From the UPSC perspective, the following things are important:
Prelims level : Various keywords mentioned in the Bill
Mains level : Personal Data Protection: Prospects and challenges
The Personal Data Protection (PDP) Bill, 2019, introduced in Lok Sabha this week, has been referred to a joint select committee. Here are some terms described in the Bill:
- Data: Information that is represented in a form that is more appropriate for processing.
- Cross-border transfer: The movement of data across national borders
- Data localisation: Restrictions on the transfer of data outside national borders.
- Data processing: The analysis of data to glean patterns, turning raw data into useful information
- Personal data: Data that identifies an individual
- Non-personal data: Data that is anonymised, most probably because it is presented in an aggregated or summary form
- Data principal: The individual whose data is being collected and processed
- Data fiduciary: The entity that collects and/or processes a data principal’s data
- Data processor: The entity that a fiduciary might give the data to for processing, a third-party entity
- Notice: The fiduciary gives the principal a notice of the collection, including the purpose, the type of data, fiduciary contact details, the principal’s rights, and more
- Right to correction and erasure: Principal’s right to correct and erase their data
- Right to data portability: The right to receive the data from the fiduciary in a machine-readable format
- The right to be forgotten: The right to restrict continuing disclosure of personal data
- Privacy by design: Developing the product and business with privacy concerns in mind
- Significant data fiduciaries: The Data Protection Authority labels certain fiduciaries as significant depending on their data processing, such as volume of data, sensitivity of data, company turnover, risk of harm, and newer technologies.
- Data protection impact assessment: The fiduciary’s internal assessment
- Data protection officer: A representative of the fiduciary that coordinates with the Authority
- Critical personal data: The government decides the definition from time to time and it cannot be taken outside of India at all.
- Adjudicating officers: Officers in the DPA with the power to call people forward for inquiry into fiduciaries, assess compliance, and determine penalties on the fiduciary or compensation to the principal. Adjudication decisions can be appealed in the appellate tribunal.
Sensitive personal data
- Data related to finances, health, official identifiers, sex life, sexual orientation, biometric, genetics, transgender status, intersex status, caste or tribe, religious or political belief or affiliation.
- This data can only be sent abroad with Authority approval.
Data Protection Authority
- A government authority tasked with protecting individuals’ data and executing this Act through codes of practice, inquiries, audits and more
- The authority has four groups of tasks.
- In adjudication, the DPA receives grievances and handles enforcement.
- In monitoring, it oversees internal assessments and external audits of the fiduciaries, as well as tracks data security breaches.
- In policy, the DPA defines sensitive personal data, reasonable purposes for processing, forms of consent, and the lawful transfer of data outside of India.
- Finally, the Authority conducts research and awareness building about data protection.