News Highlight
The government has withdrawn the Personal Data Protection Bill from Parliament.
Timeline of Personal Data Protection Bill
The Personal Data Protection Bill, 2019
- The main idea behind the bill was to safeguard citizens’ privacy by properly defining personal data, establishing a Data Protection Authority (DPA), and framing a policy framework for data use, including by big tech companies like Meta and Google.
- The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
Key Provisions of the Bill
- Obligations of data fiduciary:
  - A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
  - Such processing will be subject to certain purpose, collection and storage limitations.
- Rights of the individual: The Bill sets out certain rights of the individual:
  - To obtain confirmation from the fiduciary whether their personal data has been processed
  - To seek correction of inaccurate, incomplete or outdated personal data
  - To transfer personal data to any other data fiduciary under certain circumstances
  - To control the continuous disclosure of their personal data by a fiduciary
- Grounds for processing data by fiduciary:
  - The Bill allows fiduciaries to process data only with the consent of the individual.
  - Exceptions where personal data can be processed without consent:
    - If required by the State for providing benefits to the individual
    - Legal proceedings
    - To respond to a medical emergency
- Social media intermediaries:
  - Platforms with a larger number of users and the potential to impact electoral democracy or public order have certain obligations, which include providing a voluntary user verification mechanism for users in India.
- Data Protection Authority:
  - The Bill sets up a Data Protection Authority which may: (i) take steps to protect the interests of individuals, (ii) prevent misuse of personal data and (iii) ensure compliance with the Bill.
- Transfer of data outside India:
  - Sensitive data may be transferred outside India for processing only with the consent of the individual.
  - However, such sensitive personal data should continue to be stored in India.
  - Personal data notified as critical personal data by the government can only be processed in India.
- Exemptions:
  - The central government can exempt any of its agencies from the provisions of the Act:
    - In the interest of the security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states
    - For preventing incitement to the commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters
  - Processing of personal data is also exempted from provisions of the Bill for certain other purposes, such as prevention, investigation, or prosecution of any offence, or for personal, domestic and journalistic purposes.
- Amendments to other laws:
  - The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Why has the Bill been withdrawn?
- Joint Committee of Parliament (JCP) suggestions
  - Given the major changes proposed by the JCP, the government deemed a new bill necessary rather than heavy patchwork on the existing bill.
- Opposition by privacy activists
  - Privacy activists had criticized the bill as inconsistent with the Supreme Court’s landmark judgment of 2017.
  - In Justice K. Puttaswamy vs. Union of India, the Supreme Court recognised privacy as a fundamental right.
  - They claimed that empowering the government to determine what is critical personal data could lead to an abuse of power by the state.
- Outcry over Article 12(a) and Article 35 of the Bill
  - Under Article 35, the central government could exempt any government agency from the law’s provisions, subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government.
  - Article 12(a), meanwhile, eliminated the need for the data principal’s informed consent for the processing of their data when it is required “for the performance of any function of the state authorised by law.”
Pic Courtesy: India Today
Content Source: Indian Express