The great strides taken towards the protection of personal data in the European Union, put in motion by the General Data Protection Rules of 2016, have triggered Indian legislature to provide meaningful measures to data protection laws in India. Previously proposed in the last winter session, the ‘Personal Data Protection Bill’, has been approved by the cabinet and is scheduled to be tabled in Parliament this winter session.
The ‘Personal Data Protection Bill of 2019’ looks to overhaul the under developed protection afforded to the personal data of individuals and sensitive personal data under the Information Technology Act, 2000 and the Sensitive Personal Data and Information Rules.
The landmark judgement of the Supreme Court of India in Puttaswamy v Union of India, acknowledged the right to privacy was a facet of the right of life and personal liberty, enshrined in Article 21 of the Constitution of India, and such right to privacy must include informational privacy as well.
Subsequent to the Supreme Court judgement and constant advances in the area of data protection in other parts of the world, a Committee of Experts on Data Protection Framework in India, headed by Justice B.N. Srikrishna was constituted. The committee submitted a White Paper along with the Personal Data Protection bill with the following considerations in mind: technological agnosticism, holistic application, the principle of informed consent, data minimization, controller accountability, structured enforcement and deterrent penalties.
There are various aspects of the Bill that are worth mentioning. Firstly, the Bill provides for the grounds to establish for the processing of personal data and special grounds for the processing of sensitive personal data. Consent is identified as one of the primary grounds for processing and is aimed at providing the data principal control over the processing of his or her own personal data. The draft bill clearly identifies that consent, coupled with the performance of a contract, will provide a greater degree of control to individuals. In addition to this, further safeguards are sought to be put up when dealing with the personal data of children as a mode of obtaining consent.
The Bill further enumerates various rights that are available to Data Principals (Data Subjects in the GDPR) and imposes on data controllers and processors the obligation of transparency and accountability.
A peculiar aspect of the Bill is imposing an obligation of processing personal data locally itself and imposes specific requirements for the transfer of personal data outside of India, a policy not found in the GDPR. Although this move could have some negative consequences, it would ensure effective enforcement of the law, reduce setbacks in dealing with foreign jurisdictions, and protect national security and interests. Furthermore, in a move focused on protecting national interests and containing the risk of surveillance from foreign states on critical data, the draft bill prevents data fiduciaries from sending ‘critical’ personal data outside the territory of India. However, what constitutes personal data and ‘critical’ personal data is a decision that has been left up to the relevant authority.
Perhaps most importantly, it shall constitute a data protection authority of India to ensure that the provisions are respected, penalties are promptly imposed, and remedies are freely available.
This would be a great stride towards catching up with other countries on the subject of data protection and D’ Andrea & Partners is closely following the developments on the Personal Data Protection Bill in the Parliament and is looking to the implementation of the Personal Data Protection Bill and working with its new requirements.