The Indian government’s endeavour to regulate the collection and use of personal data dates back to 2012, when the A.P. Shah-led committee released its report on privacy[1]. Seven years later, the much-awaited Personal Data Protection Bill, 2019 (“2019 Bill”)[2] was introduced by the Ministry of Electronics and Information Technology in the seventeenth Lok Sabha on 11 December 2019[3]. If passed, this bill will govern how personal data is handled by entities that collect and process it as part of their business operations.
The 2019 Bill retains much of the draft bill proposed by the Justice Srikrishna Committee[4] (“2018 Bill”)[5]. However, the 2019 Bill introduces new concepts and deviates from the 2018 Bill in certain respects. The key differences include:
1. The data localisation requirements for personal data have been relaxed to an extent. However, storage/transfer of sensitive personal data and critical personal data is still restricted.
2. The 2019 Bill introduces the concept of a ‘consent manager’ through whom data principals can manage consent for exercising rights such as data portability, right to correction and right to be forgotten under the 2019 Bill.
3. Unlike the 2018 Bill, the DPA cannot specify new categories of sensitive personal data under the 2019 Bill. This power has been given to the central government.
4. The 2019 Bill gives the central government powers to direct any data fiduciary/data processor to provide non-personal data to the government to ‘enable better targeting of delivery of services or formulation of evidence-based policies’. This was not envisaged by the 2018 Bill.
5. Under the 2019 Bill, the central government can exempt any government agency from the application of the provisions of the bill on widely worded grounds, subject only to such procedure, safeguards and oversight mechanism as may be prescribed. This is a significant dilution of the 2018 Bill, where the central government could be exempted from limited provisions of the bill, and only on limited grounds and subject to (a) procedure established by law, (b) necessity, and (c) proportionality.
6. Under the 2019 Bill, the central government may notify certain social media intermediaries as ‘significant data fiduciaries’, who will have to comply with additional obligations under the 2019 Bill and will be required to give their users the option to voluntarily verify their accounts in the prescribed manner.
7. Under the 2018 Bill, the Data Protection Authority (“DPA”) consisted of a chairperson and six whole-time members, while under the 2019 Bill the DPA may consist of fewer than six members. Further, the selection committee under the 2019 Bill does not include a judicial member, as opposed to the 2018 Bill, where it consisted of the Chief Justice of India (“CJI”) or a Supreme Court judge nominated by him and an expert.
Non-compliance with the proposed act entails significant penalties which could go up to four percent of total worldwide turnover of an entity.
To help develop a more granular understanding of the differences between the 2018 Bill and the 2019 Bill, we have undertaken a clause-by-clause comparison of the two bills, available here.
An overview of practical concerns with the Bill is available here; and a compliance checklist can be found here.
This blog is by the Data governance team at Ikigai Law.
References –
[1] The text of the report of the A.P. Shah led group of experts on privacy is available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.
[2] The text of the 2019 Bill is available at http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.
[3] The house and date of introduction of the 2019 Bill may be found at http://164.100.47.194/Loksabha/Legislation/NewAdvsearch.aspx.
[4] These recommendations may be found at https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.
[5] The text of the 2018 Bill is available at https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf.