Cabinet clears Personal Data Protection Bill, penalty for privacy violations
New Delhi, Dec 04: The government on Wednesday approved the Personal Data Protection Bill which proposes a penalty of up to Rs 15 crore and up to three-year jail term for company executives for violating privacy norms.
The bill also mandates storage of critical data of individuals by internet companies within the country while sensitive data can be transferred overseas only after explicit consent of the data owner, a source said.
Information and Broadcasting Minister Prakash Javadekar said the bill has been approved by the Cabinet and will be introduced in Parliament during the current Winter Session.
The bill has been drafted following a Supreme Court judgement in August 2017 that declared 'Right to Privacy' a fundamental right.
The need for a strong personal data protection regime was further highlighted by the apex court in its judgement in September 2018 in which it held Aadhaar as a constitutionally valid scheme but struck down some provisions in the Aadhaar Act.
Giving details about the provisions of the bill, the source said that all internet companies will have to mandatorily store critical data of individuals within the country.
However, they can transfer sensitive data overseas after explicit consent of the data owner to process it only for purposes permissible under the proposed legislation. Critical data will be defined by the government from time to time. Data related to health, religious or political orientation, biometrics, genetic, sexual orientation, health, financial etc have been identified as sensitive data.
"A penalty of up to Rs 15 crore or 4 per cent of an entity's global revenue will be imposed on the entity found guilty of a major violation under the Bill," the source said.
For minor violations, the bill proposes a penalty of Rs 5 crore or 2 per cent of the global turnover. It also has the provision of jail term for officers of the entity that is found breaching provisions under the bill.
A company's executive in-charge of conduct of the data business would face a jail term of up to three years if found guilty of knowingly matching anonymous data with publicly available information to find out the identity of an individual -- called as 're-identify de-identified data' in technical parlance, the source said.
Social media companies will be required to come up with a mechanism to identify users on their platform who are willing to be identified on a voluntary basis.
"Under the provision, a social media fiduciary will have to give users on its platform an option to get verified. It will be voluntary for individuals if they want to get verified or not," the source said. The bill has provisions to grant the right to be forgotten to data owners as well as right to erase, correct and porting of data.
"The Bill will encourage entities to start processing data in India and with a high level of data consumption, the country is expected to become one of the world's biggest centre of data refinery. The Bill allows processing of data for lawful purpose only," the source said.
The Bill exempts processing of personal data in case of national security issues, court order etc. "Any data which can identify an individual has been defined as personal data.
While all entities will need to obtain the explicit consent of the data owner, in some cases like the security of the state, providing relief in case of a medical emergency, detection of unlawful activity, whistleblowing etc an explicit consent may not be required," the source said.
The Bill mandates entities in the business of data processing to register with the government as data fiduciary for the purpose of data processing.
"The government will have the right to direct data fiduciary to share anonymised or non-personal data for better targeting of service, policymaking, relief work, etc," the source said.