‘Privacy’ has become a hot topic of discussion in recent times. This is particularly so in light of rapid digitisation and gross breaches of individuals’ privacy by organisations that collect and process personal data to benefit themselves. India has not, as such, had any data privacy legislation. In 2017, the need for privacy legislation was expressed in the Puttaswamy judgment[1]. For privacy laws, we have so far relied on the IT Act, 2000, which doesn't meet present-day needs. Initially, the Central Govt. introduced the PDP Bill in 2018, which was then passed on to the “Justice BN Srikrishna committee” for examination. But owing to a few shortcomings in the Bill, it was shelved. In 2019, the legislature introduced a fresh bill with quite a few changes. The purpose of this Bill is to provide for the protection of the privacy of individuals in relation to their Personal Data, and to establish a Data Protection Authority of India for those purposes and for matters concerning the personal data of an individual. The 2019 Bill[2], inter alia, prescribes the manner in which personal data is to be collected, processed, used, disclosed, stored and transferred.
The Bill proposes to protect Personal Data relating to the identity, characteristics, traits or attributes of a natural person, and Sensitive Personal Data such as financial data, health data, official identifiers, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political beliefs.
The Salient Features of the Bill are as follows:
- Personal data: Data from which an individual can be identified, like name, address etc. The Bill requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions, including approval of a Data Protection Agency (DPA).
- Sensitive personal data: Some types of personal data, such as financial information, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
- Critical personal data: Anything that the government at any time can deem critical, such as military or national security data. Critical personal data must be stored and processed in India.
- The Bill removes the requirement of data mirroring (in the case of personal data). Data mirroring means the act of copying data from one location to a storage device in real time.
- The Bill mandates fiduciaries to provide any non-personal data to the government or the concerned authority when asked. Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
- The Bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data, to develop their own user verification mechanism. This is intended to decrease the anonymity of users and prevent trolling.
- The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
- The Bill calls for the creation of an independent regulator, the Data Protection Authority, which will oversee assessments, audits and definition making.
- Each company will have a Data Protection Officer (DPO) who will liaise with the DPA for auditing, grievance redressal, record maintenance and more.
- It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
- It provides for the right to be forgotten. With historical roots in European Union law, namely the General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
- The Bill states the penalties as: Rs 5 crore or 2 percent of worldwide turnover for minor violations, and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations. The company’s executive-in-charge can also face jail terms of up to three years.
There are certain areas of the Bill which don’t seem to be in accordance with what was laid down by the SC in the Puttaswamy judgment. The Expert Committee’s draft Bill allowed exemptions in the interests of national security when authorised by a law enacted by Parliament, as long as it satisfies the internationally recognised principles of necessity and proportionality. Under Section 35 of the PDP Bill, by contrast, a simple executive order of the Central Government authorising any agency to process personal data can allow that agency to conduct surveillance with no clear safeguards. Given that the Expert Committee[3] recommended that such exemptions be made only by law, this alteration seems like an attempt to dilute the privacy rights of individuals.
When we look at the GDPR, on which the PDP Bill is essentially based, it can be seen that the GDPR offers European Union (EU) member states similar escape clauses. However, these are tightly regulated by other EU directives. Without similar safeguards, India’s Bill potentially gives India’s Central Government the power to access individual data over and above the prevailing Indian laws.
The Personal Data Protection Bill, 2019 will have huge commercial and political consequences for India. The Bill establishes a number of conditions for top companies to follow, and for large international tech firms that wish to operate in Indian territory. For one, it would require digital firms to obtain permission from users before collecting their data. It also declares that users who provide data are, in effect, the owners of their own data. This has major implications, suggesting that users are able to control the data their online selves produce, and may request firms to delete it, just as European internet-users are able to exercise a right to be forgotten and have evidence of their online presence removed.
Aside from the controversy surrounding the Aadhaar programme, the most recent indication of the Indian government’s casual treatment of its citizens’ privacy was the Aarogya Setu contact-tracing app, developed to track the spread of the COVID-19 pandemic. The government first made the app mandatory, but reactions from opposition parties and civil-society groups forced it to make the app optional. Technology experts have criticised the app for its apparently wanton data collection and its lack of adequate data protection measures.
The Personal Data Protection Bill outlines the establishment of a Data Protection Authority (DPA), which will be charged with managing data collected by the Aadhaar programme. It will be led by a chairperson and six committee members, appointed by the central government on the recommendation of a selection committee. But this committee will be composed of senior civil servants, including the Cabinet Secretary, raising questions about the board’s independence. The government’s power to appoint and remove members at its discretion also stokes fears about its ability to influence this ostensibly independent agency. Unlike similar institutions, such as the Reserve Bank of India or the Securities and Exchange Board, the DPA will not have an independent expert or member of the judiciary on its governing committee. The UIDAI, for its part, has a chairperson appointed by the central government and reporting directly to the Centre.
Conclusion
While the PDP Bill may be a welcome step in establishing a data protection regime, it is fraught with various provisions that dilute the fundamental right to privacy. The Bill also significantly dilutes the right to privacy and increases State power of surveillance without creating adequate checks and balances. Under Section 35 of the Bill, the Central Government has the power to exempt any agency of the State from the application of the Act. Obligations like fair and reasonable processing and implementation of security safeguards should continue to apply even to exempted government agencies.
The Bill is, as of now, tabled before the Standing Committee under the Chairmanship of Smt. Meenakshi Lekhi, whose report on it was sought by the end of the first week of the second part of the Budget Session 2021. But several members of the Committee, including the Chairman, have been inducted as Cabinet Ministers, which means they cease to be members of the Committee. Vacancies in the Committee will be filled either by appointment or election in the House, or by nomination by the Speaker of the House.
Reference
- http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf
- https://prsindia.org/billtrack/the-personal-data-protection-bill-2019
- https://www.pwc.in/consulting/cyber-security/data-privacy/personal-data-protection-bill-2019-what-you-need-to-know.html
- http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1
[1] K. Puttaswamy v. Union of India (2017) 105 SCC 1