Draft bill: Processing of sensitive personal data needs 'explicit consent'
Recognising privacy as a fundamental right, a draft personal data protection bill today proposed "explicit consent" for processing 'sensitive personal information' like religious or political belief, sexual orientation and biometric information.
Recognising privacy as a fundamental right, a draft personal data protection bill today proposed "explicit consent" for processing 'sensitive personal information' like religious or political belief, sexual orientation, and biometric information.
It also provided for the right to be forgotten and prescribed steep penalties for violations.
The draft of Personal Data Protection Bill, 2018 -- which is based on the recommendations of the government-constituted high-level panel headed by Justice B N Srikrishna -- restricts and imposes conditions on the cross-border transfer of personal data, and suggests setting up of Data Protection Authority of India to prevent any misuse of personal information.
The panel submitted its report on data protection as also the draft of the bill to the government today.
The draft provides for a penalty of Rs 15 crore or 4 percent of the total worldwide turnover of any data collection entity, including the state, for violation of personal data processing provisions.
Failure to take prompt action on a data security breach can attract up to Rs 5 crore or 2 percent of turnover, whichever is higher, as a penalty.
"The Bill provides that right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy," the draft said.
It allowed processing of personal data only for the purpose it is collected or for compliance of any law, employment and for any function of Parliament or any state legislature.
'Sensitive personal data' comprises passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political belief or affiliation.
According to the draft, personal data means "data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information."
"Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing," it said, adding that processing of sensitive personal data should be on the basis of explicit consent.
It provides for the processing of personal data only for purposes that are clear, specific and lawful. Collection of personal data has been limited to such data that is necessary for the purposes of processing.
Data fiduciary, which includes the state, has to give the individual information of the purpose for which the personal data is to be processed.
It will retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. It provides for the right to be forgotten after the particular purpose has been served.
The draft restricts cross-border transfer of personal data and gives exemption on use of personal data for national security, crime investigation, legal proceedings and certain journalistic purpose.
Besides the Data Protection Authority of India to prevent any misuse of personal data, ensure compliance and promote awareness of data protection, it also provides for setting up of an Appellate Tribunal.
Compensation has to be given to any person whose has been wronged, it has suggested.
The draft bill makes obtaining, transferring or selling of personal data in contravention as an offence.
It has stated that it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation.
The Bill in the works aims to "protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data."
The high-level panel set up in 2017 to craft the data protection framework today submitted its report to the government, suggesting steps for safeguarding personal information, defining obligations of data processors as also rights of individuals.
Headed by Justice B N Srikrishna, the panel handed the report to IT Minister Ravi Shankar Prasad, wrapping up nearly one year of deliberations.
The areas covered included consent, what comprises personal data including sensitive personal data, exemptions which can be granted, grounds for processing data, storage restrictions for personal data, individual rights and right to be forgotten.
"It is a monumental law and we would be like to have a widest parliamentary consultation... We want Indian data protection law to become a model globally, blending security, privacy, safety, and innovation," Prasad said at a conference.
He added that the report will go through the process of inter-ministerial consultations and Cabinet as well as parliamentary approval.
Justice Srikrishna said privacy has become "a burning issue" and therefore, every effort has to be made to protect data at any cost.
(This story has not been edited by Devdiscourse staff and is auto-generated from a syndicated feed.)