Personal Data Protection Bill: All that you must know about the ‘sensitive data’ draft

Amid a sharp rise in data breaches, a new legislation has been proposed for taking explicit consent of individuals before sensitive personal information like religious or political beliefs, sexual orientation, and biometric information is processed. A high-level panel set up in 2017 and headed by Justice B N Srikrishna has drafted Personal Data Protection Bill, 2018 in which it restricts and imposes conditions on the cross-border transfer of personal data, and suggests setting up of Data Protection Authority of India to prevent any misuse of personal information.

The panel submitted its report on data protection, as well as the draft of the bill, to IT Minister Ravi Shankar Prasad, wrapping up nearly one year of deliberations. In its 213-page report.

Here are things you need to know about the draft of Personal Data Protection Bill, 2018:

The draft legislation, which would go to Parliament after stakeholder consultation, provides for a penalty of Rs 15 crore or 4 percent of the total worldwide turnover of any data collection entity, including the state, for violation of personal data processing provisions.
Failure to take prompt action on a data security breach can attract a penalty of up to Rs 5 crore or 2 percent of turnover, whichever is higher.
Once passed by Parliament, the framework will override all legislation dealing with data privacy and collection, including Aadhaar.
The Bill provides that the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.
It allows processing of personal data only for the purpose for which it is collected, for compliance with laws, for employment, and for any function of Parliament or a state legislature.
‘Sensitive personal data’ comprises passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric and genetic data, and data that reveals the transgender status, inter-sex status, caste, tribe, or religious or political beliefs or affiliations of an individual. These can be handled only with the explicit consent of the individual.
The Bill in the works aims to “protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data are appropriate, to create a relationship of trust between persons and entities processing their personal data.”
The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.
The law will not have retrospective application and will come into force in a structured and phased manner.
The report suggests amendments to the Aadhaar Act from a data protection perspective. Read along with the provisions of the proposed data protection bill, the amendments will deal with enforcement action and individual remedies.
The authority will be given the residuary power to notify further categories in accordance with the criteria set by law.
A data principal below 18 years of age will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind.
Cross-border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
The right to be forgotten may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of the following five criteria:
(i) the sensitivity of the personal data sought to be restricted;

(ii) the scale of disclosure or degree of accessibility sought to be restricted;

(iii) the role of the data principal in public life (whether the data principal is publicly recognisable or whether they serve in public office);

(iv) the relevance of the personal data to the public (whether the passage of time or change in circumstances has modified such relevance for the public); and

(v) the nature of the disclosure and the activities of the data fiduciary (whether the fiduciary is a credible source or whether the disclosure is a matter of public record; further, the right should focus on restricting accessibility and not content creation).

(Inputs from PTI, IANS)
