What Indians should know about the proposed data-protection law

Be safe.
Be safe.
Image: AP Photo/Aijaz Rahi
We may earn a commission from links on this page.

Indians will soon have more control over how companies use their data.

After a long delay, a committee set up under former supreme court justice, BN Srikrishna, finally submitted a draft of the Personal Data Protection bill, 2018 (pdf), to the government on July 27.

The bill will now be introduced in parliament and become a law, with or without modifications.

This means Indians could soon have laws that protect their data from being misused by companies to their benefit. From outlining how a company can use data to setting punitive measures, here’s what the bill has for the common man:

What is personal?

The bill defines “personal data” as:

“…data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information;

It goes on to define “sensitive personal data,” which includes anything that reveals or relates to crucial information like financial details or passwords, to gender and even caste.

The bill also proposes a set of rights that Indian citizens have over their data.

What are your rights?

The bill proposes four rights that every citizen would have over his/her data:

Right to confirmation and access: Every citizen can ask companies to confirm if any of his/her data has been used for any processes, and also share details of what data was used and for what purpose.

Right to correction, etc: Indian citizens can ask companies to correct any inaccurate, misleading or incomplete personal data they have.

Right to data portability: Every Indian can ask companies to share details of his/her personal data that has been generated while he/she was using a service or goods.

Right to be forgotten: A person can restrict a company from using data he/she had shared earlier. This right does not make it mandatory for companies to delete such data altogether.

Consent and breaches

The bill states that a company can only process a person’s personal data on the basis of consent that is free, informed, specific, clear, and capable of being withdrawn.

Also, all companies and government entities will have to notify the Data Protection Authority of any breach likely to harm the individual whose data has been compromised. The disclosures in times of breaches must include:

  • Nature of personal data breached
  • Number of users affected
  • Possible consequences
  • Measures being taken to remedy the breach

In addition, under some circumstances, a citizen whose data is breached has the right to ask the company for compensation.

What if a company breaks the law?

The bill proposes strong punitive measures for companies in breach of the law.

Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to Rs5 crore or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.