PERSONAL DATA PROTECTION BILL, 2019

Personal Data Protection Bill: An Analysis

Khushi Lunawat

The Constitution of India provides the right to privacy referred in Article 21, as a requirement of the right to life and personal liberty and is also now recognized as a fundamental right. It is a complex term that needs to be explained. Pursuant to the Indian Constitution, the scope of Article 21 is multidimensional. Tort law, criminal law and property law also recognize the right to privacy. There were some cases where privacy was required to be a fundamental right but it was never recognized as one. In M.P. Sharma v. Satish Chandra, the judgment made it clear that privacy has to go with lots of struggles before becoming as one of the fundamental rights. However, in K.S. Puttaswamy v. Union of India it was recognized as a fundamental right.

Data can be narrowly divided into two types: personal and non-personal data. Personal data relates to the features, characteristics or attributes of identification that can be used to identify a person. Non-personal data contains aggregated data that cannot be classified by individuals. For example, although the location of the vehicle would constitute personal data; information extracted from the location of several vehicles, which is sometimes used to analyses traffic flow, is non-personal data. Data security refers to policies and practices aimed at mitigating the privacy of individuals caused by the collection and use of their personal data.

In Puttuswamy case, it was argued that informational privacy is a facet of the right to privacy. In that judgement, the Union Government was further directed to explore the need for a comprehensive data protection system, balancing individual interests and legitimate state concerns. The Government responded by setting up a Committee of Experts headed by Justice B.N. Sri Krishna to research various issues related to data protection in India and to propose a Draft Data Protection Bill. In September 2019, MeitY also set up an expert committee under the chairmanship of Shri Kris Gopalakrishnan (Co-founder of Infosys) to make recommendations on the governance framework for non-personal data. The Committee submitted its report, along with the draft Personal Data Protection Bill 2018, to the Ministry of Electronics and Information Technology in July 2018. The Statement of Objects and Reasons of the Personal Data Protection Bill 2019 states that the Bill is based on the recommendations of the Expert Committee’s report and on the feedback received from various participants.

Why is there a need for such kind of Legislation?

Data has been referred as a new kind of oil and in this tech-growing world, the protection of data has became the matter of utmost importance. Data breaches are happening now and then and there is highly a requirement of a strict legislation for the protection of the same. This bill also obliges the data fiduciary to process the data of users with utmost care and failure to do so will call for compensation. Although this bill gives arbitrary power to the government as they can exempt any of the agencies from the provisions of the act by a mere notification, if the national security and sovereignty is in danger. Hence, even if this bill has some flaws but after all it protects the privacy of the individuals and this initiative of the government will always be regarded as the best initiative to protect citizens fundamental right to privacy.

Salient Features of this Bill

  1. The PDP Bill seeks to improve data handling and data protection in a manner close to the GDPR of the European Union.
  2. The PDP Bill calls for the establishment of a Data Protection Authority (DPA) similar to the organizations formed by the members of the European Union and specifies the categories of sensitive personal data to be covered.
  3. PDP Bill describes ‘data fiduciary’ and prescribes different responsibilities for them as to how they are to collect, process and maintain personal data. They shall be held responsible for complying with the duties relating to the collection of personal data performed by or on behalf of them.
  4. If the PDP bill falls into effect, companies will have to notify users about their data collection activities and obtain the approval of their customers. They will have to gather and store evidence that such a notice had been issued and that consent had been granted. PDP Bill grants customers the right to revoke their consent, and as such companies will have to set up processes to allow consumers to withdraw their consent.
  5. The PDP Bill gives customers the right to view, correct and remove their data after the same has been processed for the reason for which it was intended. As such, companies will have to build ways of allowing customers to do so.
  6. The PDP Bill allows customers to move their data, and any inferences made by businesses on the basis of those data, to other companies. Both businesses will have to build ways of enabling customers to do this.
  7. The PDP Bill allows all companies to make operational improvements to better protect data. This includes the Privacy-by-Design Principles (an approach in which privacy is a key consent)
  8. The PDP Bill provides for data localization requiring businesses to store certain categories of date only in Indian servers. In this regard, it establishes a three-tiered structure as follows:

A. Personal data: Localization or data transfer restrictions do not apply to personal data that is not considered “sensitive” or “critical.” This type of personal data may be stored entirely outside of India and no transfer restrictions would apply.

B. Sensitive personal data: “sensitive personal data” may be transferred outside of India, but such data shall continue to be stored in India. Sensitive personal data includes “special categories of personal data” including data relating to health, religion, sex life, political beliefs, biometric, genetic, finance etc. Notably, passwords have been removed from the definition.

C. Critical personal data: The Bill permits the Government to define certain personal data as “critical personal data” which can’t be transferred outside India. However, the Bill permits transfers to countries or organizations deemed to provide an adequate level of protection (where the State’s security or strategic interests will not be prejudiced).

  1. The PDP Bill provides for a right to be forgotten which enables the Data Principle to limit or prevent the continued disclosure of its personal data by a data trustee where such disclosure (a) has served the purpose for which it was collected or is no longer required for that purpose; (b) has been made with the consent of the data principal and has since been withdrawn; or (c) has been made with the consent of the data principal; infringement of any personal data processed by them where such infringement is likely to cause harm to any principal data.
  2. ‘Significant data fiduciaries’ would have new responsibilities under the Bill, such as performing data audits and naming data security officers. The bill empowers the central government to designate any social media intermediary (allowing contact between 2 or more individuals like Facebook) with users above the threshold that may be notified as a significant data fiduciary.
  3. The PDP Bill gives the central government immense powers to exclude every government agency from the implementation of the Act.
  4. Pursuant to Section 91 of the PDP Bill, the Government can access any anonymized or non-personal personal data from data trustees and processors. The Government can also require companies to share useful non-personal data (such as aggregate mobility data obtained by applications such as Google Maps or Uber) with the Government. The bill is silent as to whether companies will be compensated for their losses.
  5. Limited powers of Data Protection Authority in comparison with the Central Government – In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example: (i) In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so. (ii) Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.
  6. Punishment of fines for non-compliance-The PDP Bill gives the DPA the power to fine any company that does not comply with the law or regulations made by either the DPA or the Government. The maximum amount of fines that can be levied is 150 million Indian rupees (about $2.1 million) or 4 per cent of the company’s global revenue in the preceding financial year.

The Personal Data Protection Bill, is a welcoming step for a new data protection regime but it is also a diluter of fundamental right to privacy. The Bill lacks many necessary safeguards that are needed to protect the right to privacy. Not only is this problematic since the proposed framework is unlikely to protect privacy adequately, but the PDP Bill also significantly, dilutes right to privacy and increases State power to surveillance without creating adequate checks and balances. Hence, this bill needs some more changes before becoming an act.