The PDP Bill – Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same.
Now known as the Data Protection Bill, 2021, it will soon become a part of Indian Legislature as the Data Protection Act, 2021. The Act defines the rights of data principals (data subjects), the obligations of data fiduciaries (data handlers), and penalties for non-compliance.
Track the updates on this bill here: The Personal Data Protection Bill, 2019 (prsindia.org).
Why is this law important?
- Collection of information about individuals and their online habits has become an important source of profits, but also a potential avenue for invasion of privacy because it can reveal extremely personal aspects.
- Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
- To prevent the breach of privacy and unwarranted advertising, this bill was a necessity.
The scope of this law:-
The Data Protection Bill 2021 applies to both personal and non-personal data. The Bill defines “personal data” as any data related to a natural person that may identify them with regard to characteristics, traits, attributes, and features. “Non-personal data” is defined as any data that is not personal in nature. It is the combination of all such information that can profile an individual.
As far as the territorial scope of the Data Protection Bill is concerned, it applies to the processing of all personal data that has been “collected, disclosed, shared” within the territory of India or by a person that is under Indian law. Furthermore, it applies to all data fiduciaries that are not present in India if the collected data is used for any business purpose within India.
Salient features of this law:-
The Bill seeks to provide for the protection of personal data of individuals. The Bill governs the processing of personal data by:
- Companies incorporated in India
- Foreign companies dealing with personal data of individuals in India
- Obligations of data fiduciary: Personal data can be processed only for a specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as:
  - Implementing security safeguards (such as data encryption and preventing misuse of data), and
  - Instituting Grievance Redressal Mechanisms to address complaints of individuals.

  They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
- Rights of the individual:
  - Seek correction of inaccurate, incomplete, or out-of-date personal data.
  - Have personal data transferred to any other data fiduciary in certain circumstances.
  - Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- Grounds for processing personal data: The Bill allows the processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include:
  - If required by the State for providing benefits to the individual,
  - Legal proceedings,
  - To respond to a medical emergency.
Find the comparison between the PDP Bill and GDPR here: Comparison - Personal Data Protection Bill and General Data Protection Regulation.