Draft Personal Data Protection Bill – Explained, pointwise

ForumIAS announcing GS Foundation Program for UPSC CSE 2025-26 from 10th August. Click Here for more information.

For 7PM Editorial Archives click HERE
Present Status: Bill was withdrawn to introduce comprehensive legislation.

After almost two years of deliberation and scrutiny, the Joint Committee of Parliament on the Personal Data Protection Bill, 2019 has finalised its recommendations and is the Bill likely to be tabled in the upcoming winter session of Parliament. The committee, headed by P P Chaudhary, suggests a two-year period before operationalising the Data Protection law. The bill has seen several changes to the original draft drawn by retired Supreme Court Justice B N Srikrishna.

The Personal Data Protection Bill seeks to usher in a data governance architecture in India that fills an existing void in the institutional framework. It seeks to put in place safeguards to protect personal data, ensure privacy, and bring about transparency and accountability in data management.

About the draft Personal Data Protection Bill, 2019
Data protection
Source: IE

Personal data definition: The Bill defines ‘personal data’ as any information which renders an individual identifiable. Also, it defines data ‘processing’ as collection, manipulation, sharing or storage of data.

Territorial applicability: The Bill includes the processing of personal data by both government and private entities incorporated in India, and also the entities incorporated overseas if they systematically deal with data principals within the territory of India.

Grounds for data processing: The Bill allows data processing by fiduciaries if consent is provided by the individual.

Sensitive personal data: Sensitive personal data defined in the Bill includes passwords, financial data, biometric and genetic data, caste, religious or political beliefs. The Bill specifies more stringent grounds for the processing of sensitive personal data, such as seeking explicit consent of an individual prior to processing.

Data Protection Authority: The Bill provides for the establishment of a Data Protection Authority (DPA). The DPA is empowered to 1. Draft specific regulations for all data fiduciaries across different sectors, 2. Supervise and monitor data fiduciaries.

Cross-border storage of data: The Bill states that every fiduciary shall keep a ‘serving copy’ of all personal data in a server or data centre located in India.

Transfer of data outside the country: Personal data (except sensitive personal data which is ‘critical’) may be transferred outside India under certain circumstances.

What are the key recommendations of the Joint Committee on the Personal Data Protection Bill?

-Favours widening the ambit of the personal data protection bill, bringing in non-personal data under its scope.

Social media platforms: Bringing all social media intermediaries under the ambit by re-designating them as social media platforms. While the committee has suggested all social media platforms (which do not act as intermediaries) be treated as publishers.

A regulator should be set up along the lines of the Press Council of India to regulate social media companies. A mechanism may be devised for social media platforms to be held accountable for content coming from unverified accounts.

Note: The panel said that though social media (SM) platforms were designated as intermediaries under the IT Act, the law failed to regulate the SM platforms adequately.

-Consider an individual’s ‘right to be forgotten’ by clarifying the responsibilities of data fiduciaries, but it also noted that this may depend on available technology and practicability of applications.

Create an alternative to the SWIFT system of funds transfer: 1. Ensure privacy and avoid instances of breaches by Chinese lending apps in India, 2. Boost domestic economy.

-Ensure that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time-bound manner.

-Additional compliance for companies that deal exclusively with children’s data, by asking them to register with the Data Protection Authority.

Inclusion of hardware manufacturers: Bill favours bringing in data collection by electronic hardware under this law. The committee dismisses the difference between electronic hardware and software.

Formal certification process for all digital and IoT devices (sensors, gadgets) to ensure their integrity by setting up labs throughout the country.

-Centre “must ensure data localisation clauses are followed in letter and spirit by all local and foreign entities, and India must move towards data localisation gradually”.

Why does India need a Data Protection law?

Amid the proliferation of computers and the Internet, consumers have been generating a lot of data, which has allowed companies to show them personalised advertisements based on their browsing patterns and other online behaviour.

Companies began to store a lot of these datasets without taking the consent of the users and did not take responsibility when the data got leaked. To hold such companies accountable, a Personal Data Protection law is needed.

What are the concerns associated with the draft bill?

Issues with Sections 35 and 12: Under Section 35, the Centre can exempt any agency of the government from the application of all provisions of the Act; when it is deemed to be in national and public interest.

Similarly, Section 12(a)(i) creates the space to exempt the government from provisions of consent, allowing it to collect personal data without individual approval. These blanket exemptions is a cause of concern.

Ambiguity regarding data localisation: The bill makes a concerted push towards data localisation. But whether or not it will be implemented in a graded manner, depending on the sensitivity of data, is unclear.

Absence of a comprehensive surveillance framework: The bill does not have provisions for the creation of an oversight mechanism. The Data Protection Authority had been entrusted with a wide variety of functions, ranging from standard-setting to adjudication. This will end up “overburdening” the architecture.

Powers and functions of the Data Protection Authority: Enforcement of penalties and compensation orders of the DPA does not require a court order. The Bill does not specify that a court order would be required for the enforcement actions.

Read more: Issue of privacy and Personal Data Protection Bill 2019
What should India do to ensure data protection?

The data regulator plays a crucial role between all vested stakeholders that is citizens, businesses and the government themselves. So, the functional and structural independence of the data regulator should be a key aspect of the implementation of the bill.

There should be a statutory media regulatory authority to regulate the content of such media irrespective of where their content is published — online, print or otherwise.

Suggestions to improve committee recommendations

-Non-personal data has mainly a business dimension and is commercially critical for firms. With India’s internet economy taking off, the government should not club personal data and non-personal data.

-The committee recommended that individuals have to be alerted to a data breach of any entity collecting their data. But it has to be automatic and unconditional to help victims take precautions such as changing passwords.

-Data captured by electronic hardware should clarify whether the data include data generated by a company’s internal functions or not.

Data protection is a must in the age of digital era. With the right to privacy being a fundamental right and the recent rise in risks to the privacy of individuals, data protection law is the need of the hour. Parliament must scrutinise the issues in greater detail, tighten the framework, and move quickly to usher in a data protection architecture in India.

Print Friendly and PDF