With the rapid growth and advancement in technology, concerns over the data privacy of users have also been rising. Due to the increasing cases of data leakage on social media sites like Facebook, there was an urgent need to regulate the personal data of such users and to protect them from possible infringements. The Personal Data Protection Bill 2019 is a much-needed step in that direction.
This article aims to discuss the background in which the bill was introduced in the Parliament, and also mentions the chapter-wise provisions of the proposed Act.
- Robust: strong and healthy
- Regime: a system or ordered way of doing things
- Deliberation: long and careful consideration or discussion
- Erasure: the removal of writing, recorded material, or data
The Personal Data Protection Bill, 2019 was first introduced in the Parliament on 11th December 2019 by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad. It is divided into XIV Chapters and 98 Sections. According to the bill, its main aim is
“to provide for the protection of the privacy of individuals relating to their data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in the processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and to establish a Data Protection Authority of India for the said purposes and matters connected therewith or incidental thereto.”
In the matter of Justice K.S. Puttaswamy and another vs. Union of India, a nine-Judge Constitutional Bench of the Supreme Court declared “privacy” as a fundamental right under Article 21 of the Constitution. Subsequently, on 26th September 2018, a five-Judge Constitutional Bench of the Supreme Court, while delivering its final judgment in the above case, impressed upon the Government the need to bring out a robust data protection regime.
Therefore, the Government on 31st July 2017 constituted a “Committee of Experts on Data Protection” chaired by Justice B.N. Srikrishna to examine the issues relating to data protection. The said Committee examined the issues on data protection and submitted its Report on 27th July 2018.
Based on the recommendations made in the said Report and the suggestions received from various stakeholders, the Personal Data Protection Bill, 2018 was presented by the committee. After deliberations and revisions, the final draft, i.e., the Personal Data Protection Bill 2019, was introduced in the Lok Sabha. Thereafter, it was referred to a Parliamentary Standing Committee for further analysis in consultation with various stakeholders. The report of the standing committee was to be submitted by the first day of the last week of Budget session 2020, but it was extended up to the second week of the Monsoon session 2020, which has again been extended to the second week of the Winter session 2020.
- Chapter I covers three sections. According to section 2, the Bill governs the processing of personal data by (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Section 3 contains definitions of certain important terms like “biometric data”, “data”, “data fiduciary”, “data principal”, etc. Moreover, it categorizes certain “personal data” as “sensitive personal data”, which includes financial data, sex life, sexual orientation, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, to name a few.
- Chapter II is concerned with the obligations of the data fiduciaries. It lays down that the personal data shall be processed for a clear and lawful purpose and that every person processing that data shall do so in a just and fair manner, and only for the purposes consented by the data principal. It also mandates the data fiduciary to give notice to the data principal for the collection or processing of data. Further, it puts restrictions on the retention of such data and makes the data fiduciary accountable for complying with the provisions.
- Chapter III of the bill specifies grounds for the processing of personal data without consent. These include (i) performance of any state function for the benefit of the individual, (ii) legal proceeding, (iii) medical emergency, (iv) for matters related to employment (except sensitive personal data), and (v) other “reasonable purpose” as specified in section 14.
- Chapter IV deals with the personal data and sensitive personal data of children. According to it, the data can be processed only if it is in the best interest of the child, and also requires the fiduciary to obtain the consent of the parents or guardians of such children.
- Chapter V lays down the rights of the data principal. These include (i) Right to confirmation on whether data is processed, and to have access to the identities of fiduciaries with whom such data is shared, (ii) Right to correction and erasure of personal data, (iii) Right to have personal data transferred to any other data fiduciary in certain circumstances (right to data portability), and (iv) Right to restrict or prevent the continuing disclosure of his data by a data fiduciary in certain circumstances (right to be forgotten).
- Chapter VI puts an obligation on the data fiduciaries to take certain transparency and accountability measures, like preparing a privacy by design policy; taking necessary steps to maintain transparency in processing personal data and making such information available as is mentioned in section 23 sub-section (1); implementing security safeguards (such as data encryption and preventing misuse of data); undertaking a data protection impact assessment in certain cases; instituting grievance redressal mechanisms to address complaints of individuals; and maintenance of records, etc. It is further provided in section 26 sub-section (4) that the central government can notify any social media intermediary as a “significant data fiduciary” if it has users above a certain threshold, or if its actions have a significant impact on electoral democracy, the security of the State, public order or the sovereignty and integrity of India.
- Chapter VII puts certain restrictions on the transfer of personal data outside India. Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, certain personal data notified as “critical personal data” by the government can only be processed in India.
- Chapter VIII empowers the central government to exempt any of its agencies from the provisions of the bill in the interest of sovereignty and integrity of India, the security of the State, public order; or for preventing incitement to the commission of any cognizable offense relating to sovereignty and integrity of India, the security of the State, or public order. The processing of personal data is also exempted for certain purposes such as (i) prevention, detection, investigation, or prosecution of any offense, (ii) necessary for the exercise of any judicial function, or (iii) journalistic purposes. However, such processing must be for a specific, clear, and lawful purpose, with certain security safeguards.
- Chapter IX sets up a “Data Protection Authority of India”, whose duty shall be “to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection”. The chapter lays down in detail the composition, qualifications for appointment, term of appointment, and the powers and functions of the authority.
- Chapter X provides for penalties and compensation for contravening certain provisions, or in case any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter V, or fails to comply with a direction or order issued by the Authority, etc. It also empowers the Authority to appoint an “Adjudicating Officer” to adjudge the penalties to be imposed and the compensation to be awarded.
- Chapter XI authorizes the central government to establish an “Appellate Tribunal” to hear and dispose of any appeal from an order of the Authority or the Adjudicating Officer. It also lays down that the orders passed by the tribunal shall be executable as a decree of a civil court. Further, appeals from the tribunal’s orders shall be made to the Supreme Court.
- Chapter XII relates to finance, accounts, and audits. It provides for, inter alia, the constitution of a fund called the “Data Protection Authority Fund”.
- Chapter XIII deals with the offenses under the bill. These include reidentification and processing of de-identified personal data without the consent of such data fiduciary or data processor. It also clarifies that “offense punishable under this Act shall be cognizable and non-bailable”. Further, it provides for offenses by the companies under section 84 and offenses by the state under section 85.
- Chapter XIV deals with miscellaneous provisions.
The introduction of the Personal Data Protection Bill 2019 is a welcome step for the protection of personal data of individuals. It takes a progressive approach as it classifies information relating to transgender status, religious beliefs, sex life, intersex status, etc. as sensitive personal data.
Moreover, it establishes a Data Protection Authority of India and also provides for penalties in cases of non-compliance with the provisions. Thus, it sets up a clear grievance redressal mechanism for protecting the interests of data principals.
However, some critics argue that it leads to government surveillance of citizens. It is still under consideration by the standing committee, which will submit its report in the upcoming session of the Parliament.
 WP 494 of 2012