The Indian government put forward the draft Personal Data Protection (PDP) Bill in 2019 to regulate data privacy and processing in India. With the fourth industrial revolution (the digital age), data has come to play a major role in the operation of any organisation. Accordingly, the EU created the General Data Protection Regulation (GDPR) in 2016. In line with the GDPR, the Indian government has brought in the PDP Bill. Like the GDPR, the Indian data protection bill keeps the same time frame of two years for implementation of the latest data protection regulations. The draft ushers in a paradigm shift in IT governance and regulation in India. The Bill proposes guidelines for “processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India”. The absence of any data protection law in India poses a serious threat to individuals’ personal data and leads to violation of the fundamental right to privacy. In particular, the Bill places great responsibility on IT enterprises, through which much of the data moves.
The Bill explicitly defines the roles of Data Fiduciaries, Data Processors and Data Principals, which is unprecedented in Indian law. The Data Fiduciary (an organisation, entity, individual or State, or any combination of them, that determines the purpose and process of data collection) has been given a greater onus to govern and regulate its data so that it complies with data protection law.
The extra-territorial provisions of the Bill emphasise that data obtained in India may be shared outside India, but shall be stored in India. It is also the responsibility of the data fiduciary to transfer data only with the consent of the data principal. India being the largest internet market, the volume of data used in India places a huge task before IT enterprises to align with the latest compliance requirements. Nevertheless, the enormous value that data has acquired has made its regulation inevitable. The Data Protection Authority of India is made responsible for regulating data protection law in India. The Data Protection Authority has been given a pivotal role in the regulation of data through measures such as qualifying data auditors and monitoring data processing and exchange, along with adjudicating powers.
The Data Fiduciary shall prepare a “Privacy by Design Policy containing the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal” to ensure transparency and accountability. A new rating mechanism, called the Data Trust Score, shall be introduced to evaluate the data protection regime of the Data Fiduciary. This is intended to build trust and credibility between the Data Fiduciary and the Data Principal.
Data Fiduciaries shall be classified into categories based on the range, volume and sensitivity of the data they process. Social media shall be classified as a Significant Data Fiduciary because of the wide range of personal data they process. A provision for special categories of data fiduciaries under a “SANDBOX” shall be created to encourage innovation by Data Fiduciaries who deal with artificial intelligence or other emerging technologies.
The Data Protection Officer shall be responsible for periodic assessment of a Data Fiduciary working with new technologies and a high volume of personal data. The Significant Data Fiduciary shall annually audit its data protection frameworks through an independent certified auditor to assess their clarity, effectiveness, transparency and security. The Data Fiduciary is made liable to pay the penalties and compensation prescribed in the data protection law. A penalty ranging from a minimum of 5 crore rupees or 2% of the worldwide turnover to 15 crore rupees or 4% of the worldwide turnover shall be imposed on the Data Fiduciary for any non-compliance with the Data Protection Bill. An Appellate Tribunal shall be constituted under the Bill to enforce the protection law; it shall act as an adjudicating authority with the same powers as a civil court under the Code of Civil Procedure, 1908.
- obligation to take prompt and appropriate action in response to a data security breach
- failure to register with the Authority
- obligation to undertake a data protection impact assessment by a significant data fiduciary
- obligation to conduct a data audit by a significant data fiduciary
- appointment of a data protection officer by a significant data fiduciary
A penalty which may extend to 5 crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
- processing of personal data in violation of the provisions
- processing of personal data of children in violation of the provisions
- failure to adhere to security safeguards
- transfer of personal data outside India in violation of the provisions
A penalty which may extend to 15 crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher.
Advantages of the PDP Bill
Protects critical information such as business transactions and financial statements.
Provides a standard procedure for data protection (last bill on data protection: Information Technology Act, 2000).
Personal or sensitive data collected in India shall now be stored in India.
Transparent and explicit data collection and processing procedure.
Enhances user privacy with advance notification of reasonable cause for collection of data.
Explicit classification of Data Fiduciaries will increase accountability in the processing and regulation of data protection.
Encourages innovation and technological advancement through the SANDBOX mechanism.
Exclusive authority and appellate body to monitor data protection, which will enhance the dispute resolution process.
Provides protection from cyber attacks.
Disadvantages/Challenges of the PDP Bill
Heavy hand of government in data protection through the Data Protection Authority.
Employers have the full right to use their employees’ data without taking any consent.
It is a challenging task to make large MNCs like Google and Facebook, with their latest innovations in technology (artificial intelligence and blockchain), submit to regulation and follow compliance requirements.
With the world more globalised, it is difficult to contain all data generated within the boundaries of a country. Therefore, Indian data protection provisions should be made compatible with other data protection regimes in the world, such as the GDPR and US data protection laws.