Steep penalties for violations of data breach
Amid a sharp rise in data breaches, new legislation proposed today would require the explicit consent of individuals before sensitive personal information like religious or political beliefs, sexual orientation, and biometric information is processed.
The draft Personal Data Protection Bill, 2018, which is based on the recommendations of the government-constituted high-level panel set up in 2017 and headed by Justice B N Srikrishna, restricts and imposes conditions on the cross-border transfer of personal data and suggests setting up a Data Protection Authority of India to prevent any misuse of personal information.
The draft legislation, which would go to Parliament after stakeholder consultation, provides for a penalty of Rs 15 crore or 4 percent of the total worldwide turnover of any data collection entity, including the state, for violation of personal data processing provisions.
Failure to take prompt action on a data security breach can attract up to Rs 5 crore or 2 percent of turnover, whichever is higher, as a penalty. Once passed by Parliament, the framework will override all legislation dealing with data privacy and collection, including Aadhaar.
'Sensitive personal data' comprises passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political belief or affiliation. These can be handled only with the explicit consent of an individual.
"The draft does not give users ownership of their data and deprives them of control that they need to be able to delete data from collectors like Facebook and Google. Also, there is no restriction on mass surveillance by the government," Nikhil Pahwa, a digital rights activist, said.
He further said it is not feasible to expect every website or app to mirror the data in India and added that doing so will be a "direct attack" on the global nature of the internet.
NASSCOM-DSCI said while the Bill builds on the Supreme Court judgment advocating privacy as a fundamental right, mandating localization of all personal data is "likely to become a trade barrier in the key markets".
"Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets," it said in a statement.
Besides setting up a Data Protection Authority of India aimed at preventing misuse of personal data, ensuring compliance and promoting awareness of data protection, the draft also provides for setting up an Appellate Tribunal.
Compensation has to be given to any person who has been wronged, the draft has suggested.
It has emphasized that it is necessary to create a collective culture that "fosters a free and fair digital economy", respecting the informational privacy of individuals, and ensuring empowerment, progress, and innovation.
The Bill in the works aims to "protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data are appropriate, to create a relationship of trust between persons and entities processing their personal data."
The areas covered included consent, what comprises personal data including sensitive personal data, exemptions which can be granted, grounds for processing data, storage restrictions for personal data, individual rights and the right to be forgotten.
"It is a monumental law and we would like to have the widest parliamentary consultation... We want Indian data protection law to become a model globally, blending security, privacy, safety, and innovation," IT Minister Ravi Shankar Prasad said at a conference.
He added that the report will go through the process of inter-ministerial consultations and Cabinet as well as parliamentary approval.
Justice Srikrishna said privacy has become "a burning issue" and therefore, every effort has to be made to protect data at any cost.
(This story has not been edited by Devdiscourse staff and is auto-generated from a syndicated feed.)