हिंदी समाचार पढ़े
Expand
O.P. Jindal Global University
 
Home / Corporate Law News / European Union flags concerns on certain provisions of Data Protection Bill, Read Bill Text

European Union flags concerns on certain provisions of Data Protection Bill, Read Bill Text

November 21, 2018:

The Union also asserted that the proposed Data Protection Authority (DPA) needs to be allowed to function independently & impartially.

Draft Personal Data Protection Bill, 2018
Draft Personal Data Protection Bill, 2018

The European Union has expressed concerns over data localisation stipulations certain other provisions of India’s draft Personal Data Protection Bill, 2018.

The union also asserted that the proposed Data Protection Authority (DPA) needs to be allowed to function independently & impartially.

In its submission to the Indian IT Ministry, the delegation of the European Union to India & Bhutan said the law, if adopted, will contribute to facilitating data flows between the EU & India, & could open the way for a possible adequacy dialogue between the two sides.

However, it also made certain observations across various aspects of the Bill that was drafted by the committee led by Justice BN Srikrishna to develop a framework on data protection norms in India.

“In general, the draft law in a number of places leaves discretion to decide key matters in the hands of the Central Government or the DPA rather than dealing with them in the draft itself. This could create some uncertainties which could perhaps be avoided by providing further clarifications,” it noted.

The submission pointed out that having a data protection authority is important for both — citizens & businesses.

It emphasised that to effectively play its role, it is essential that the authority “acts with complete independence & impartiality in performing its duties & exercising its powers, free from any external influence”.
Source Link

Key Features

The Data Protection Bill identifies three parties who are the stakeholders in data protection. Firstly, Data Principal is the person whose data is being collected.

Secondly, Data Fiduciary is the one who determines how & why the data shall be collected.

Thirdly, Data Processor is the one which processes the data.

These roles are akin to those of Data Subject, Data Controller & Data Processor as given under GDPR. Inter alia, the Bill casts the following key obligations:

Ø Obtain consent of the data principal before collecting or processing data

Ø Provide access to the data principal of the data collected

Ø If the data breach is likely to harm the data principal, then the data fiduciary is required to notify such breach to the authorities.

Ø Conduct data impact assessment

Ø Locally store copy of data if data is being shared across borders.

Ø To obtain explicit consent where the data concerned is sensitive personal data

Ø Appoint a data protection officer

Ø Conduct a fair & reasonable processing of personal data only for the clear & specific purpose for which the data is collected.

Ø The right to be forgotten has been introduced by the Bill. However, the Bill does not talk about deleting the data once the purpose is fulfilled, however the data principal may ask the fiduciary to restrict its usage once the purpose of the data is fulfilled.

Ø To prevent any kind of misuse or allow any unauthorised access to personal data.

Personal Data Protection Bill, 2018 (Downloadable PDF)

Analysis of the Personal Data Protection Bill, 2018

Prima facie, there are the following loopholes extant in the Bill:

Ø Localisation of Data

The Data Protection Bill while outlining the provision for transfer of personal data outside India has provided for localisation of such data. Localisation of data embodies two elements:

· Firstly, it mandates that at least one copy of the personal data so collected shall be saved on the local servers within the country.

· Secondly, it calls for classification of data into critical data. This critical data is permitted to be processed only in India & no transfer outside India of such data is permissible.

On the face of it, this provision appears to provide a stringent protection mechanism. However, in reality, the setting up of a local server to store a copy of the personal data so collected locally, would prove to be too expensive for companies. This step would prove detrimental for companies, especially start-ups, as any data shared across borders would be required to be stored locally.

Moreover, the second element of localisation which mandates that critical data be processed only in India is at best a vague provision. No definition of what constitutes critical data or what might constitute critical data is provided for in the Bill.

In the absence of any explicit definition or indicators, how are companies supposed to identify this critical data. To add to this confusion, the term sensitive data is used under section 40 in addition to critical data. This clearly leads to the conclusion that the two are different. Hence, the portion of the Bill pertaining to cross border sharing of personal data is vague, ambiguous & confusing.

Ø Difference between consent & explicit consent

The Data Protection Bill has given utmost importance to the principle of consent. It reiterates time & again that the consent so given should be free, informed & specific. However, it distinguishes between the degree of consent required for personal data & that required for sensitive personal data. It states that the consent required for the collection & processing of sensitive personal data should be explicit.

The definition of explicit consent again is not very clearly laid out. It touches upon the same elements which are included in the definition of consent. Moreover, sensitive personal data is a species of the broad genre of personal data & hence, the degree of consent required should not vary.

Ø Exceptions under the Data Protection Bill

Unlike its counterpart, the Data Protection Bill has carved out several exceptions to the obligations outlined under it. Various exceptions have been carved out for the State. Chapter IX of the Bill lays down a number of exceptions to the therein mentioned obligations.

Moreover, section 17 of the Data Protection Bill lays down a number of purposes classified as `reasonable purposes for which data processing may be undertaken. So many escape routes & exemptions, make the data protection bill a weak law.

Ø Data Breach Notification

Under the GDPR, the data controller is required to notify the authorities within a stipulated time period of data breach occurs. However, under the Indian data protection Bill, the data breach notification is required only when the data fiduciary thinks that the breach is likely to harm the data principal. Leaving such discretion in the hands of the data fiduciary is erroneous. Such provision has the effect of translating data breach notification into a hollow requirement devoid of any real consequences.

Conclusion

The Data Protection Bill despite being a shoddily drafted piece of legislation, at least shows the commitment of the government towards introducing data privacy in the country. It is heavily based after the EU GDPR Regulations. However, despite its shortcomings, as discussed above, it also has certain merits which should not be overlooked. It has introduced steep penalties for violation, hence, making data protection a priority in companies collecting such data’s list. It has laid down a framework which for data protection in the country.

The principles of `no means no’ & free & informed consent go a long way in establishing the supremacy of the data principal. Similarly the obligations introduced for data protection in cross-border sharing of personal data also show the commitment towards data privacy. With a little tweaking & amendments, the data protection Bill has the potential of becoming a phenomenal piece of legislation. Its drafting & implementation, if done properly, can help perpetuate efficient data protection standards in India.

However, in order to remain compliant with the Bill in its current form, the following practices may be adopted:

Ø Collect/process data only after obtaining consent from the data principal. If the data being collected is sensitive data then explicit consent needs to be collected.

Ø The data so collected should only be used for the purpose for which it is collected.

Ø The purpose of data collection should be lawful & in accordance with the Bill.

Ø Draft & maintain a Data Privacy policy in consonance with the Bill.

Ø Provide access to data principal of the personal data collected by them.

Personal Data Protection Bill, 2018: Right in Direction, Less in Efficacy By: Bhumesh Verma

Personal Data Protection Bill, 2018 by Latest Laws Team on Scribd

Facebook Comments

Hindu

Auto Driver thrashed for no fault Auto Driver thrashed for no fault,                  source oneindia [caption id="attachment_97467" align="alignleft" width="621"]Humour with Latest Laws Humour with Latest Laws[/caption] America First Walk Your own Talk

Hindu

TOI [caption id="attachment_97462" align="alignleft" width="524"]Painting India Saffron Painting India Saffron[/caption] Time to straighten up Time to straighten up                pic by TOI

TOI

Belts are for Dogs Belts are for Dogs ALL_1_Theme_01A_24_2383617g

Hindu

Four Pillars of Democracy Four Pillars of Democracy             by Satish TOI Demonitisation Diaries Demonitisation Diaries                                                       by sify

Hindu

TOI

150425_-_farmers_a_2384764f

Hindu

Hindu Hindu State of Two Nations State of Two Nations               pic by sandeep Demonitisation Diaries 2 Demonitisation Diaries 2  pic by sify

TOI

...as an eminent lawyer you ought to know that your action tantamount to, under Section B, sub-section G.VIX, read along with I.P.C. (A) XI (B), notwithstanding...                                        TOI

[caption id="attachment_97477" align="alignleft" width="621"]UIDAI Leaks UIDAI Leaks[/caption] Alligator vs Litigator Alligator vs Litigator Hindu Soaring of Oil Prices pic by indiaone

Hindu

State of Affairs Women Safety: State of Affairs             pic by mangal

Hindu

If India takes One Step, we will take Two by Satish If India takes One Step, we will take Two ...................by Satish Missing the Point Missing the Point pic by english blog

IBN IBN

Pic by Hindu Women Empowerment and Sports Women Empowerment and Sports Delivery Boy Delivery Boy                    by Satish

TOI

Cartoon TOI

Hindu Hindu

Hindu Hindu

Humour @ Latest Laws Achhey Din Humour @ Latest Laws: Achhey Din Let Justice Be Let Justice Be

pinterest

Job Hazards

TOI

Hindu Hindu Hindu

Hindu

Demonitisation Diaries 1 Demonitisation Diaries 1                                  pic by sify   Hindu Hindu Hindu

TOI

Hindu

TOI TOI

TOI

TOI

[caption id="attachment_97474" align="alignleft" width="621"]Donald Trump’s immigration ban Donald Trump’s immigration ban[/caption]

TOI

Tax Reforms    by Hindu Tax Reforms by Hindu Hindu Hindu TOI Lawyers Bearing the Burden Literally Lawyers Bearing the Burden Literally pic by OMG Acheche DIn Acheche Din     pic by sify
 
 
 

Check Also

Ex Bangladesh PM Khaleda Zia

Bangladesh: Khaleda Zia files petitions to challenge disqualification from elections

December 10, 2018: On Sunday, Bangladesh’s imprisoned former prime minister & opposition leader Khaleda Zia challenged an election commission order disqualifying her from contesting the upcoming general election, as she filed three writ petitions in the High Court here. The ...

Leave a Reply

Your email address will not be published. Required fields are marked *

Latest laws

Join our mailing list to receive the Latest Laws News and updates from our team.