Amid fears about the handling of sensitive data and information, allegations that the government was enabling the creation of a surveillance state, and the alleged leak of the private information of a plethora of people on the social networking site Facebook, a committee headed by retired Justice BN Srikrishna was constituted. It was given the task of carving out a solid foundation, or digital framework, for the proper handling and processing of personal and sensitive data. After long and tedious deliberation, it submitted its draft of the “Personal Data Protection Bill, 2018” to the Government on July 27, 2018.
Various Entities:
The Bill recognises several entities: the Data Principal (whose data is processed), Data Processors/Data Fiduciaries (who process the data), and a central regulating authority called the Data Protection Authority of India (DPAI). The term “Processing” includes collecting, recording, adapting, indexing and disclosing personal data. The DPAI is the central authority concerned with the proper implementation of the provisions of the bill.
Consent- Core Principle:
The bill makes “consent” the predominant factor in determining the course of processing of sensitive information. It explicitly states that the consent of the Data Principal must be obtained from him before his personal data may be handled. Consent must be “specific”, “clear”, “informed” and “capable of being withdrawn”, and the Data Principal must be fully “aware of the consequences” that may follow.
Vulnerable Sections- High Standard of Consent Required:
Strong protection becomes all the more necessary in cases involving vulnerable sections of society, such as children. The bill has been successful in catering to this need and has explicitly laid down an above-par protective shield to prevent the violation of children and the untoward use of their personal data.
Rights of Data Principal:
The rights given to the Data Principal form the backbone of the bill. They are:
1. The “Right to be Forgotten”, which enables a Data Principal to get his old, irrelevant data removed from the public domain. However, the term is very broad and has always been a subject of controversy whenever the time comes for its practical implementation.
2. The “Right to Portability”, which enables a Data Principal to freely move their data across service providers and other such Data Fiduciaries.
3. The “Right to Correction”, which gives them the right to correct and update their information; it becomes the duty of the Data Fiduciary to make the necessary changes.
4. The “Right to Confirmation and Access”, which gives the Data Principal the right to access their information and to know for what purpose it is being processed.
Data Protection Authority of India (DPAI) and Data Fiduciaries:
The dynamic outlook of the bill is evident from the creation of the Data Protection Authority of India (DPAI), which will carry on the work of categorising and segmenting data as “Personal Data”; such data will then naturally be subject to the provisions of the bill. However, the bill classifies Data Fiduciaries into “Significant” and “Insignificant” ones. This creates a lacuna, as the bill places accountability only on “Significant” Data Fiduciaries and so provides a safe escape for those that have not been tagged as “Significant”. Thus, not laying accountability on all Data Fiduciaries might lead to a weak control environment.
Transnational Migration of Data:
To clear the fog of ambiguity, the bill explicitly deals with the transnational migration of data and states the procedure for moving data across borders. However, the bill restrains Data Fiduciaries with regard to transferring “critical” and “sensitive” data and information, and delegates to the Data Protection Authority of India (DPAI) the authority to label data and information as “critical” and “sensitive”.
Penalties:
The bill also entails severe penalties for those who act in contravention of its provisions. It states that fines as high as 5 Crores may be imposed upon defaulters, and penalties of this kind give the bill a very robust stature. It also provides that a penalty of up to 1 Crore may be imposed if any provision is violated and no specific punishment is prescribed for it.
All in all, it may be said that this bill is central to the evolution of data protection law in India and will hopefully help in steering the development and refinement of this branch of law in a positive direction.
Written By : Rahil Setia (2nd Year)
Disclaimer : The views expressed in this article are views of the author and do not reflect the views of the Blog.