New Delhi: The much-talked-about legislation to protect personal data will allow processing of private data without the explicit consent of the owner of the information for credit scores, debt recovery, security, operation of search engines and whistleblowing.
The draft Personal Data Protection Bill, 2019, which is likely to be introduced in the Lok Sabha in the next couple of days, bars storing and processing of personal data by entities without the explicit consent of an individual.
It, however, provides for exemptions for "reasonable purposes" such as "prevention and detection of any unlawful activity including fraud, whistleblowing, merger and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data, and the operation of search engines."
The legislation provides for stringent ground rules for the processing of personal and sensitive information of children while mandating the processing of 'critical' personal data only in India.
But data concerning health services and for complying with any law or court orders can be processed without the consent of the owner, the draft bill said.
It also gives power to the government to decide from time to time on the exemption list.
The draft bill, cleared by the Cabinet last week, aims to create a "strong and robust data protection framework for India" as it fixes the obligations of the data fiduciary (that is, the entity collecting and processing data) and places a restriction on the transfer of personal data outside India.
Interestingly, the draft bill empowers the Centre to exempt any government agency from the application of the proposed legislation.
The draft bill also states that the central government can frame a policy for the digital economy with respect to non-personal data. In particular, it can direct any data processor to "provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government".
The draft data protection bill also entails setting up an authority for protecting personal data and prescribes stiff penalties for violation of various provisions.
For instance, violations in case of processing of personal data of children will involve a fine of up to Rs 15 crore or 4 per cent of the global turnover, while a 'significant data fiduciary' will have to pay up to Rs 5 crore or 2 per cent of global turnover for contraventions pertaining to data audits.
It said that sensitive personal data -- like financial data, health data, sexual orientation, biometric or genetic data, transgender status, religious or political belief/affiliation -- can be transferred outside India with explicit consent, but will continue to be stored in India. What constitutes critical data will be notified by the Centre.
On the personal data of children, the draft legislation proposes that data fiduciaries will have to verify their age and obtain the consent of a parent or guardian before any processing takes place.
Further, social media entities with a user base above a certain threshold and whose "actions have, or are likely to have a significant impact on electoral democracy, the security of the State, public order or the sovereignty and integrity of India," will be notified as 'significant data fiduciary'.
The draft bill gives power to the Centre "to exempt any agency of Government from the application of Act" in the interest of the integrity and security of the country, foreign relations and public order.
The bill provides for a penalty of up to Rs 15 crore or 4 per cent of global turnover for companies found violating norms under the Personal Data Protection Bill, while in case of certain minor violations, it proposes a penalty of Rs 5 crore or 2 per cent of the global turnover.