Highlights of the Personal Data Protection Bill

Author: thinkinglegal | January 18, 2020 - 10:41 | Tags: Data Protection

The Personal Data Protection Bill (“Bill”) was tabled before the Lok Sabha on 11 December 2019 and is currently being analysed by the Joint Select Committee. The Bill regulates the processing of personal data of individuals (who are referred to as data principals) by government and private entities (which act as data fiduciaries) incorporated in India and abroad. The key highlights of the Bill are:

  • Clause 4 - Personal data shall be processed only for purposes which are clear, specific and lawful.
  • Clause 5 - The data fiduciary shall ensure the privacy of the data principal and shall process data for the purpose consented to or incidental to such purpose.
  • Clause 11 - The processing of data will be permitted if the individual gives consent at the commencement of processing, and the consent shall be free, informed, specific, clear and capable of being withdrawn.
  • Clause 12 - Data processing for the performance of any function by the State, under any law by the Parliament or State Legislature, any medical emergency, in the interest of national security, or for legal proceedings, is exempted from the application of the Bill.
  • Clause 14 - The Bill allows processing of data for “reasonable purposes” which include preventing and detecting fraud, whistle-blowing, recovery of debt, mergers and acquisitions, the operation of search engines, etc.
  • Clause 18 - The data principal has the right to seek rectification of inaccurate or misleading data, completion of incomplete data, erasure of irrelevant data, and updating of out-of-date data, which is stored with the data fiduciary.
  • Clause 33 - A copy of sensitive personal data may be transferred outside India, but such data should be compulsorily stored and processed within India, especially critical personal data.
  • Clause 41 - A national-level Data Protection Authority (“DPA”) will be established to supervise and regulate data fiduciaries. Data fiduciaries will be obligated to inform the DPA of any breach of data that is likely to cause harm to the data principal.

This post has been contributed by Ms. Vaneesa Agrawal and Ms. Vasuvita Singh.

[DISCLAIMER: This article is for academic purposes and is solely to provide readers with general information regarding developments in Indian law. The information contained herein does not constitute legal or professional advice.]