BY – Ayush Kumar
WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy;
WHEREAS the growth of the digital economy has meant the use of data as a critical means of communication between persons;
WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation;
AND WHEREAS it is expedient to make provision: to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities;
The PDP Act includes notices and prior consent requirements regarding the use of personal data, restrictions on the purpose for which a company can process data, and restrictions to ensure that only the data necessary to provide related services is collected. It also includes requirements for data localisation and the appointment of data protection officers within the organisation. India has not yet enacted this particular data protection law. However, Indian lawmakers have amended the Information Technology Act (2000) to include Section 43A and Section 72A, which provide the right to compensation for improper disclosure of personal information.
1. Short title, range, and beginning. —
(1) This law can be called the 2018 Law on the Protection of Personal Data.
(2) It extends all over India. ‘
(3) The provisions of Chapter 14 of this Act shall come into effect on the day the central government may specify by notice, and the remaining provisions of the Act shall come into effect under the provisions of this Chapter.
2. Application of law to the processing of personal data. —
(1) This law applies to —
(a) Processing of personal data if it is collected, disclosed, or otherwise processed within the boundary of India; and
( b) Processing of personal data by a country, an Indian company, an Indian citizen, or an individual or group of individuals which comes under Indian law.
(2) Notwithstanding the provisions of paragraph (1), the law applies to the processing of personal data by data consignees or data processors not located on the territory of India. A systematic activity to provide goods or services to any business carried out in India or to data managers within the territory of India. Or
(b) in connection with activities involving data controller profiling within the Indian Territory.
The Personal Data Protection bill of 2019 was brought to notice at Lok Sabha on December 11, 2019, by Minister of Electronics and Information Technology.
The central government of India then enacted information technology regulations (appropriate security practices and procedures, and sensitive personal data or information) under Section 43A of IT Law. This rule imposes additional requirements on Indian commerce and businesses regarding the collection and disclosure of sensitive personal data or information that has some similarities to the GDPR and privacy policies. Companies in regulated sectors such as financial services and telecommunications are subject to confidentiality obligations under Sector Act and will keep their personal data confidential and use it only for certain purposes or in a manner agreed with the customer is obligatory.
WHY THIS LAW SHOULD COME
- DATA FIDUCIARY
A data fiduciary is also called a data trustee. The PDP bill proposes the concept of “data trustees”. “Data trustee” corresponds to the concept of controller and processor in the sense of GDPR. The PDP Act applies not only to people in India, but also to people outside India who are involved in doing business in India, providing goods or services to people in India, or profiling people in India. Therefore, organizations must take appropriate steps to prevent unauthorized access to sensitive information and prevent malicious cyberattacks, accidental loss, or deletion of sensitive data. This includes implementing robust data security strategies that focus on people, processes, and technology. Organizations need to ensure that their employees are trained and understand the importance of protecting sensitive information. Therefore, to support this, security must be incorporated into corporate culture and processes. This includes implementing the appropriate technology to protect against malicious accidental data loss. Data security is as robust as the various factors that support it, so it’s a good idea to layer proven solutions to keep sensitive data secure from start to finish.
- Individual Rights: The bill provides specific rights to individuals (or data commissioners). This includes (i) receiving confirmation from the trustee asto whether your personal data has been processed, (ii) requesting correction of inaccurate, incomplete, or outdated personal data, and (iii) another dataconsignment. Includes the right to transfer personal data to a person. In certain circumstances, (iv) we request that you limit the disclosure of your personal data if it is no longer required or your consent is revoked.
- Reasons for processing personal data: The bill only allows trustees to process data with the consent of the data subject. However, under certain circumstances, personal data may be processed without your consent. These include (ii) legal proceedings and (iii) emergency medical care if the state requires personal benefit.
- Social Media Mediators: The bill defines these as mediators that enable online dialogue and information exchange between users. All of these intermediaries, where users have exceeded reported thresholds and whose actions can harm election democracy or public order and morals, provide Indian users with a voluntary user screening mechanism, etc., Has certain obligations.
- Data Protection Agency: The bill is a data protection agency that can (i) take steps to protect the interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the bill. To establish. It consists of a chairman and six members with over 10 years of experience in the fields of data protection and information technology. Authorities’ decisions can be appealed to the Court of Appeals. The referee’s appeal goes to the Supreme Court.
- Transfer of Data Outside India: Sensitive personal data may be transferred for processing outside India, subject to certain additional terms, with the express consent of the individual. However, such sensitive personal data should still be stored in India. Certain personal data reported by the government as important personal data can only be processed in India.
- Exceptions: The central government may exempt any of its institutions from the provisions of law: (i) national security, public order, India’s sovereignty, and integrity, and foreign friendships. To prevent instigating (ie, arresting without a warrant) to commit an identifiable criminal offense for the benefit of and (ii) in connection with the above matters. The processing of personal data is based on the provisions of legislation for certain other purposes, such as (i) prevention, investigation, or prosecution of criminal offenses, or (ii) personal, national, or (iii) journalistic purposes. increase. You will also be exempt. However, such processing requires certain security measures to be taken to serve certain explicit and legitimate purposes.
We live in a data-driven world. Sharing data makes the lives of all of us easier, more convenient, and more connected, both at home and at work. Data protection legislation stipulates what should be done to ensure that everyone’s data is used properly and fairly. You probably have personal data about your customers and clients, such as your name, address, and contact details. You may even have sensitive information such as medical information. This may be required to provide goods and services, but people should not use it in unexpected ways. And you have to protect it. This is because misuse of personal data can cause harm to humans. In some situations, you may be the victim of personal information theft, discrimination, and even physical harm. Data protection law, in principle, applies to all workplaces, businesses, associations, groups, associations, and businesses of all kinds. This includes sole proprietorships, self-employed people, working on their own, or being an owner or manager. This is also true when there are few or no employees. Running a one-person business can be very different from running a global company. However, if personal information is misused, it doesn’t matter where the mistake came from, so the rules are the same. It is important that people can be harmed. Compliance with data protection legislation has many advantages. Not only is good data protection required by law, but it also makes financial sense because it saves time and money. It also shows people that you care about their information, and it’s good for your reputation and brand. More and more people are getting to know their personal data and how they are used. Therefore, organisations that need trust need to do it right.