New bill to make sharing personal data difficult

The Personal Data Protection Bill is being sent to a joint select committee of both the Houses of Parliament amid protests by the Opposition, reports Tehelka Bureau

The government has proposed to send the Personal Data Protection Bill to a joint select committee of both the Houses of Parliament amid protests by the Opposition, which said the right of privacy of citizens is being compromised.

According to the Union minister Ravi Shankar Prasad, the government will bring a resolution in the House to refer it to a joint select committee of the Lok Sabha and the Rajya Sabha. The proposed committee could bring out a report before the Budget session, which usually begins in the last week of January, he added.

Shashi Tharoor of the Congress, who heads the Parliamentary Standing Committee on Information and Technology, protested the move and said it should be referred to his panel. Prasad said the joint panel will have the sole agenda of going through the bill as the parliamentary standing committee has other bills to scrutinise.

The much-talked-about legislation to protect personal data will allow processing of private data without the explicit consent of the owner of the information for credit scores, debt recovery, security, operation of search engines and whistle blowing.

The draft Personal Data Protection Bill, 2019 bars storing and processing of personal data by entities without the explicit consent of an individual, media reports said.

It, however, provides for exemptions for “reasonable purposes” such as “prevention and detection of any unlawful activity including fraud, whistle blowing, merger and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data, and the operation of search engines.” The legislation provides for stringent ground rules for processing of personal and sensitive information of children, while mandating the processing of ‘critical’ personal data only in India.

But data concerning health services and for complying with any law or court orders can be processed without the consent of the owner, the draft bill said. It also gives power to the government to decide from time to time on the exemption list.

The draft bill, cleared by the Cabinet last week, aims to create a “strong and robust data protection framework for India” as it fixes the obligations of the data fiduciary (that is, the entity collecting and processing data) and places restrictions on the transfer of personal data outside India. Interestingly, the draft bill empowers the Centre to exempt any government agency from application of the proposed legislation.

The draft bill also states that the central government can frame policy for the digital economy with respect to non-personal data. In particular, it can direct any data processor to “provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government”.

The draft data protection bill also entails setting up an authority for protecting personal data and prescribes stiff penalties for violation of various provisions. For instance, violations in case of processing of personal data of children will involve a fine of up to 15 crore or 4 per cent of the global turnover, while a ‘significant data fiduciary’ will have to pay up to 5 crore or 2 per cent of global turnover for contraventions pertaining to data audits.

The draft bill defines accountability of entities that process personal data, and mandates that critical personal data shall only be processed in India. However, it can be transferred outside India in case of health or emergency services “where such transfer is necessary for prompt action”, and where the government has deemed such transfer to be permissible. It said that sensitive personal data — like financial data, health data, sexual orientation, biometric or genetic data, transgender status, religious or political belief/affiliation — can be transferred outside India with explicit consent, but will continue to be stored in India. What constitutes critical data will be notified by the Centre.

On the personal data of children, the draft legislation proposes that data fiduciaries will have to verify their age, and obtain the consent of a parent or guardian before any processing takes place. Guardian data fiduciaries — that is, entities which operate commercial sites or online services directed at children, or process large volumes of personal data of children — will be barred from profiling, tracking or monitoring children and undertaking data processing that can cause significant harm to the child.

Further, social media entities with user base above a certain threshold and whose “actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India,” will be notified as ‘significant data fiduciary’. If such a ‘significant data fiduciary’ intends to undertake large scale profiling or use sensitive personal data like genetic or biometric data, or any other processing that carries risk of significant harm to individuals, it will have to first undertake a data protection impact assessment.

Every social media intermediary classified as a ‘significant data fiduciary’ will enable the users in India to voluntarily verify their accounts. Any user undergoing such voluntary verification will have to be provided with a mark of verification that is visible to all users of the service. Such entities will also have to get their policies and conduct (of data processing) audited by an independent data auditor.

The draft bill gives power to the Centre “to exempt any agency of Government from application of Act” in the interest of integrity, and security of the country, foreign relations and public order. The bill provides for a penalty of up to 15 crore or 4 per cent of global turnover for companies found violating norms under the Personal Data Protection Bill, while in case of certain minor violations, it proposes a penalty of 5 crore or 2 per cent of the global turnover.

The draft personal data protection bill that seeks to empower the Centre to exempt any government agency from the provisions of the proposed legislation has the industry worried, as they warn that such exemptions represent “new, significant threats” to the privacy of Indians. The proposed bill also provides for voluntary verification of social media users and transfer of non-personal data.

The outcry from industry watchers, analysts and civil society comes amid the draft bill suggesting that the Centre will be empowered to exempt any government agency from the application of the Act and verify social media users.

One of the provisions of the draft bill states that the Centre can — in the interest of sovereignty, the security of the state, and public order — “direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data…”