The normative foundation of the proposed Personal Data Protection Bill, 2018 (hereinafter referred to as the “Data Protection framework”) is the outcome of the judgment delivered by the Hon’ble Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India1. By the said judgment, the right to privacy was recognised as a fundamental right arising primarily from Article 21 of the Constitution. The Supreme Court further clarified that the right to privacy is not an absolute right and that an individual’s privacy interests may be overridden by competing State and individual interests.
In 2011, i.e. before the Justice Puttaswamy judgment (supra), the Government notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the SPD Rules), which were issued under Section 43A of the IT Act. The said Rules, read with Section 43A of the Act, hold only a body corporate liable to pay compensation for any negligence in implementing and maintaining reasonable security practices and procedures while handling sensitive personal data or information. However, with the pace of development of the digital economy, and with the right to privacy being recognised as a fundamental right after the law laid down by the Hon’ble Supreme Court in the Justice Puttaswamy judgment (supra), it has become inevitable to have a more elaborate law for protecting the data of individuals.
The recent disclosure of data sharing practices by Facebook2 has placed the interests of the individual (in whose name the data flows) as secondary to the interests of the corporates which handle the data, which has further strengthened the requirement for stringent norms for the protection of individuals’ data.
After the decision of the Supreme Court in the Justice Puttaswamy judgment (supra), a Committee under the aegis of Justice B.N. Srikrishna was constituted (popularly called the Justice Srikrishna Committee). The Committee in its Report sets out the need for propounding a Personal Data Protection Bill, because the data collection practice in India is presently opaque and mired in complex privacy forms that are unintelligible. The Committee opined that protecting the autonomy of an individual is essential not only for the sake of the individual, but because such autonomy is constitutive of the common good of a free and fair digital economy.
Some of the highlights of the Data Protection framework are elaborated below:
With many businesses not being based in India but carrying on business, or offering goods and/or services, in India, the State has a legitimate interest in regulating the activity of collecting and processing personal data by such entities. The Committee, therefore, proposes to extend the law to all such entities processing the personal data of Indian citizens or residents.
The data that is processed, the reasons for such processing, and the security standards maintained are the key factors in determining the applicability of the law. The Report provides that the proposed law shall not be retrospective in its application. However, if there is any ongoing processing activity at the time the law comes into effect, then the data fiduciary (i.e. the entity collecting the data) must ensure that it is in compliance with this law with respect to that activity. This means that merely because some personal data was collected prior to the commencement of this law, such personal data is not excluded from the application of the law.
As detailed earlier, the SPD Rules restricted their applicability to body corporates. However, the present Data Protection framework has taken into account the fact that Governments, as data fiduciaries, process large quantities of personal data, be it related to taxation, Aadhaar, social security schemes, driving licences, etc. Unlawful processing of such data can cause significant harm to individuals. As such, Governments, as data fiduciaries, must be within the remit of the law, ensuring that the State respects the right to privacy of the citizen.
The Bill will cover the processing of personal data by both public and private entities. Consent will be a lawful basis for processing of personal data. Furthermore, processing of the personal data of children3 must be undertaken with the utmost care and must be carried out with greater protection than ordinary processing of data.
The obligations of data fiduciaries
All processing of data must be fair and reasonable. Furthermore, the Bill imposes a restriction that only such data may be collected as is necessary for achieving the purposes specified for such processing. Thus, the minimum data necessary for achieving a purpose will be collected, and such data will be used only for the specified purpose and other compatible purposes and no other. Furthermore, data must be retained by the fiduciary only for a period that is necessary to satisfy the purpose for which it was collected. Once the purpose has been fulfilled, the data must be deleted or anonymised.
With large amounts of data being held by fiduciaries, a breach of personal data becomes a real possibility. Currently, in India, the SPD Rules deal with data security. Thus, the Bill provides for notification to the Data Protection Authority, upon the occurrence of such a breach, before notification to the individual is made. As propounded by the framework, the Data Protection Authority shall be a high-powered, independent national body. Such Authority shall have the power to issue directions, the power to call for information, the power to publish guidelines, to issue public statements, to conduct inquiries, to grant injunctive relief, etc.
Data Principal’s Rights
The Bill provides that these rights are based on the principles of autonomy, self-determination, transparency and accountability, in order to give individuals control over their data, which in turn is essential for freedom in the digital economy. The Bill provides the data principal with the (a) right to confirmation and access, (b) right to correction, (c) right to data portability and (d) right to be forgotten.
Transfer of Personal Data Outside India
Personal data that is maintained in India will always have the protection of India’s data protection regime. However, the national interest would require that at least an adequate level of protection must be accorded to personal data transferred abroad.
Cross-border transfers of personal data, other than critical personal data, may be made through model contract clauses containing key obligations, with the transferor being liable for harms caused to the principal due to any violations committed by the transferee. Personal data determined to be critical will be subject to the requirement that it be processed only in India (there will be a prohibition against cross-border transfer of such data). The Central Government should determine the categories of sensitive personal data which are critical to the nation, having regard to strategic interests and enforcement.
The Committee has recommended certain amendments to the Aadhaar Act, 2016 and the Right to Information (RTI) Act, 2005.
Offenses and Penalties
Penalties may be imposed on data fiduciaries and compensation may be awarded to data principals for violations of the data protection law. Moreover, joint and several liability to pay compensation would attach to the data fiduciary and its processors, with a penalty being imposed once the infringement has been proved.
As per Section 69 of the Bill, where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to 5 crore rupees or a percentage of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable:
the obligation to take prompt and appropriate action in response to a data security breach
the obligation to undertake a data protection impact assessment by a significant data fiduciary
the obligation to conduct a data audit by a significant data fiduciary
the appointment of a data protection officer by a significant data fiduciary
failure to register with the Data Protection Authority
Sub-clause (2) of Section 69 further provides that where a data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to 15 crore rupees or 4 per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable:
processing of personal data in violation of the provisions of the proposed framework
violation in the processing of sensitive personal data
violation in the processing of personal data of children
failure to adhere to security safeguards, de-identification and encryption, protecting the integrity of personal data, and preventing misuse, unauthorised access, modification, disclosure or destruction of personal data
violation in the transfer of personal data outside India
The framework further provides for a penalty for failure to comply with a data principal’s request, a penalty for failure to furnish a report, return, information, etc., a penalty for failure to comply with a direction or order issued by the Authority, and so on.
Companies such as Facebook, WhatsApp, Google, Uber, Apple, among others, may not be able to transfer and process ‘sensitive personal data’ of Indians on their servers abroad with the advent of the Data Protection Bill. As discussed earlier, the Bill prohibits cross-border movement of sensitive personal data except through model contract clauses containing key obligations, with the transferor being liable for harms caused to the principal due to any violations committed by the transferee. Personal data determined to be critical will be subject to the requirement that it be processed only in India (there will be a prohibition against cross-border transfer of such data).
The definition of sensitive personal data as it existed under the SPD Rules has been expanded to include passwords, financial data, health data, official identifiers, biometric data, genetic data, etc. Every entity collecting the data shall ensure storage of such personal data on a server located in India. To meet these expectations, entities will be required to spend large amounts on setting up local servers in India. This may be a hurdle for existing companies in terms of developing the infrastructure needed to comply with the law. Such a law may deter small business houses from starting or continuing their business in India.