The Personal Data Protection Bill was introduced in the Lok Sabha in December last year and mandates setting up of a data protection authority
The bill mandates penalties for violations of norms and incidents of data theft
Clause 35 of the bill exempts government agencies from the application of the bill on grounds of national security
The joint Parliamentary committee (JPC) currently examining the Personal Data Protection Bill, 2019, (PDP) has called US tech giant Facebook to give its deposition on the matter in its second meeting on August 10.
Representatives from the Associated Chambers of Commerce and Industry of India (ASSOCHAM), Dr APJ Abdul Kalam Centre and L&L Partners-Law Office have also been invited for the meeting.
The PDP Bill was introduced in the Lok Sabha in December last year by IT Minister Ravi Shankar Prasad. The bill sets rules for how personal data should be stored, while also talking about people’s rights with respect to their personal information. The bill proposes to create a data protection authority (DPA) to monitor violations of norms and keep an eye on incidents of data theft, privacy breaches, among others.
The bill also mandates various penalties for violations of norms and incidents of data theft and illegal processing. For violation of certain proposed norms, the bill mandates a penalty of INR 5 Cr or 2% of global turnover, whichever is higher, while for data leakage or illegal processing, it stipulates the highest penalty of INR 15 Cr or 4% of the turnover. Almost all companies in India across all sectors dealing with customer data would have to comply with the provisions of the bill. Foreign companies operating in India and handling data of Indian users would also have to comply. The only exception for the bill will be “small entities” (businesses like small retailers that collect information manually and meet other conditions to be specified by the DPA).
The Internet Freedom Foundation (IFF), an Indian digital liberties organisation, has previously expressed concern about the bill’s ‘reasonable purposes’ exemption under clause 14 of the bill, which allows publicly available personal data of users to be accessed for reasonable purposes. “We think that this is a backdoor towards profiling and allows collation of demographic/individual sentiments on issues. We also think this would allow the government (and other powerful data fiduciaries) to aggregate social networking activities without the need for individual consent. The right to privacy is applicable in public spaces. Therefore, we proposed that this provision be removed from the reasonable purposes exception since it is an excessive encroachment on people’s privacy in public spaces,” IFF’s submission on the bill reads.
Government agencies have also been exempted from the application of the provisions of the bill under clause 35 of the PDP bill, which provides the government access to personal data for reasons related to national security, integrity and sovereignty, public order, friendly relations with foreign states, and for preventing any cognisable offence relating to above.
The clause in the bill has been flagged by opposition members and domain experts for expanding the scope of exemptions while diluting important safeguards. According to a special report by policy think-tank Observer Research Foundation (ORF), “blanket exemptions and lack of executive or judicial safeguards will fail to meet the standards laid out by the Supreme Court in the KS Puttaswamy vs. Union of India case, where it ruled that measures restricting the right to privacy must be backed by law, serve a legitimate aim, be proportionate to the objective of the law, and have procedural safeguards against abuse. Vague grounds that trigger exemptions, absence of procedure in granting exemptions and the lack of independent oversight are major concerns.”-INC42