The Personal Data Protection Bill, 2019 was announced in the Lok Sabha in December 2019. The Bill aims to provide for the protection of individuals’ personal data and establishes a Data Protection Authority for that purpose. The Bill governs the processing of personal data by the Indian Government, companies in India and, in particular, overseas companies dealing with the personal data of entities and individuals in India.
What is to be secured:
Personal data is information about an individual’s qualities, traits, or attributes of identification that can be used to classify them.
All sensitive data is personal data, but not all personal data is sensitive. Sensitive personal data comprises financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
Who will have to comply?
As a result of this bill, most Indian businesses will have to meet hefty compliance requirements for data protection. Small businesses, such as merchants, will be the only exception, as long as they gather data manually and meet other standards set by the Data Protection Authority.
Major aspects of the bill:
- After the bill comes into effect, businesses would be required to inform customers about their data collection procedures and seek their consent. They would have to gather and maintain proof that such notification was made and that approval was granted.
- As per the bill, customers have the right to withdraw their consent. Businesses will have to give customers the rights to access, modify, remove or transfer their data.
- The bill mandates that all businesses adopt organizational changes compliant with the bill to better protect data.
- The PDP bill demands that all ‘sensitive personal data’ be stored in India and that ‘critical personal data’ not be moved out of India. The aim is to maintain and store sensitive data locally within India.
- A group of data fiduciaries (those responsible for ensuring that data is stored fairly and responsibly) will be incorporated to carry out data audits and other data-securing procedures.
- Finally, the bill contains provisions concerning non-personal data. The bill allows the government to require any corporation to disclose important non-personal data.
- The bill grants the DPA the authority to punish any company that does not follow the requirements and regulations of the bill, the DPA or the government.
- The maximum penalty that can be levied is 150 million rupees in India or 4 percent of the firm’s global turnover in the previous financial year.