TECH
05/12/2019 1:44 PM IST | Updated 05/12/2019 5:18 PM IST

5 Things You Should Know About The Personal Data Protection Bill, 2019

After many delays, the government is finally set to bring forth the Personal Data Protection Bill, and although it’s not made any announcements yet, some reports have part of the information.

SBphotos via Getty Images
The new bill proposes a penalty of up to Rs 15 crores and up to three years imprisonment for company executives violating privacy norms. 

CHANDIGARH, Punjab—The Personal Data Protection Bill, which has not been made public yet, will be introduced in Parliament on priority, after getting the Cabinet nod on Wednesday, reports noted. According to reports, the new bill proposes a penalty of up to Rs 15 crores, and up to three years imprisonment  for company executives violating privacy norms. 

For the latest news and more, follow HuffPost India on TwitterFacebook, and subscribe to our newsletter.

The draft bill, titled as The Personal Data Protection Bill, 2018, was prepared by an expert group headed by former Supreme Court judge B N Srikrishna which has proposed to set up a Data Protection Authority, an independent regulatory body for the effective enforcement and implementation of the law.  

5 key points of the new updated version of the Data Protection Bill

Although the bill has not been made public at this point, it’s known that there will be norms on the collection, storage, and processing of personal data, along with an enforcement model that includes penalties and compensation.

  1. PTI tweeted that the Personal Data Protection Bill proposes penalty of up to Rs 15 cr or 4% of global turnover; and critical data must be stored in India, say sources.
  2. Reports stated that the bill has categorised data into three categories—critical, sensitive and general. Sensitive data—financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation—can be stored only in India. However, data can be processed outside India with explicit consent.
  3. The Times of India reported that the updated version of the Data Protection Bill says that data such as what you order online or tour packages you book can be  taken abroad without asking for your consent, and there is no need for them to keep a copy of the information in India. 
  4. The new bill according to government sources may empower the government and other regulatory authorities to obtain any user’s non-personal data from companies. 
  5. Livemint, quoting government sources, reported that the bill proposes social media platforms must create a mechanism so that for “every user who registers their service from India or uses their service from India, a voluntary verifiable account mechanism has to be made.”

The Internet Freedom Foundation (IFF), a non-governmental organisation that conducts advocacy on digital rights and liberties, has issued a short statement and has urged the government to look at the substance and contents of the Bill rather than just be focussed on the process and act in haste. 

“Due to the large amount of concern and need for further study we recommend reference to the Parliamentary Committee on IT,” tweeted the IFF.

Ramesh Mamgain, Area Vice President, India and SAARC Region, Commvault (a data protection and management company) also said, “The data localization aspect in the bill will need more discussion on the critical and not so critical parts and that discussion will evolve.”

Experts from consulting firm Ernst and Young India also sounded a note of caution about the data protection bill. “The data protection bill is like a double-sided sword, on one hand it protects the personal data of Indians by empowering them with data principal rights and on the other hand it bestows the central government with exemptions which are against principles of processing,” said Jaspreet Singh, Partner — Cyber Security at EY.

“The state can process even sensitive personal data when required, without an explicit consent from the data principals. However, the government will need to show that any processing of personal data is necessary and processing of sensitive personal data is strictly necessary for the exercise of any function of the State authorized by law for the provision of service or benefit. These are broadly-worded carve-outs can be misused and hence need to be carefully examined,” he added.