Critically analyse the provisions of Personal Data Protection Bill which seeks to update the currently non-existent standards for privacy and consent.

Recently the Union Cabinet has approved the Personal Data Protection Bill which lays down a legal framework in the Indian context to preserve the sanctity of “consent” in data sharing and penalize those breaching privacy norms.

Seeking to keep up with regulation around the world regarding data, such as the European Union’s General Data Protection Regulation (GDPR), the Union Government in 2018 introduced a draft personal data protection bill in order to regulate the use of an individual’s data by both the government and private sector. As of now, there are no laws to govern the use of personal data and to prevent its misuse, the Supreme Court on its part did uphold the right to privacy as a fundamental right back in 2017.

The current Personal Data Protection Bill, 2018, was prepared by a high-level expert group headed by former Supreme Court judge B.N. Srikrishna. Consultations between certain ministries delayed its approval.

The bill proposes a number of things- 

• In order to check social media trolling the bill proposes social media platforms to create a voluntary verifiable account mechanism for users who utilize their services from India and who has registered for the service from India. 
• Data has been divided into three categories—critical, sensitive and general.  Data related to a person’s financial, health, sexual, orientation, biometrics, gender status, political or religious beliefs will be identified as ‘sensitive data’ and can only be stored in India. However, with the explicit consent of the user, this data may be shared.
• The government will define what is and isn’t ‘critical data’ from time to time and will be stored and processed in India only. 
• Data which doesn’t fall in either category mentioned above will be categorized as general data which will have no restriction on where the data is stored or processed.
• The government is entitled to direct companies and individuals who possess data to get access to non-personal data for public services like providing the public with better services and for research purposes. 
• Personal data can be processed only in specific cases where it will be utilized for lawful purpose. For example, National security and other agencies may get access to personal data for investigation purposes. 
• There will be provisions to penalise firms in case of violations, a company would have to cough up as much as ₹5 crore or 2% of its worldwide turnover, whichever is higher, in the case of a minor violation. In case of a major violation, it will be either ₹15 crore or 4% of global turnover, whichever is higher.

Topics: GS-III: Cyber Security in India