The Bill sets out certain rights of the individual (or data principal). These include the right to (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary if it is no longer necessary or consent is withdrawn. The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is data that pertains to characteristics, traits, or attributes of identity, which can be used to identify an individual. The Bill categorizes certain personal data as sensitive personal data. https://prsindia.org/billtrack/the-personal-data-protection-bill-2019
The Bill also provides for a Data Protection Authority. It will consist of a chairperson and six members, with at least 10 years of expertise in the field of data protection and information technology. It protects the interests of individuals. The Bill will also cover social intermediaries. Offenses under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent are punishable with imprisonment of up to three years, or fine, or both. Data protection came into the picture through the protection of the right to privacy.
A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection, and storage limitations. For instance, personal data can be processed only for specific, clear, and lawful purposes. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children. https://prsindia.org/billtrack/the-personal-data-protection-bill-2019
Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India. The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data. The Bill will give individuals some rights over their data. These include seeking confirmation on whether their personal data has been processed, seeking correction, completion, or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their personal data, if it is no longer necessary or if consent is withdrawn. Any processing of personal data can be done only on the basis of consent given by the data principal.