Some of the terms used in the Personal Data Protection Bill, 2019 include:
- Data Principal: the individual whose data is being processed
- Data Fiduciary: the service provider that collects, stores and uses data in the course of providing goods and services
The key changes from the 2018 Bill include:
- Sensitive personal data definition extended
- Right to erasure of personal data introduced
- Concept of ‘consent managers’ introduced to manage ongoing consent of users regarding their data
- Data Principals given right to access the identities of any data fiduciary using their data
- Compulsory Privacy by Design policy
- Central Government can access anonymized personal data from data fiduciaries
- No need to store mirror copy of data
- Central Government can exempt any fiduciary from the Bill
- ‘Social Media Intermediaries’ along with their obligations defined
- Data fiduciaries no longer required to demonstrate adherence to the bill
- Data protection officers to be located in India
- Definition of personal and sensitive personal data (Sec 3(28) and (36))
The Bill has expanded the definition of personal data to include inferred data: “…and shall include any inference drawn from such data for the purpose of profiling.”
It has also removed ‘passwords’ from the purview of sensitive personal data.
- The Right to Erasure (Sec 18)
The previous Srikrishna Bill of 2018 did not contain a right to erasure, even under the right to be forgotten (Sec 27), whereas the Personal Data Protection (PDP) Bill of 2019 provides a right to erasure, including erasure of personal data that is no longer required for the purpose of processing. The data principal may request the data fiduciary to erase such data.
- Transparency in Data Sharing and the concept of consent managers (Sec 17, 21 and 23)
Section 17(3) gives rights to data principals to access, in one place, the identities of data fiduciaries with whom their personal data has been shared by any other data fiduciary. This allows data principals to review the entities with whom their personal data has been shared by one particular data fiduciary.
The PDP Bill 2019 also introduces the concept of ‘consent managers’ (Sec 21(1) and 23), which was not present earlier. A consent manager is a data fiduciary that enables a data principal to give, withdraw, review and manage their consent through an accessible, transparent and interoperable platform. These consent management platforms are to be registered with the Data Protection Authority (DPA).
- Privacy by Design Policy (Sec 22)
The Bill introduces the concept of a privacy by design policy: every data fiduciary is required to prepare such a policy, have it certified by the DPA, and publish it.
- Central Government can direct Data Fiduciaries to share anonymized personal data or non-personal data (Sec 91)
This section enables the Central Government to direct any fiduciary/processor to provide any anonymized personal or non-personal data to “…enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.”
- Dilution of Data Localisation Requirements (Sec 33 and 34)
The Bill has removed the mandatory requirement to store a mirror copy of all personal data in India. Sensitive personal data (SPD) may be transferred outside India on the basis of explicit consent, and the Central Government or the DPA may allow the transfer of SPD for specific purposes.
- Central Government can exempt any Government Agency from the Bill (Sec 35)
Sec 35 enhances the surveillance powers of the government: it gives the Central Government the power to exempt any government agency from the purview of the Bill and does not list the principles of necessity and proportionality as determinants of access. Thus, the Government can collect and process any category of personal data as per its requirements.
- Social Media Intermediaries and voluntary verification of accounts (Sec 26 and 28)
The Bill defines social media intermediaries (SMIs) as intermediaries that primarily enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using their services. It excludes entities such as e-commerce platforms, TSPs/ISPs, search engines, cloud service providers, online encyclopedias and email services from the definition of SMIs. A further qualification for an entity to be an SMI is the likelihood or actual impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.
SMIs have the obligations applicable to all significant data fiduciaries: data protection impact assessments, maintenance of records, audit of policies, appointment of a data protection officer, and providing users with an option for voluntary verification of their accounts.