The Union cabinet on Wednesday gave its approval to the Personal Data Protection Bill that seeks to lay down a legal framework to preserve the sanctity of “consent" in data sharing and penalize those breaching privacy norms.
In a first, the bill proposes that social media platforms create a mechanism so that for “every user who registers their service from India or uses their service from India, a voluntary verifiable account mechanism has to be made", said a senior government official.
The provision puts the onus of creating the mechanism on the company. The provision is largely aimed at checking social media trolling.
The bill categorizes data into three categories—critical, sensitive and general. Sensitive data—financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation—can be stored only in India. However, data can be processed outside India with explicit consent, the official cited above said.
Critical data will be defined by the government from time to time and has to be stored and processed in India. Any data that is non-critical and non-sensitive will be categorized as general data with no restriction on where it is stored or processed.
In line with the European Union’s General Data Protection Regulation (GDPR), the government last year introduced a draft personal data protection bill to regulate the use of an individual’s data by the government and private companies. Currently, there are no laws on the use of personal data and preventing its misuse, although the Supreme Court upheld the right to privacy as a fundamental right back in 2017.
The Personal Data Protection Bill, 2018, was prepared by a high-level expert group headed by former Supreme Court judge B.N. Srikrishna. However, interministerial consultations delayed its approval.
In September 2018, the apex court affirmed Aadhaar’s constitutionality, saying the linking of the biometric-based identification card with PAN only involved minimal information to fulfil the larger public interest of the poor, who can use it to obtain benefits and subsidies.
The judgement was a key step in firming up rules and regulations for data protection and privacy norms.
The bill will be introduced in Parliament soon and companies will be given some time for compliance once it becomes law.
The official said the government is entitled to direct a fiduciary—any person or entity that processes data—to get access to non-personal data to provide better services to citizens. For instance, the government can use non-personal or anonymous data for research or any other purpose.
“No personal data can be processed except for a specific, clear and lawful purpose," said the official.
However, in the interest of national security, certain agencies can have access to personal data for any investigation pertaining to offences. “Technological evidence is the best evidence. Investigation of crime is public purpose; hence, under the garb of data protection, one cannot cage the rights of an investigating agency," the official said.
As far as violations are concerned, a company will have to cough up as much as ₹5 crore or 2% of its worldwide turnover, whichever is higher, in case there is a data breach or inaction by the fiduciary or a minor violation. In case of major violations such as data processed or shared without consent, there will be a penalty of ₹15 crore or 4% of global turnover, the official said. Besides, there is also a jail term for any violation.
The bill will encourage entities to start processing data in India and, with its high level of data consumption, the country is expected to become one of the world’s biggest centres of data refinery. “The bill allows processing of data for lawful purpose only," the official said.
“What most people don’t realize is that unlike most other Indian laws, the Personal Data Protection Bill only lists a set of broad principles that lay down the contours of privacy in the country. That in itself offers neither a clear road map for governance nor any of the details that data principals, and fiduciaries alike, would need in order to understand their rights and obligations. A lot has been left for the incoming Data Protection Authority to flesh out," Rahul Matthan, partner at Trilegal, wrote in Mint last month.