been one of the most sought-after debates globally. India’s Personal Data Protection Bill [PDP], 2019 is the first attempt to domestically legislate on the issue of data protection. The present bill slightly differs from what was recommended by Justice B N Srikrishna committee in the previous draft version. Let us try to understand the basics of the PDP Bill, 2019.
There are five key terms that we should get ourselves acquainted with before moving ahead. The Bill defines ‘data fiduciary’ as the entity or individual who decides the means and purposes of processing data; ‘data principal’ as the individual whose personal data is being processed; ‘data processor’ as the entity or individual who processes data on behalf of the fiduciary; ‘data processing’ as any operation, including collection, manipulation, sharing or storage of data and ‘data localization’ as the act of storing data on any device physically present within the borders of a country.
The draft submitted by B N Srikrishna Committee required all fiduciaries to store a copy of all personal data in India, which was criticized by foreign technology companies that stored most of the Indians’ data abroad. The Present Bill, however, categorizes data into three categories and mandates the storage within the territory of India depending upon the type of data. The three divisions of data includes: ‘Personal Data’ – Data from which an individual can be identified like name, date of birth, address etc., ‘Sensitive Personal Data’- includes types of personal data like biometrics, sexual orientation, health etc., and ‘Critical Personal Data’ – which includes any data that the Government can at any time deem critical, like military or national security data.
The Bill also removes the requirement of ‘data mirroring’ in case of personal data and consent from the individual is required before making any data transfer abroad. However, the Bill exempts the processing of data without consent for ‘reasonable purposes’, including the security of the state, whistleblowing, medical emergencies, operation of search engines and processing of publicly available data. The Bill also calls for setting up of a national-level Data Protection Authority (DPA) for the supervision and regulation of data fiduciaries. The DPA is empowered to (i) draft specific regulations for all data fiduciaries across different sectors, (ii) supervise and monitor data fiduciaries, (iii) assess compliance with the Bill and initiate enforcement actions, and (iv) receive, handle and redress complaints from data principals. It shall consist of a chairperson and six members, with knowledge of at least ten years in the field of data protection and information technology.
The DPA shall have a separate adjudication wing to impose penalties and award compensation. Adjudicating Officers shall be specialists with at least seven years of professional experience in subjects including cyber and constitutional law, and data protection. Orders of the DPA can be appealed to an appellate Tribunal set up by the central government, and appeals from the Tribunal will go to the Supreme Court.
The penalties as stated in the Bill is Rs. 5 Crores or 2 percent of the global turnover for minor violations and Rs. 15 Crores or 4 percent of total global turnover for more serious violations. Further, any person who obtains, discloses, transfers, sells or offers to sell personal and sensitive personal data shall be punishable with imprisonment ranging up to five years, or a fine of up to three lakh rupees.
You can access the draft copy of the Personal Data Protection Bill here.