2020 is expected to be a historic year for privacy activists in India, all set to pass the Personal Data Protection Bill 2019 (PDPB 2019) into a law.
PDPA 2020 attempts to protect the privacy rights of Indian citizens through regulation of the “personal data” which is “information about an individual in electronic form containing the identity of an individual.”
Since privacy protection is sought to be achieved by providing the Right to Choose what part of one’s personal information may be shared with the society, legislation regulates Personal Data is considered relevant for privacy protection. However, privacy protection is not an absolute right and is subject to reasonable restrictions as laid down in the Constitution and reiterated by the Supreme Court. It has to be, therefore, balanced with the needs of national security.
DATA, A VALUABLE ASSET…
Data is a valuable asset of the commercial world and a huge industry runs on the use of data with personal data as its raw material. So law cannot ignore the requirements of the industry to make reasonable use of personal data for commercial purposes.
Therefore, in drafting the law of privacy protection for the citizens there is recognition that business, as well as the government, are genuine stakeholders and tries to balance the requirements.
As a result, the legislation prescribes stringent norms for compliance by any data processor who collects personal data from an individual along with a heavy penalty for noncompliance.
Unlike the Information Technology Act 2000 (ITA 2000), which also protects wrongful use of personal data, PDPA can be invoked even if no data breach has occurred. Mere noncompliance of the provisions of the law is adequate to impose a fine up to a maximum of 4 per cent of the global turnover of an organisation to which this law is applicable.
Additionally, it should be noted that this legislation applies not only to private companies but also to government agencies and, except small entities, every other entity that collects, stores, processes, or transmits personal data.
REQUIRES CONSENT OF DATA PROVIDER
The law prescribes that the processing shall be done for a lawful purpose under a valid and well-informed consent from the data provider. At the same time, the data receiver shall collect only such information as is required for a given purpose and retain it only as long as necessary in a secure manner. The law also provides the individuals certain rights, such as the right to know if the data is being processed and, right to demand that the personal data with an entity be returned to him/her, and the right to demand that his/her data shall be completely erased.
Indian Law is unique in several respects over comparable global laws such as the GDPR since it imposes a fiduciary responsibility on the entity that collects and uses the personal data.
Given the complexities of such legislation, it is natural that there are criticisms that the government may have retained more powers than necessary under the excuse of national security and the law is more stringent than necessary when it comes to restricting the operations of the data processing industry. These are controversies that are part of the challenge of balancing the rights of different stakeholders and need to be addressed more in the way the law would be implemented in the coming days by the Data Protection Authority.
For the time being, privacy right is being protected by this law and a significant effort has been made by the government in drafting a law that is as balanced as it can be. Instead of blocking the law for speculative reasons it is necessary to ensure that the law is passed smoothly, Indian citizens can feel proud that we are on par with the citizens of other countries as regards the protection of privacy as a democratic right.