The Personal Data Protection (PDP) Bill, which is likely to be tabled in Parliament this week, proposes allowing law enforcement agencies to process personal data of data principals (users) without consent for “reasonable purposes”.
The exemptions will be in cases of prevention and detection of any unlawful activity including fraud, whistle blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, processing of publicly available personal data and operation of search engines.
However, reiterating the importance of privacy, the draft, seen by Inc42, clearly states that except for any specific, clear and lawful purpose, no personal data shall be processed by any person.
Personal data can be processed without consent only after taking into consideration factors such as public interest. The draft says that personal data may be “processed” if this is necessary for the performance of “any function of the state authorized by the law” for any public service and for compliance with any order of a court or tribunal.
Among other changes, the proposed bill also gives users the right to delete any personal data posted in the public domain, similar to the Right To Be Forgotten ruling in Europe, and gives them the freedom to ask social media platforms such as Facebook and Twitter to delete any data they have published online.
The proposed bill will also require social media platforms to create a mechanism that will allow users to verify their accounts.
Data principals can also ask to restrict continued disclosure of data once the purpose for which it was collected has been served, or is no longer necessary. If a user withdraws consent, the data has to be removed. However, they will have to file an application with an adjudicating officer in case they wish to withdraw consent or want to limit the use of data, according to the draft.
The draft also says that every data fiduciary (i.e., the company or agency asking for the data) and the data processor processing the data shall implement necessary security safeguards, including the use of methods such as de-identification and encryption; steps necessary to protect the integrity of personal data; and steps necessary to prevent misuse, unauthorised access, modification, disclosure or destruction of personal data. It also says that every data fiduciary and data processor shall undertake a review of its security safeguards periodically.
The PDP Bill received the Union Cabinet’s approval last week and will be sent to a joint committee for further discussion after it is tabled.