The draft Personal Data Protection Bill, 2018, recognises privacy as a fundamental right. It has provisions to protect personal data as an essential facet of information privacy. The objective of the Bill is to balance the growth of the digital economy and use of data as a means of communication between persons with a statutory regime that will protect the autonomy of individuals from encroachments by the state and private entities.
The Bill applies to the processing of personal data where such data have been collected, disclosed, shared or otherwise processed within India. It includes the processing of personal data by the state, any Indian company, any Indian citizen, or any person or body of persons incorporated or created under Indian law. The Bill also brings within its ambit the processing of personal data by data fiduciaries or data processors located abroad in connection with business, systematic activity of offering goods or services to data principals, or profiling of data principals within the territory of India.
The proposed law defines personal data as information relating to a natural person. Breach of personal data involves unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data to a data principal. The Bill recognises the possibly transgender status of data principals. The Srikrishna Committee has complied with the Supreme Court’s suggestion that collection, processing and storage of personal data should be limited to the stated purpose, which has to be clear, specific and lawful. An opportunity has to be given to the data principal to withdraw consent.
The Bill mandates that data fiduciaries should retain personal data “only as long as may be reasonably necessary to satisfy the purpose for which it is processed”. A periodic review should be carried out to check whether continued storage of the data is necessary.
The Bill allows processing of personal data for “prompt action” only if it is necessary for any function of Parliament; or any State Legislature to render service or benefit to citizens; or in response to any medical emergency to the data principal; or in cases of epidemic, outbreak of disease, disaster or breakdown of public order.
The Bill includes the ‘right to be forgotten’, which is the right of a data principal to restrict or prevent continuing disclosure of personal data by a data fiduciary.