Personal Data Protection Bill 2019
- September 8, 2021
- Posted by: OptimizeIAS Team
- Category: DPN Topics
Subject – Governance
Context – More delays on Data Protection Bill. Panel finalised draft report last year but it wasn’t circulated to members.
Concept –
- The Bill, prepared by a committee headed by retired Justice B N Srikrishna, has three key aspects.
- The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
- The Bill defines three types of personal data: critical, sensitive and general.
- Sensitive data constitutes or is related to passwords, financial data, health data, official identifiers, sexual orientation, religious or caste data, biometric data and genetic data. It may be processed outside India with the explicit consent of the user.
- Critical data will be defined by the government from time to time, and must be stored and handled only in India.
- General data: Any data that is non-critical and non-sensitive is categorised as general data with no limitation on where it is stored or managed.
Other Key provisions:
- Data principal: As per the bill, it is the individual whose data is being stored and processed.
- Exemptions: The government is empowered to order any data fiduciary to acquire personal and non-personal/anonymised data for the sake of research, national security and criminal investigations.
- Social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, should develop their own user verification mechanism.
- An independent regulator, the Data Protection Agency (DPA), will oversee assessments, audits and definition making.
- Each company will have a Data Protection Officer (DPO) who will liaise with the DPA for auditing, grievance redressal, record maintenance and more.
- The bill also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
- The right to be forgotten: this right allows an individual to remove consent for data collection and disclosure.
How is data handled?
- Data is collected and handled by entities called data fiduciaries.
- While the fiduciary controls how and why data is processed, the processing itself may be done by a third party, the data processor.
- The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.
For more information, please refer to – The Personal Data Protection Bill, 2019, PRS.