The Personal Data Protection Bill, 2018

Shantanu SoodFounder, Quest IP Attorneys

Data is the new gold. The Government of India recently introduced the Personal Data Protection Bill, 2018 (Bill) in Parliament for scrutiny by the relevant Parliamentary Committee for review. This Bill spells out a framework for date protection and lays down the limits on how personal data is going to be used, collected, and processed. A Data Protection Regulator is to be set up. With an increasingly digital economy, the Bill aims to create accountability and prevent data misuse in light of the Right to Privacy, which is recognized as a fundamental right in India.

Some of the key features of the Bill include:

  • It regulates the processing of personal data of individuals (data principals) by both Government as well as private entities (data fiduciaries) in India and broad.
  • The individual (data principals) must provide explicit consent to process personal data.
  • Private entities (Data Fiduciary) must notify individuals (data principals) on nature and purpose of data processing.
  • It allows certain information to be exempted from regulation for ‘reasonable purposes’ such as national security, unlawful activity, whistleblowing, health services, journalistic purposes, legal proceedings, etc. The Government retains the power to review and change the list of exemptions from time to time. The Government may also exempt any governmental agency from compliance.
  • It mandates that personal data must be stored within the territory of India. Categories of personal data that are notified as critical personal data by the Government can be processed only within the territory of India. Passwords, financial data, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious belief and political belief are considered sensitive personal data.
  • It provides for the establishment of a national level Data Protection Authority (DPA) to supervise and regulate data fiduciaries (private entities).
  • It also provides provisions for compensation and stiff penalties for data breach.

Although the Bill aims to set up a culture of privacy and non-interference on data in the age of information technology, it also raises concerns on the extent of governmental control over certain kinds of data as well as the vagueness of the exemptions detailed. The Bill is expected to be examined soon by a Parliamentary Committee.

The full bill can be accessed here:
https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf