This Article is written by Prakriti Suthar (a third-year law student from Manipal University Jaipur )
The Parliament introduced Personal Data Protection Bill, 2019 on 11 December 2019. The Bill regulates personal data related to individuals, and the processing, collection and storage of such data. The Bill consists of data fiduciary and data principal. The one whose personal data is being processed is known as the data principal. The entity or individual who decides the objective and purpose of data processing is known as data fiduciary.
Why was a Bill brought for personal data protection?
Privacy was declared a fundamental right, in the case justice K. S. Puttaswamy (Retd.) and Anr. Vs Union of India under the right to life and personal liberty under Article 21 of the Constitution by the Supreme Court in August 2017. Hence it was observed by the Court that privacy of personal data and facts is an essential aspect of the right to privacy. In July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to examine various issues related to data protection in India. The Committee submitted its report, along with a draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018.
Data Protection Authority
Under clause 41, a Data Protection Authority is set up by the Bill, to ensure compliance with the provisions of the Bill, and provide for further regulations with respect to the processing of personal data of individuals. The Authority is supposed to be a body corporate, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, and to contract, and sue to be sued.
Composition of members
The Authority should consist of one Chairperson and a maximum of 6 members of which one should have qualifications and experience in law and expertise in fields such as data protection and information technology.
The members and Chairperson shall be appointed on the recommendation made by a selection committee by the Central Government.
Qualification for appointment
The Chairperson and the Members shall be persons of ability and integrity and shall have specialized knowledge and experience of at least 10 years in data protection or related subjects.
The Chairperson and Members shall be appointed for 5 years/ 65 years of age, whichever is earlier and they can’t be reappointed. Any vacancy for these posts shall be filled up within 3 months from the date on which such vacancy occurs.
Power of Chairperson
The Chairperson shall have powers of superintendence and directors of the affairs and also exercise all powers and do acts which may be done by the Authority under this Act.
Officers and other employees
The Authority may appoint officers, other employees, consultants and experts for effective discharge of its functions. Any salary or allowances for these employees shall be specified by laws.
Meetings of the Authority
The Chairperson and Members of the Authority shall meet at such times and places and shall observe such rules and procedures in regard to the transaction of business at its meetings including quorum at such meetings, as may be prescribed according to clause 46.
All the questions shall be decided by a majority of votes of the Members, and in case of an equality of votes, the Chairperson or in his absence, the member presiding, shall exercise a second or casting vote.
Functions of the Authority
The functions of the Authority shall include-
- Monitoring and enforcing application of the provision of this Act
- Taking appropriate action in response to personal data breach
- Maintaining a database on its website
- Examination of any data audit reports and taking action
- Issuance of a certificate of registration to data auditors and renewal/withdrawal/suspension/cancellation thereof and maintaining a database of registered data Auditors and specifying the qualifications, code of conduct, practical training and functions to be performed.
- Classification of DF
- Monitoring cross-border transfer of personal data
- Specifying codes of practice
- Promoting awareness and the risks in respect of protection of personal data
- Monitoring technological developments and commercial practices that may affect protection of personal data
- Promoting measures & doing research for the Protection of personal data;
- Advising Central Government, State Government or other authorities on taking measures to promote protection of data.
- Specifying fees and other charges for carrying out the purposes of this Act
- Receiving and inquiring complaints under this Act
- Performing such other functions as may be prescribed
- Where the Authority processes any personal Data, it shall be construed as the DF or the DP in relation to such data, and where the Authority comes into possession of any info that is treated as confidential by the DF or processor, it shall not disclose any info unless required by law.
Under Section 51, the Authority may, for the discharge of its functions, issue directions from time to time to any Datafiduciary or Data Principal who is bound to comply.
Under Section 52, the Authority has the power to call for information and for this purpose the application should be made through a notice in writing to the Data Fiduciary or processor stating the reasons for such requisition.
Hence, any individual, who is not satisfied with the grievance redressal by the data fiduciary can file a complaint to the Authority. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
The Personal Data Protection Bill, 2019