Editorial Simplified: Drafting a Data Protection Bill – [GS – 2]

Why has this article been released?

Recently, the draft Personal Data Protection Bill, 2018, was released. This bill is the outcome of the Srikrishna Committee report.


What is the objective of the bill?

The objective of the Bill is to balance the growth of the digital economy and use of data as a means of communication between persons with a statutory regime that will protect the autonomy of individuals from encroachments by the state and private entities.


How does the bill define ‘personal data’?

The bill defines personal data as information relating to a natural person.


Important features of the bill

  • The draft Personal Data Protection Bill, 2018, recognizes privacy as a fundamental right.
  • It has provisions to protect personal data as an essential facet of information privacy.
  • The Bill applies to the processing of personal data where such data have been collected, disclosed, shared or otherwise processed within India.
  • It includes the processing of personal data by the state, any Indian company, any Indian citizen, or any person or body of persons incorporated or created under Indian law.
  • The Bill also brings within its ambit the processing of personal data by data fiduciaries or data processors located abroad in connection with business, systematic activity of offering goods or services to data principals, or profiling of data principals within the territory of India.
  • Breach of personal data involves unauthorized or accidental disclosure, acquisition, sharing, use, alteration or destruction of, or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal.
  • The Srikrishna Committee has complied with the Supreme Court’s suggestion that collection, processing and storage of personal data should be limited to the stated purpose, which has to be clear, specific and lawful.
  • The Bill mandates that data fiduciaries should retain personal data “only as long as may be reasonably necessary to satisfy the purpose for which it is processed”. There should be a periodic review done to check if continued storage of data is necessary.
  • The Bill allows processing of personal data for “prompt action” only if it is necessary for any function of Parliament; or any State Legislature to render service or benefit to citizens; or in response to any medical emergency to the data principal; or in cases of epidemic, outbreak of disease, disaster or breakdown of public order.
  • The Bill includes the ‘right to be forgotten’, which is the right of a data principal to restrict or prevent continuing disclosure of personal data by a data fiduciary.
