On Friday, 21 July 2017, Shri Baijayant Panda of the Biju Janata Dal introduced a bill titled ‘The Data (Privacy and Protection) Bill, 2017’, Bill No. 100 of 2017, in the Lok Sabha. The full text of this Bill can be accessed here.
The Bill covers surveillance, data portability, consent for data processing, access to data, removal of data, notification on data breaches, setting up of an independent body called ‘Data Privacy and Protection Authority’ and more. You can read about these in more detail below.
The Bill explicitly states that there shall be a ‘right to privacy’, prohibits indiscriminate surveillance, and, barring some reasonable exceptions, requires consent to collect, process, store and disclose personal data. Consent must be explicit, and has to be obtained after a full disclosure of the kinds of data that will be collected and the purpose for which that data is collected. Any change in the purpose of processing must be accompanied by a fresh explicit consent. People can obtain a copy of their data from data controllers and data processors, and they can have their data rectified if it is inaccurate or incomplete. People can also have their personal data removed where: (a) it is no longer necessary for the original purpose, (b) they withdraw their consent, (c) the data was obtained unlawfully, or (d) a Court so orders. At the same time, the Bill allows data to be retained where it is needed for a legal obligation or claim, in the interest of fundamental rights, or to safeguard the public interest. In case of a data breach resulting in a leak of personal information, the people affected by the breach must be informed within 7 days. Targeted profiling of any individual or class of persons without any basis is barred by the Bill. The Bill also requires data gathered by intelligence agencies during surveillance to be destroyed after one year if it is no longer necessary to retain the data for the purposes of evidence or investigation. Other aspects of surveillance covered by the Bill include an express bar on surveillance by any person except a public servant or authority duly authorised by the Central Government to order or conduct surveillance.
Sensitive personal data has been provided additional safeguards in Section 20 of the Bill. This covers racial or ethnic origins, political or religious views, financial information, medical history, sexual activity, biometric data, but does not cover anything that is lawfully available in the public domain or can be obtained under a law such as the Right to Information Act.
Exceptions have been made in the Bill for archiving or scientific or historical or statistical research, as long as it is in public interest and subject to adequate safeguards. Additional exceptions allow acquiring and processing personal data necessary to perform ‘any statutory, governmental or other functions’, contractual or legal obligation, medical emergency, court order, and legitimate interests of data controller, processor or third party.
The Bill mandates the appointment of an independent Data Protection Officer (DPO) by every data controller, processor and third party. Recognising that this can be a costly affair, data controllers and processors that employ fewer than 500 people and have a per-capita turnover of less than one crore rupees are allowed to jointly appoint a DPO. The DPO’s duties include, among others, addressing complaints made in writing, initiating an inquiry and recommending actions to the data controller or processor.
The Bill also calls for a body called the Data Privacy and Protection Authority (DPPA) to be set up as an independent body that can be approached by people aggrieved under the Bill. A person aggrieved by the decision of a DPO can approach this Authority; where there is no DPO that can handle the person’s grievance, the person can approach the Authority directly. Section 15 of the Bill provides a list of situations in which the right to privacy could be restricted by the Authority. These include the sovereignty or integrity of India, national security and the defence of the country; prevention of terrorism, corruption, money laundering, organised crime, and the sale or purchase of narcotic and psychotropic substances; investigation of offences under the Indian Penal Code; and maintenance of public order in situations of imminent danger of breakdown. Any such restriction of privacy must be ‘adequate, relevant, proportionate, not excessive in nature’. An order approving or rejecting a surveillance request from an intelligence agency must be made by the DPPA, with reasons recorded in writing.
Contravention of the Bill with respect to personal data is punishable with imprisonment of up to five years and a fine of up to Rs. 50,000 per day. If the contravention involves sensitive personal data, then the term of imprisonment could extend to ten years, the fine could be up to Rs. 1,00,000 per day, and compensation must be paid to the person affected.
A breach of confidentiality or compromising security of personal data being collected as a part of surveillance is punishable with up to ten years of imprisonment and a fine of up to Rs. 50,000 per day.
Non-compliance with a direction of the Bench is punishable with imprisonment of up to six months and fine of up to Rs. 50,000 per day.