Saptaswara Chakraborty| North Eastern Hill University| 9th June 2020
Introduction
The world today that we live in is fast-paced, where data transfer is as normal as people travelling. These transferring of data happens between companies and their customers, the State and its citizens, to name a few. This has thus led to the increase in the vulnerability of such private information of the users being released. On the 27th of July, 2018, the Government introduced the draft of the Personal Data Protection Bill in the light of a similar bill having been passed by the European Union called the General Data Protection Bill. The passing of the GDPR in the European Union comes after the surfacing of Facebook’s admission on the sharing of data of 87 million users out of which 5 lakh users were Indian to Cambridge Analytics. With the Information Technology’s Reasonable Security Practices and Procedure also in place, questions are being asked on its effectiveness and the need of protecting the users from such malpractices. While talking about privacy, it is pertinent to refer to the judgement of Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors [ WRIT PETITION (CIVIL) NO 494 OF 2012] where the Supreme Court addressed and acknowledged the Right to Privacy as a Fundamental Right. The case while dealing with the Right to Privacy as fundamental right under article 21 also highlighted the right to informational privacy as a significant right. This article shall be dealing with the key features or the salient features of the Bill with a brief explanation of them.
Salient features of the Bill are
- Broad classification of data– Under this proposed bill, it regulates three categories of data. They are: Personal data, sensitive personal data and the critical personal data. Sensitive personal data has been defined under the Bill to include personal data such as the financial data, health data, sexual orientation, biometric, sex life, genetic data, intersex status, caste or tribe. Such an information can only be shared outside of India only after attaining the explicit consent of the user and the Data Protection Authority’s. The Critical personal data refers to the data which can only be processed in a server of data centre located within India. This means that such a data cannot be shared outside of India. A problem also remains regarding the unclarity of the scope of the definition of it.
- Right to data– Data portability refers to providing of data that the entities uses so that it is interoperable across various platforms. Such a right bars the hostage of personal data by certain entities. It prevents the entities that are in control of the personal data to hold such data of individuals in certain formats which therefore makes it difficult to use it elsewhere. Through this right, individuals are therefore required to be provided with the data which is structured, commonly used and machine readable.
- Right to confirmation and access– This right allows the users to obtain the following information from the data fiduciary on matters including confirmation on whether the data fiduciary has processed its personal data, summary of such a processed data, and Summary of such activities
- Right to be forgotten- Under this right the data principal has a right to restrict the data fiduciary from further disclosure of such a right if the purpose of such a disclosure has been served, if the data principal has withdrawn his/her consent and if such a disclosure was made illegally.
- Applicability of the Bill- Under the present Personal Data Protection Bill, which is governed by the IT rules, all the government bodies and its branches are excluded from its purview. It applies to such institutions which comes within the jurisdiction of the Indian territory.
- Transparency- Following aresome of the obligations that the data fiduciary is required to follow:
Firstly, to provide the manner of collection of the data, secondly the purpose of such a data collected , thirdly how such a right is being exercised and lastly the right to file a complaint.
- Accountability– The data fiduciary is responsible for protecting the personal data of the data principals. This bill is similar to that of the principles enumerated under the GDPR so that it is in accordance to that of the international practice. Further the engagement of a data fiduciary and a data processor must be done through a contract. A data barred from engaging with any other data processor unless it is mentioned within a specific clause.
- Breach of personal data– Under the occurrence of any breach of data, it would harm the data principal when such an occurrence happens. Therefore the data fiduciary is required to inform about the same to the authorities after which the authorities would instruct the data fiduciary to inform about it to the data principal and to take immediate and appropriate remedial actions as soon as possible.
- Reasonable use of the data– Chapter II of the Personal Data Protection Bill mentions the fair and reasonable processing, purpose, limitations , collection limitation, notice, data quality, etc. This however represents the stark difference from the previous Sensitive Personal Data Rules, 2011. Such a care is necessary on the part of the Data Fiduciaries because it ensures that a framework of accountability is setup.
- Children’s data privacy– A child’s personal data can only be processed after verifying their age and having obtained the consent of the parents. The Data Protection Authority also can classify any data fiduciaries who operate services directed to children.
Conclusion
Such a bill was brought to increase the security and the data of the citizens. After a thorough analysis of the various sections, it can be seen that the bill has increased the liability of the data fiduciaries manifolds with the prime objective of providing remedial measures whenever there is a breach of such a contract.
Leave a Reply