After a year of deliberations with think tanks, the Justice Srikrishna Committee submitted the much-awaited report on Data Protection and the draft Personal Data Protection Bill 2018 to the Ministry of Electronics and Information Technology (MEITY) last week.
The aim of the law is to ensure a free and fair digital Indian economy and it is seen as an important pillar in setting up a framework which gives the Indian citizens full freedom to protect their data. The development came at a time when citizens are reeling under a direct threat to their assets and it is believed that the protection of personal data holds the key to empowerment, progress, and innovation.
The draft follows the implementation of the General Data Protection Regulation (GDPR) in Europe. It is said to have taken cues from the already present legal frameworks in different countries and will surely put the country on the world map. The draft submitted essentially notes that “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.” The bill says that it is necessary to create trust between the individuals who provide their data and those who process it.
The bill asks the stakeholders to be more responsible and “protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data…” The bill also specifies the rights of individuals whose personal data is processed so that they can keep a check on what data has been used by the data fiduciary. The bill goes on to ask for a framework to implement organisational and technical measures in processing personal data which will essentially bind the data processors to access, analyse as well as use the personal data of an individual.
The norms for cross-border transfer of personal data will make the data secure not only in India but also on foreign land. It also advocates that if the entities processing the personal data flout any norms, they should be held accountable. During the process, the bill mandates the provision of remedies for unauthorised and harmful processing. On the right to be forgotten, however, the bill says that the individual, who is providing his or her data, has a “right to restrict or prevent continuing disclosure.” The bill notes that “the data fiduciary (the entities that are processing data) may charge a reasonable fee to be paid for complying with requests.” According to the bill, the law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
However, with respect to processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India. Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
What comes under sensitive personal data and new definitions

Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. Consent will be a lawful basis for processing of personal data and for consent to be valid, it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.
A data principal below the age of eighteen years will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind. Further, data fiduciaries capable of causing significant harm to children will be identified as guardian data fiduciaries. All data fiduciaries (including guardian data fiduciaries) are told to adopt appropriate age verification mechanisms and obtain parental consent.