AN ANALYTICAL STUDY ON THE PERSONAL DATA PROTECTION BILL, 2018[1].
INTRODUCTION:
“By signing up you agree to the privacy policy and terms and conditions of our site”, the most commonly read phrase by millions but usually ended up falling on deaf ears. The extent to which these words have our lives chained up is horrifying. This one sentence is capable of invading your personal life: by infringing your right to privacy, recording your personal data, tracking your activities on a daily basis etc. Have you ever wondered why the advertisements displayed in your screen are always according to your personal preference? It is because you are being tracked on a daily basis. But sadly this action can’t be considered as an infringement of your right to privacy because you’ve given your consent by signing up.
It is indeed true that internet has penetrated in every aspect of our lives and established itself in such a way that a slow internet connection can cause depression and stress to all of us. From signing e-contracts to net banking, every transaction is done via the internet. Hence this makes it a high time for our legislature to come up with a law to tame this beast.
This bill is known as the “Personal Data Protection Bill” is framed in order to protect, prevent the malpractices which occur in the processing of personal data. This bill also ensures that none of the rights of the individual is infringed. This bill establishes a fiduciary relationship between the data principal and the service provider. A committee of experts on a Data Protection Framework for India submitted a report and draft bill to The Ministry of Electronics And Information Technology on July 27, 2018. Few of the most outstanding aspects that are considered by the framers while drafting the bill are elucidated below:
JURISDICTION OF THE BILL[2]:
Due to globalization and liberalization, many foreign corporations have established themselves in India. The most salient feature of this bill is that it not only extends to the whole of India[3] but also the foreign entities which process the data of citizens in India[4]. Thus, the bill ensures the data of each and every citizen is being protected by the shields of law.
CONSENT BASED PROCESSING:
Section 12 of the bill extensively sheds light on the consent of the data principal. The section emphasizes the standards under which the consent given by the data principal is to be held valid. It is to be noted that the data principal has to be provided with necessary information like the application of the information obtained[5] and the categories of information obtained[6] etc., The bill ensures that the data principal is informed about every stage of data processing starting from collecting to deleting.
DATA STORAGE LIMITATION:
The section 10 of the bill states the tenure till which the processed data will be retained. The fiduciary runs a periodic security check to ensure that the data in its possession is necessary to be retained[7]. If the purpose of the processed data is fulfilled the data fiduciary may delete it[8].
THE GROUNDS FOR PROCESSING OF DATA:
The Chapters III, IV, and V state the grounds of processing of personal data, grounds of processing sensitive personal data and processing of personal & sensitive personal data of children respectively. This section curtails the extent to which the collected data can be used. The bill prevents the profiling, tracking and behavioral monitoring of children.
THE RIGHTS OF THE DATA PRINCIPAL:
The chapter VI of the bill emphasizes on the rights of the data principal. The rights include:
RIGHT TO CONFIRMATION AND ACCESS:
The data fiduciary has the obligation to answer the data principal regarding the processing of the data and a confirmation whether the data is processed[9].
RIGHT TO CORRECTION:
If the data principal finds the data provided by him to be misleading[10], incomplete[11] or outdated[12], the data principal has the right to ask the data fiduciary to make changes with the data obtained. The fiduciary either has to make the change in regard this or should give the valid reason for turning down the request.
RIGHT TO DATA PORTABILITY:
The data principal has the right to receive the data shared by him from the data fiduciary. He has the power to transfer the data from one data fiduciary to another[13].
RIGHT TO BE FORGOTTEN:
The data principal is conferred with a privilege of preventing the disclosure of his data in his own will. This can be done when the purpose of the data collected is served, when the consent obtained under section 12 is withdrawn or when the data is obtained by unfair methods.
This bill is indeed a mixed blessing, though it gives a lot of privileges, the very same privileges are curtailed by various exceptions.
SENSITIVE PERSONAL DATA:
The reason for the inclusion of passwords under this category still remains a mystery. Passwords are supposed to be private; they are not to be processed by any fiduciary. There is a lot of possibility of identity thefts when a security breach is caused, this would result in an irrevocable loss to the individual.
EXEMPTIONS[14]:
The privileges which we mentioned earlier are contravened in this chapter with respect to certain circumstances.
Few of the common exemptions include:
- The data principal need not be informed about the reasons for the requirement of his data, the method of processing, the categories data obtained etc.
- The consent of the data principal need not be obtained while processing personal data.
- Explicit consent need not be obtained while processing sensitive personal data
- The personal and sensitive personal data of children would be processed.
- The rights of data principal become pointless.
SECTION 48:
The section explains about the manual processing by small entities. Small entities is a data fiduciary which doesn’t have a turnover of more than 20 lakhs, due to this there is a meager possibility of it employing high-end technology to ensure the safety of the data collected. The entity need not worry about the safety of the data collected as it is exempted from it.
The initiative to bring such a bill before the house for approval is to be appreciated. Though the bill isn’t free from errors, with revision and rectification this bill would indeed make a huge impact in the fore-coming years.
[1] Authored By: Ms. Rishitha.K, B.B.A.LL.B, 3rd Year Student at IFIM Law College & Research Writer at Law Audience: Edited By: Mr. Varun Kumar (Founder & CEO & Editor-In-Chief).
[2] S.2, The Personal Data Protection Bill, 2018 (pending).
[3] S.2 (1) (a), The Personal Data Protection Bill, 2018 (pending).
[4] S.2 (2), The Personal Data Protection Bill, 2018 (pending).
[5] S.8 (1) (a), The Personal Data Protection Bill, 2018 (pending).
[6] S.8 (1) (b), The Personal Data Protection Bill, 2018 (pending).
[7] S.10 (3), The Personal Data Protection Bill, 2018 (pending).
[8] S.10 (4), The Personal Data Protection Bill, 2018 (pending).
[9] S.24, The Personal Data Protection Bill, 2018 (pending).
[10] S.25 (1) (a), The Personal Data Protection Bill, 2018 (pending).
[11] S.25 (1) (b), The Personal Data Protection Bill, 2018 (pending).
[12] S.25 (1) (c), The Personal Data Protection Bill, 2018 (pending).
[13] S.26 (1) (b), The Personal Data Protection Bill, 2018 (pending).
[14] Chapter IX, The Personal Data Protection Bill, 2018 (pending).
