The Personal Data Protection Bill 2019 (PDPA) was introduced in Parliament in December 2019. The bill establishes a framework to protect an individual's data from entities that collect and use the data, e.g. e-commerce and social networking companies. Soon after its introduction, the bill was referred to a joint parliamentary committee for further examination.
The bill places certain obligations on data fiduciaries, those who collect and use data, and gives certain rights to individuals, or data principals, to protect their data. It establishes a data protection authority to regulate and oversee data fiduciaries. Finally, the bill raises some issues to consider.
Can companies collect your personal data without your consent?
Under the bill, data entities cannot collect or process personal data without an individual's consent. Personal data is any piece of information that can identify a person, for example, financial information such as a PAN or a complex number. The bill makes some exceptions for obtaining consent.
Consent will not be required for events such as a medical emergency or legal proceedings, or when the government is providing a benefit or service to the individual. If the government is the sole provider of a benefit or service, such as a driving licence, then the question of consent does not arise because an individual cannot refuse consent anyway.
But if we take health insurance as an example, where the government can provide a service alongside private actors, this raises the question: why should the public insurer be given an exemption from taking consent when private insurance companies are required to take it under the bill?
Under the bill, entities which process personal data will have to specify the purpose of data collection, show that the processed data is complete and not misleading, and ensure that data is not retained beyond the necessary period. However, they are exempted from these provisions if they are processing personal data for prevention, detection, investigation, or prosecution of any offence. In such cases, data entities only have to ensure that the processing is done for a clear, specific and lawful purpose. This implies that the fiduciary may collect more data than required and retain that data for a period longer than necessary.
Further, the individual will not have rights over this data. While consent cannot be taken before processing the data of data principals for the prevention and investigation of offences, it is unclear why other obligations should not apply. The 2018 expert committee had argued that prevention, detection, investigation, and prosecution for a violation of the law are essential state functions.
It recommended that these activities should be exempted from specific provisions. However, such exemptions should be proportionate to the interests being achieved.
What is required by an individual to file a complaint?
According to the bill, an individual may complain to a data fiduciary if it acts against the provisions of the law, but only if this has caused harm or is likely to cause harm. It is unclear why the bill does not allow an individual to file a complaint for, say, violation of their rights. For instance, if a data fiduciary mines the personal data of a user without their consent for profit, this may not necessarily cause harm to them. Still, the user would have to demonstrate the likely harm this would cause in order to file a complaint.
Under the bill, in the event of a data breach, the data fiduciary has the discretion to decide whether the breach needs to be reported to the data protection authority. Such discretion may lead to under-reporting of breaches by data fiduciaries seeking to protect their market reputation. The complete analysis of the bill is available in the description.
To whom does the Personal Data Protection Bill 2019 (PDPA) apply?
The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorises specific personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, etc.
Can personal data be stored and processed outside India?
Sensitive personal data may be transferred outside India for processing if the individual explicitly consents, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.