Section 91 of the Personal Data Protection Bill from an Intellectual Property Law Perspective

Section 91 of the Personal Data Protection Bill states that govt retains the right to interpret some policies for the benefit of the digital economy of India, as long as this does not include the use of personal data that can be used specifically to identify an individual. This article traces the significance of personal data protection bill and personal and Non- personal data. When and how the bill will come into force and how it will affect the Indian scenario is also discussed in the article. The apprehensions regarding the bill are many at the moment, however, innovation and policy design should ensure that user data is given the protection it deserves.


In recent times, one of the biggest scandals of data leak and personal data protection is the Facebook–Cambridge Analytica data breach. In early 2018, millions of details from Facebook users were gathered without their permission to assist skew data for the upcoming elections. The data was gathered by Dr. Aleksandr Kogan, a Cambridge academic, via an app developed in 2013 and consisting of a series of questions to construct user psychological profiles. The app collected not just the personal data of the users who completed the questions, but also of the Facebook friends of the users. Cambridge Analytica sought to sell American voters’ data to electoral candidates and eventually equipped the campaigns of Ted Cruz and Donald Trump with assistance and analytics. The data breach was revealed in 2018 in interviews with The Guardian and The New York Times by Christopher Wylie, a former Cambridge Analytica employee. Besides, Facebook apologized for its involvement in data collection, and in front of Congress, its CEO Mark Zuckerberg testified. [1]

Scams like these show the “breach of trust” that occurs on the internet as our data may be used unethically or to manipulate public opinions on issues of national and international significance. Users are not told of the extent to which their data is used and as a result, our overly public lives become a threat to our security.

Personal Data Protection Bill, 2018

In August 2017, the Supreme Court held that privacy is a fundamental right which, under Article 21 of the Constitution, derives from the right to life and personal liberty. The Court also found out that the protection of personal data and records is an important feature of the right to privacy. In the case of Justice KS Puttuswamy v. Union of India[2], the fact that the existing regime in India is not adequate to deal with a complex data protection scenario was agreed upon by Justice Chandrachud and Justice Kishan Kaul. The Government of India appointed the Shri BN Krishna Committee, according to the judgment, to report on the progress of the data protection regime in India. In its observations, the Committee reiterated the views of Justice Chandrachud and Justice Kaul and held that while the SPD Rules were a novel attempt at data security at the time they were adopted, the pace of the digital economy’s growth made it unavoidable that had over time become evident in certain deficiencies. The Committee, therefore, recommended the establishment of a concrete framework for a data protection law referred to as the Personal Data Protection Bill 2018.

The bill was modeled largely on existing frameworks for protecting privacy in other jurisdictions, including “the GDPR and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. These regulations themselves were based on older frameworks for the protection of privacy that originated in the 1970s. In 1973, a report of the U.S. Department of Health, Education, and Welfare proposed a set of principles that have been adopted in many countries’ privacy frameworks. The “Records, Computers and the Rights of Citizens” report responded to rapid technological developments occurring in the 1970s, specifically computerization and automated processing by government and private firms. Subsequently, the main proposals of the report” (such as no data collection without consent, use limitations, transparency of data processing, and right to correction of data) were adopted by, among others, the Organization for Economic Co-operation and Development.[3]

Personal and Non-Personal Data

Personal data and Non-personal data are distinguished in that, any information that relates to a known or identifiable living person is personal data. Different bits of information that may contribute to the identity of a single person when collected often constitute personal data. Non-personal data, on the other hand, is any data collection that does not include sensitive personal information. In effect, this means that by looking at such details, no entity or living person can be identified.

India’s new data security regime suffers from an interim inability to cope with the increasingly changing world, with automation being an omnipresent phenomenon. Therefore, under the IT Ministry, a committee chaired by Infosys co-founder Kris Gopalakrishnan called for data regulation that would involve the sharing of anonymous or “non-personal” data to assist Indian companies.[4] This committee was created last year and requires data-sharing legislation to transfer the “economic benefits to Indian people and communities” of data as well as to assist the government in policymaking and delivery of services.

Significance of Non-Personal Data in Personal Data Protection Bill

Section 91(2) of the Personal Data Protection Bill allows the central government the power to guide the provision of any non-personal data to any data trustee or data processor. Such directions may be made in consultation with the DPA. The stated purpose for such directions would be to allow the central government to better target the provision of services or to formulate evidence-based policies. The disclosure of such directions made annually by the central government is required by Section 91(3). Section 2(B) of the Bill states that, rather than in the case of anonymized data referred to in section 91, the scope of that law would not apply to anonymized data.[5] It has been suggested, however, that any laws or legislation relating to anonymized or non-personal data should occur as part of the mechanism of that Committee, rather than be included in the proposed Personal Data Protection Act, which has radically different goals and objectives.

As opposed to this, efforts are being made to ensure that the user’s data is not breached by corporations for selling and unauthorized use. The preservation of privacy and personal data is most generally accomplished through the legislative system of regulations, policies, and procedures that reduce the intrusion of the collection, storage, and disclosure of sensitive personal data into individual privacy.

Will Section 91 curb innovation?

To analyze consumer trends, profitability, and/or for other similar purposes, companies and enterprises or data fiduciaries collect and systematically process data. The data fiduciary is known as the agency or person who decides on the means and purposes of data processing. In the description of literary works, these organized data sets or ‘databases’ are included and may be protected under the Copyright Act.

Most large corporations that are known for their unique products and distinguished taste carry with them certain trade secrets known only to founders. For example, the Coca-Cola Company’s Coca-Cola syrup formula, which suppliers mix to make the company’s flagship cola soft drink with carbonated water, is a tightly guarded trade secret. Coca Cola has taken such stringent steps to ensure that its trade secret is locked away in a vault unreachable to anyone else, that it has become the most elucidated example of trade secrets’ business value.

The security given to trade secrets by the terms of the Copyright Act violates Section 91 of the Bill. The data obtained, analyzed, and processed by businesses rewards them with a strategic edge over the rest. It is protected from exploitation by others, regardless of the amount of originality in such a collection. Compelling businesses to provide the government with such data puts potential investment at risk in creating such databases. While raising concerns about Section 91 of the Bill, the National Association of Software and Service Companies (NASSCOM) notes that potential apprehension of compulsory licensing or data acquisition could restrain innovation. It suggests that the clause be eliminated, or adequate protections be added.[6]


The bill imposes restrictions on processing a user’s data.  Under this bill, personal data can only be processed for reasons that are relevant, transparent, and lawful. Besides, all data fiduciaries must pursue certain steps of transparency and accountability, such as the introduction of security protections and the establishment of grievance resolution mechanisms to resolve individual grievances. Given the complex and continuously expanding current India’s condition, which is fraught with problems, rising foreign investment, and development in economics et al., there is an ever-expansion of the digital age, an unparalleled need to update online privacy and data security laws and norms with global programs worthy of the evolutionary times. The new bill is a step in that direction. data protection laws specifically are made to ensure digital autonomy and the free flow of information. The bill clearly states “AND WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress, and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto”. However, its true test lies in its implementation and enforcement of penalties and warnings as and when needed. Every data protection policy must be designed and drawn up in a way that offers as much legal clarity as possible to ensure the greatest protection of individual privacy rights and the protection of personal data, while also encouraging innovation.

Frequently asked questions

  • When was the first draft of the Personal Data Protection Bill released?

The first draft of the Personal Data Protection Bill was released in July 2018.

  • What is Data privacy?

Data privacy shows how data is handled and shared with regards to a third party.

  • What does section 91 say?

It states that govt retains the right to interpret some policies for the benefit of the digital economy of India, as long as this does not include the use of personal data that can be used specifically to identify an individual.

  • When did the Supreme Court of India declare the right to privacy as a fundamental right?

On 24 August 2017, the Supreme Court of India in a historic judgment declared the right to privacy as a fundamental right.


Leave a Reply

Your email address will not be published. Required fields are marked *