The Union cabinet on Wednesday gave its approval to the Personal Data Protection Bill that seeks to lay down a legal framework to preserve the sanctity of “consent” in data sharing and penalize those breaching privacy norms.
In a first, the bill proposes that social media platforms create a mechanism so that for “every user who registers their service from India or uses their service from India, a voluntary verifiable account mechanism has to be made”, said a senior government official.
The provision puts the onus of creating the mechanism on the company. The provision is largely aimed at checking social media trolling.
The bill categorizes data into three categories—critical, sensitive and general. Sensitive data—financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation—can be stored only in India. However, data can be processed outside India with explicit consent, the official cited above said.
Critical data will be defined by the government from time to time and has to be stored and processed in India. Any data that is non-critical and non-sensitive will be categorized as general data with no restriction on where it is stored or processed.
In line with the European Union’s General Data Protection Regulation (GDPR), the government last year introduced a draft personal data protection bill to regulate the use of an individual’s data by the government and private companies. Currently, there are no laws on the use of personal data and preventing its misuse, although the Supreme Court upheld the right to privacy as a fundamental right back in 2017.
The Personal Data Protection Bill, 2018, was prepared by a high-level expert group headed by former Supreme Court judge B.N. Srikrishna. However, interministerial consultations delayed its approval.
In September 2018, the apex court affirmed Aadhaar’s constitutionality, saying the linking of the biometric-based identification card with PAN only involved minimal information to fulfil the larger public interest of the poor, who can use it to obtain benefits and subsidies.
The judgement was a key step in firming up rules and regulations for data protection and privacy norms.
The bill will be introduced in Parliament soon and companies will be given some time for compliance once it becomes law.
The official said the government is entitled to direct a fiduciary—any person or entity that processes data—to get access to non-personal data to provide better services to citizens. For instance, the government can use non-personal or anonymous data for research or any other purpose.
“No personal data can be processed except for specific clear and lawful purpose,” said the official.
However, in the interest of national security, certain agencies can have access to personal data for any investigation pertaining to offences. “Technological evidence is the best evidence. Investigation of crime is public purpose; hence, under the garb of data protection, one cannot cage the rights of an investigating agency,” the official said.