MeitY publishes final draft of the Personal Data Protection Bill, 2018
On July 27, 2018, the Ministry of Electronics and Information Technology (MeitY) published the Justice BN Srikrishna Committee of Experts Report on Data Protection as well as a Personal Data Protection Bill, 2018 (“Bill”).
This Bill is the result of the deliberations of the Justice B. Srikrishna Committee to review and recommend necessary changes to the current data protection regime under the Information Technology Act, 2000, along with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, keeping in mind the technological changes.
Aim of the Bill:
- To create a relationship of trust between persons and entities processing their personal data;
- To specify the rights of individuals whose personal data are processed;
- To create a framework for implementing organisational and technical measures in processing personal data;
- To lay down norms for cross-border transfer of personal data;
- To ensure the accountability of entities processing personal data;
- To provide remedies for unauthorised and harmful processing; and
- To establish a Data Protection Authority for overseeing processing activities.
Key Highlights of the Bill:
- A new definition for Personal Data has been introduced and the definition for Sensitive Personal Data has been revised to include new parameters such as religious and political views, caste and tribe etc., which were earlier not present;
- Concepts of data principal, data fiduciary and data processor have been introduced;
- Concept of Anonymization of data has been introduced;
- The Bill contemplates the creation of the Data Protection Authority of India as an independent regulator;
- Requirement for appointing a data protection officer and conducting regular data audits has been introduced;
- The concepts of the right to be forgotten, data portability and cross-border flow of data have been introduced;
- A requirement has been made that collection and processing of data must be for lawful purposes;
- Special provisions for the protection and processing of the data of a child have been introduced;
- Reporting requirements in the event of a data breach have been introduced.
The Bill also proposes to have an overriding effect on a few provisions of the following enactments:
- Information Technology Act, 2000;
- The Right to Information Act, 2005.