Data Protection Bill moots power to Govt to call for information from data collecting entities, Board

New Delhi: The data protection bill introduced in Parliament on Thursday enables Government "to call for information" from data protection board, data collecting entities or intermediary, and safeguards the Centre from legal proceedings for "action taken in good faith" under the provisions of the legislation.

After two or more instances of norm violation by a data collection entity, the Government on the advice of Data Protection Board, can direct blocking access to information in the interest of the general public, according to the provisions of the Bill.

The Digital Personal Data Protection Bill was tabled in Lok Sabha on Thursday.

"...after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it is necessary or expedient so to do, in the interests of the general public, for reasons to be recorded in writing, by order...direct any agency of the Central Government or any intermediary to block for access by the public or cause to be blocked for access by the public any such information," it said.

This provision will apply where Board informs Government about imposition of monetary penalty on a Data Fiduciary in two or more instances, and advises such blocking in public interest.

"The Central Government may, for the purposes of this Act, require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for," as per the Bill.

While data collecting and processing entity (Data Fiduciary) has to take consent of parent before processing personal data of children (defined as individual below the age of 18 years), there is some leeway for entities which abide by secure and "verifiably safe" processing of children's personal data.

"The Central Government may, if satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations...in respect of processing by that Data Fiduciary as the notification may specify," it said.

All in all, the Digital Personal Data Protection Bill or data protection Bill in short, provides for the processing of digital personal data recognising right of individuals to safeguard their information and the need to process personal data for lawful purposes.

It defines personal data breach as unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

It classifies the data ecosystem into Data Fiduciaries (who determines the purpose and means of processing of personal data) and Data Principal (individual to whom the personal data belongs to), laying down obligations and dos and dont's for the former and specifying the rights and duties of the latter.

Once approved by Parliament, the norms will apply to personal data collected within India from data principals online, and personal data collected offline, but subsequently digitised. It will also apply to such processing outside India, if it is for offering goods or services to individuals in India.

The proposed provisions of the Act do not apply to personal data processed by an individual for any personal or domestic purpose, personal data caused to be made publicly available by data principle, say a blogger sharing personal data on his/her social media blog.

Personal data can be processed only for a lawful purpose for which an individual has given consent and for certain legitimate uses.

It moots that notice is to be given by data fiduciary (entities taking the data) to an individual concerned describing the data being taken and the purpose for which it is being processed.

Citing an instance, it says if a bank is processing customer KYC, they have to send notice to individual concerned describing the data and purpose of processing.

Consent of the individual needs to be a clear affirmative action, agreeing to processing of personal data only for the specified purpose.

This means that even if consent is for other purposes, say giving access to contact list while downloading a telemedicine app, the consent will be seen limited only actual and real purpose of data being collected.