Date: 2019-12-14

The Personal Data Protection Bill, 2019 (the “Bill”), is largely based on the draft of the Personal Data Protection Bill, 2018 submitted by the Committee of Experts constituted under the Chairmanship of Justice Srikrishna (Retired). The Bill continues to mandate that Personal Data be processed fairly and reasonably while ensuring the privacy of the Data Principal, for purposes that are consented to by the Data Principal, or purposes incidental or connected thereto.

It includes several novel concepts not present in the draft circulated by the Committee of Experts. For instance, it defines a category of Social Media Intermediaries and excludes search engines, storage and email providers, E-Commerce platforms, ISPs, etc.

Social Media Intermediaries having more than a specified number of users and whose actions are likely to impact certain factors like democracy, the security of the state, sovereignty, etc., will be notified by the Central Government as Significant Data Fiduciaries. All such entities are required to enable users who register for their services from India to voluntarily verify their accounts, and thereafter mark verified accounts with a specified mark which will be visible to all users.

The Bill proposes a regulatory sandbox to promote the development of new technologies such as artificial intelligence and machine learning. Entities which successfully apply for inclusion in the sandbox will enjoy certain time-bound exemptions from purpose, storage and consent requirements.

The Bill also proposes limiting the data localization requirement only to Critical Personal Data, while permitting sensitive personal data (as opposed to all personal data) to be transferred and processed outside India.

While the above changes would arguably help enable certain types of businesses, other changes, such as the removal of a specific implementation timeline, the removal of transition provisions, and the requirement to share anonymized and non-personal data with the Central Government under certain circumstances, may prove to be a source of concern.

