A copy of the personal data protection bill 2019 was circulated among members of parliament on Tuesday. The bill which was approved by the cabinet last week is listed for introduction in parliament before the winter session ends on December 13.
The first draft of the bill was framed and introduced for public consultation in July 2018, by a committee led by justice BN Srikrishna.
According to sources, the bill is likely to be referred to a standing committee before it is taken up again after the budget session next year.
Here are some of the salient points made in the copy of the bill which has been reviewed by TechCircle.
- Classification of data into personal, sensitive and critical personal data as defined by the central government.
- Setting up Data Protection Authority (DPA) as the regulator which will constitute of a chairperson and six whole-time members appointed by the central government. The bill also mandates appointing an Appellate Tribunal which will hear appeals against decisions taken by DPA.
- The central government in consultation with DPA can direct any data processor or fiduciary to provide anonymised personal data or other non-personal data for delivery of services or to benefit policy formation by the government.
- The DPA has the power to notify certain businesses or data fiduciaries as significant, based on the volume and sensitivity of data processed by them, the turnover of the company, use of new technology and risk of harm by processing of the data by the company.
- The DPA will also set up a sandbox for encouraging innovation in artificial intelligence, machine learning and other emerging technologies.
- Social media intermediaries notified as significant data fiduciary will have to allow Indian users to voluntarily verify their accounts. Verified accounts will be marked visibly to other users of the service. This clause is likely to have a direct bearing on the case for linking citizen identification to social media accounts, which is being debated in the Supreme Court.
- The central government has the power to exempt any agency of the government from the act.
- Data fiduciaries will be required to get their policies and conduct on processing personal data audited annually by an independent data auditor.