• This bill intends to protect the data of the users from misuse
• The bill also lays down the punishment in terms of data misuse
• Data can be critical or non-critical and hence the punishment will differ in both the cases

Union cabinet on Wednesday laid down the broad guidelines about the usage of personal data of millions of consumers. Personal Data Protection Bill will devise a framework on collecting, storage and processing of personal data. This bill will also puts a bullet point about taking consent of individuals on the data usage, penalties in terms of non-adherence to these guidelines and compensation. The decision was taken at a Cabinet meeting chaired by Prime Minister Narendra Modi.

This bill will be supposed to be put before the parliament during the ongoing winter session of the parliament. ‘The Bill is likely to contain broad guidelines on collection, storage and processing of personal data, consent of individuals, penalties and compensation, code of conduct and an enforcement model.’ as per the government sources.

This bill gives a strong message to all the entities involved in handling personal data that India is very serious about data usage and it is in no mood to tolerate the misuse of data.

Why do we need Personal Data Protection Bill:

We live in an era of digital environment. This means that at all times, we are some how connected to one or the other digital entity. It can be an application, a social media platform, a website or a professional forum. During interaction with any of these entities, we knowingly or unknowingly share a lot of our personal data like name, address, age, phone number etc. Now it becomes evident for these application to handle the data with utmost scrutiny and make sure that this data is not subjected to any misuse.

What is the punishment under Personal Data Protection Bill:

Data misuse and punishment arising out of that misuse would be decided on the basis of data that is being misused. Data can be critical or it may not be critical. Hence the punishment also depends on the criticality of data.

Definition of Critical data will be defined by the government from time to time. Data related to health, religion, political orientation, bio-metrics, genetic, sexual preferences and financial information will be considered as critical. Rest all other data will be treated as non-critical data.

Punishment for misuse of critical/sensitive data

If any company is found to be violating the norms under Personal Data Protection Bill for critical data, then a fine of Rs 15 crore or 4 percent of global turnover can be imposed on them. Apart from this, the company’s executive-in-charge of such data can be jailed for a period of up to three years if he/she is found guilty of violating the norms of the bill.

Also, all the companies possessing critical data has to store such data with in the country boundaries. The data can be transferred outside the country only after explicit consent of the data owner. While taking such consent, the company has to disclose the purpose for which the data will be utilised.

Punishment for misuse of non-critical data:

For minor data misuse or violation of the norms of the bill, a penalty of Rs 5 crore or 2 percent of the global revenue will be imposed. Here also the officer in charge of this data might face the jail term.

As per the bill provisions, it is also prohibited to knowingly ‘re-identifying de-identified data’ of individuals. Under such conditions, social media platforms will have to come up with a mechanism to identify users who want to be identified on voluntary basis. The users will be provided with an option to be verified or not. Users can also select to get their data erased, corrected or ported.

The bill seeks to promote companies to process data with the country itself and make India biggest data centre and refinery. The bill mandates to seek the consent of the user for processing personal data. However when it comes to cases of national security issues, medical emergency, detection of unlawful activity, explicit consent will not be required for processing the data.