The Union Ministry of Electronics & Information Technology (MEITY) has constituted an expert Committee to study and identify key data protection issues and recommend methods for addressing them.
Why needed?
There is a need to ensure growth of the digital economy while keeping personal data of citizens secure and protected. Even though the Information Technology Act contains certain provisions about data protection and handling, experts are of the opinion that India needs a fresh data protection law with the increased digitisation led by Aadhaar, the Goods and Services Tax and the push towards a digital economy. The IT Act may also be inadequate to deal with the current requirements since it was drafted almost 17 years ago in 2000 and was last amended in 2008.
Also, in the last 5-6 years there has been a quantum leap in the world of technology, driven by trends such as the proliferation of social media, the growth of e-commerce leading to a boom in transactions over the Internet, and demonetisation, which has pushed more people into the digital economy. The IT Act may therefore have to be reconsidered in the light of these developments.
The government’s decision to focus on data protection comes on the back of a wave of privacy and data breaches, from corporates such as McDonalds, Reliance Jio and Zomato to government agencies that have leaked the personal data and Aadhaar of over 100 million citizens.
Draft Personal Data Protection Bill
- For data processors not present in India, the Act will apply to those carrying on business in India or other activities, such as profiling, which could cause privacy harms to data principals in India.
- The draft also provides for penalties for the data processor as well as compensation to the data principal to be imposed for violations of the data protection law.
- It has suggested a penalty of ₹15 crore, or 4% of the total worldwide turnover of any data collection/processing entity, for violating provisions.
- Failure to take prompt action on a data security breach can attract up to ₹5 crore or 2% of turnover in penalty.
- Personal data, the draft law states, may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing.
- The processing of sensitive personal data should be on the basis of explicit consent.
- The law will not have retrospective application and will come into force in a structured and phased manner.
- Processing that is ongoing after the coming into force of the law would be covered.
- Other personal data may be transferred outside the territory of India with some riders. However, at least one copy of the data will need to be stored in India.
- On the right to be forgotten, the draft states that the data principal will have the right to restrict or prevent continuing disclosure of personal data by a data processor.
- The committee has not treated data as property as the relationship between the individual and entities with whom the individual shares his personal data is one that is based on a fundamental expectation of trust.
- The draft law will go through the process of inter-ministerial discussions and the Cabinet as well as parliamentary approval.
Data Protection Authority
- The Justice Srikrishna committee has recommended the creation of a Data Protection Authority that will be in charge of ensuring that entities processing data do so in keeping with the law.
- The DPA, a sector agnostic body, will ensure that every entity that handles data is conscious of its obligations and that it will be held to account in case of failure to comply.
- The authority will be governed by a board consisting of six whole-time members and a chairperson appointed by the Union government on the recommendation of a selection committee.
- The selection committee shall consist of the Chief Justice of India or her nominee (who is a judge of the Supreme Court of India), the Cabinet Secretary, Government of India, and one expert of repute who has special knowledge of, and professional experience in, areas related to data protection, information technology, data management, data science, cyber and Internet laws and related subjects.
- The members of the DPA are to be individuals of integrity and ability with special knowledge of, and professional experience of not less than 10 years in, areas related to data protection, information technology, data management, data science, cyber and internet laws and related subjects.
- The DPA members will have a five-year term, subject to a suitable retirement age and their salaries will be prescribed by the Central government.
- Broadly, the DPA will have four departments and related functions: monitoring and enforcement; legal affairs, policy and standard setting; research and awareness; and inquiries, grievance handling and adjudication.
- The DPA will be stating codes of practice, conducting inquiries, and issuing warnings and injunctions.
Exemptions
- The expert committee has recommended that processing of data for certain interests such as security of the state, legal proceedings, research and journalistic purpose, may be exempt from certain obligations of the proposed data protection law.
- For the creation of a truly free and fair digital economy, it is vital to provide certain exemptions from obligations that will facilitate the unhindered flow of personal data in certain situations.
- These exemptions derive their necessity from either a state or societal interest.
- It, however, added that adequate security safeguards must be incorporated in the law to guard against potential misuse.
- The processing of personal data in the interests of the security of the state shall not be permitted unless it is authorised pursuant to a law and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.
- It has been recommended in the report that the Central government should expeditiously bring in a law for the oversight of intelligence gathering activities.
- The research exemption has not been envisaged as a blanket one and only those obligations that are necessary to achieve the object of the research will be exempted by the Data Protection Authority (DPA).
- It further added that to strike a balance between freedom of expression and right to informational privacy, the data protection law would need to signal what the term ‘journalistic purposes’ signifies, and how ethical standards for such activities would need to be set.
Protecting the data of children
- The committee on data privacy has made specific mention of the need for separate and more stringent norms for protecting the data of children, recommending that companies be barred from certain types of data processing such as behavioural monitoring, tracking, targeted advertising and any other type of processing which is not in the best interest of the child.
- It is widely accepted that processing of personal data of children ought to be subject to greater protection than regular processing of data.
- The justification for such differential treatment arises from the recognition that children are unable to fully understand the consequences of their actions.