The much-talked about legislation to protect personal data will allow processing of private data without explicit consent of the owner of the information for credit scores, debt recovery, security, operation of search engines and whistle blowing.
The draft Personal Data Protection Bill, 2019, which is likely to be introduced in the Lok Sabha in the next couple of days, bars storing and processing of personal data by entities without the explicit consent of an individual.
It, however, provides for exemptions for "reasonable purposes" such as "prevention and detection of any unlawful activity including fraud, whistle blowing, merger and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data, and the operation of search engines."
The legislation provides for stringent ground rules for processing of personal and sensitive information of children, while mandating the processing of 'critical' personal data only in India.
But data concerning health services and for complying with any law or court orders can be processed without the consent of the owner, the draft bill said.
It also gives power to the government to decide from time to time on the exemption list.
The draft bill, cleared by the Cabinet last week, aims to create a "strong and robust data protection framework for India" as it fixes obligation of data fiduciary (that is entity collecting and processing data) and places restriction on transfer of personal data outside India.
Interestingly, the draft bill empowers the Centre to exempt any government agency from application of the proposed legislation.
The draft bill also states that the central government can frame policy for the digital economy with respect to non-personal data. In particular, it can direct any data processor to "provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government".
The draft data protection bill also entails setting up of an authority for protecting personal data and also prescribes stiff penalties for violation of various provisions.
For instance, violations in case of processing of personal data of children will involve a fine of up to Rs 15 crore or 4 per cent of the global turnover, while 'significant data fiduciary' will have to pay up to Rs 5 crore or 2 per cent of global turnover for contraventions pertaining to data audits.
The draft bill defines accountability of entities that process personal data, and mandates that critical personal data shall only be processed in India. However, it can be transferred outside India in case of health or emergency services "where such transfer is necessary for prompt action", and where the government has deemed such transfer to be permissible.
It said that sensitive personal data -- like financial data, health data, sexual orientation, biometric or genetic data, transgender status, religious or political belief/affiliation -- can be transferred outside India with explicit consent, but will continue to be stored in India. What constitutes critical data will be notified by the Centre.
On the personal data of children, the draft legislation proposes that data fiduciaries will have to verify their age, and obtain the consent of parent or guardian before any processing takes place.
Guardian data fiduciary -- that is entities which operate commercial sites or online services directed at children, or process large volumes of personal data of children -- will be barred from profiling, tracking or monitoring children and undertaking data processing that can cause significant harm to the child.
Further, social media entities with user base above a certain threshold and whose "actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India," will be notified as 'significant data fiduciary'.
If such a 'significant data fiduciary' intends to undertake large scale profiling or use sensitive personal data like genetic or biometric data, or any other processing that carries risk of significant harm to individuals, it will have to first undertake a data protection impact assessment.
Every social media intermediary classified as a 'significant data fiduciary' will enable the users in India to voluntarily verify their accounts. Any user undergoing such voluntarily verification will have to be provided with a mark of verification that is visible to all users of the service.
Such entities will also have to get their policies and conduct (of data processing) audited by an independent data auditor.
The draft bill gives power to the Centre "to exempt any agency of Government from application of Act" in the interest of integrity, and security of the country, foreign relations and public order.
The bill provides for a penalty of up to Rs 15 crore or 4 per cent of global turnover for companies found violating norms under the Personal Data Protection Bill, while in case of certain minor violations, it proposes a penalty of Rs 5 crore or 2 per cent of the global turnover.