The lower house of India’s Parliament, Lok Sabha, introduced the Personal Data Protection Bill of 2019 (PDPB) in December, almost a year after the first draft was debated. The bill has been sent to a joint select committee for review and is already generating concerns about how easily the central government would be allowed to bypass data protections.
The PDPB confers upon the Central Government the power to allow government agencies access and use of personal data of individuals in the interest of national security and sovereignty. There are no objective parameters and criterion of when the government can access an individual’s data. The bill gives the government an arbitrary power to bypass data protections.
In 2018 the Supreme Court of India declared privacy a fundamental right under Article 21 of the Indian Constitution. The PDPB is meant to enshrine the Supreme Court’s decision into law, regulating the sharing of personal data, the processing of “sensitive” and “critical” personal data, and establishing a Data Protection Authority of India (DPAI) to enforce the law. The PDPB was modeled after the European GDPR, but with an innovative twist.
The PDPB proposes regulations on social media platforms, tasking them with creating mechanisms to verify accounts created by users in India or accessing a platform in India. The provision seeks to reduce social media trolling and prevent the type of foreign influence allegedly perpetrated during the 2016 presidential election in the United States.
The bill creates two special data categories: “sensitive” and “critical” data. Sensitive data is defined as related to financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation. The PDPB proposes that such data can be stored only in India, although it may be processed outside India with explicit consent. Critical data includes military or national security data, or other data defined by the government. All other data is considered “general data”.
The bill also provides rights such as Right to confirmation, Right to correction, Right to Data Portability and the Right to Be Forgotten.
The National Assembly passed Bill 665 concerning data protection in 2018. The law is scheduled to come into effect two years after enactment. The country currently does not have a general data protection law.
Japan is the only country in the region to have received an Adequacy Decision by the European Commission.
The California Consumer Privacy Act (CCPA) passed in June 2018 will be enforced from January 1, 2020.
Although the country already has stringent data protections, they are not applicable to every industry and enforcement is inconsistent.
Europe remains concerned about government surveillance in the United States and deficiencies in the mechanism created in the Privacy Shield for U.S. government review of complaints lodged by Europeans against surveillance activities.
The Minister of Innovation, Science and Industry, the Minister of Justice and the Minister of Canadian Heritage were tasked by the Prime Minister to in December to create significant changes to the rules around personal data, literally, “a new set of online rights”.
Kenyan citizens now have the right to know why and how their information is being recorded, stored and handled, and for what specific purpose it will be used.