Adwitia Maity, Department of Law, University of Calcutta
Sheetal Sharma, Faculty of Law, University of Delhi
Shivangi Khattar, Jim's School of Law, IP University
Shivangi Mugdha, NMIMS Kirit P Mehta School of Law Mumbai
Editor : Sheetal Sharma, Faculty of Law, University of Delhi
In May 2018, the European Union effectuated the General Data Protection Regulation, to meet the various requirements of protection and privacy of data across the Union. Thereafter, India started taking initiatives to formulate a data protection regime on the lines of the GDPR. A Committee of Experts on Data Protection Framework was appointed by the Indian Government, which submitted a report in July, 2018.
In December 2019, the Personal Data Protection Bill was introduced before the Indian Parliament. The main object of this proposed legislation is to protect the private data of individuals and to formulate institutions for the same purpose. While this bill does finally address the need for a legislation centring data protection in India, it has also been heavily criticised for not addressing the same in a manner which was necessary.
In this regard, mention may be made of the Personal Data Protection Bill, 2006. This Bill was loosely based on the European Union Data Privacy Directive of 1996, and aimed at providing a comprehensive framework for collecting, processing as well as distributing personal data. Thereafter, in 2011, the Government of India came up with the Privacy Bill which was an improvised version of the previous proposition and tried address the crucial aspects of collection, processing, storage and disclosure of personal data.
The 2019 Bill was built upon these precursors. In 2017, Right to Privacy was declared to be a fundamental right under Article 21. The report which was submitted by the Committee of Experts didn’t provide a detailed analysis of the financial impacts of adopting such a data protection regime. Therefore, it is absolutely necessary for the Government to consider the impact that the adoption of the Data Protection Bill will have on the economy of the country.
However, the various vital aspects that have been covered by this Bill are those of obligations of the data fiduciaries, rights of individuals and data principals, aspect of data processing without consent, transference of data outside India and the Data Protection Authority.
Overview of the Bill
The Personal Data Protection Bill as introduced in Lok Sabha, protecting the privacy of an individual and ensuring the free flow of the economy is applicable on: personal data processed within the territory of India, by the State, Indian Company, any citizen of India or body of persons incorporated under Indian Law. The bill is not restricted to the territorial boundaries of India and thus also makes it applicable on data processed by data fiduciaries or data processors not present within the territory of India if the data processing is in connection with a business/ activity carried out in India.
It also gives an exception processing of anonymised data but a special power has been given to the government which presents the government as omnipotent who can direct any data fiduciary to provide any personal anonymised or non- personal data.
Personal Data as defined under Section 3 of the bill: “personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.”
The bill provides a detailed chapter on the obligations of data fiduciary to ensure protection of privacy of data principal. The data should only be processed in a lawful manner and with the full (free and clear) consent of the data principal explaining the purpose. And the data shall not be stored after the purpose is complete. The data principal also has right to withdraw his consent. It is the duty of data fiduciary to ensure that the personal data is updated and if the personal data is being shared with other data fiduciaries, the data principal has a right to be notified about it.
The bill distinguishes between personal data and sensitive personal data of children and provides guidelines as to how to personal data of children should be treated with sensitization.
The data principal has been given some rights under the bill to collect the information regarding his data through data fiduciaries. He can confirm, whether his data has been processed or not by the data fiduciary and can ask for corrections, completion, updating and erasure his data.
Even though these rights are provided to the data principle, it is the duty of each and every data fiduciary to take relevant measures in order to protect the personal data of individual. In case any breach of data occurs during processing which can cause harm to the individual, that breach shall be reported to the authority by giving a notice. Every data fiduciary shall have effective mechanism to redress the grievances.
There are some exemptions provided in the bill through which data can be transferred outside India. The Central government has been given powers under which it can exempt any agency of the government from the application of this bill when it is in the interest of sovereignty and integrity of India, security of the state, friendly relations with the foreign states, public order and to prevent any incitement to the commission of any cognizable offences.
Chapter IX of the bill lays down that for the protection of personal data an authority can be established which is called as “Data Protection Authority of India”. Section 42 of the bill provides that authority shall consist of a chairperson and not more than six whole time members, of which one shall be the person having qualification and experience in law. The chairperson and members of the authority are selected by the Central government on the recommendations made by the selection committee.
Bill also imposes penalties and ask data fiduciaries to pay compensation if they contravene certain provisions of the bill or fail to comply with the request of the data principal, the orders issued by the authority or to furnish.
Chapter 11 of the bill talks about the establishment of the Appellate Tribunal which shall consist of a chairperson and the appointed members with at least 10 years' expertise in the field of data protection and information technology to hear and dispose of cases arising from various sections of the bill. The tribunal shall not be bound by the process laid down by Code of Civil procedure, 1908 but shall be led by the principles of natural justice.
Clauses 78-79 talk about a fund dedicated to the bill called the Data Protection Authority Fund to which the Central Government may send funds and all the sums received by the Authority from any source as may be decided upon by the Central Government.
It further says that any person who, knowingly or intentionally re-identifies personal data which has been de-identified shall face imprisonment for a term not exceeding 3 years or with fine which may extend to 2 lakh rupees or both. Any act which is punishable under this bill shall be cognizable and non-bailable.
Section 91 of the Bill enables “the Central Government to require Data Processors or Data Fiduciaries to provide it with anonymized Personal Data, or other non-personal information (which was expressly excluded from the scope of the Draft Bill) to enable the targeting or delivery of services, or the formulation of evidence-based policies. The provision does not provide for any form of compensation or remuneration for such data. It also reaffirms the right of the Central Government to formulate policies for the digital economy to the extent that such policies do not govern personal data. This is particularly relevant because of the proposed E-Commerce Policy”.
The bill has looked into some important concepts such as consent, protection, and keeping of personal data, reasonable apprehension to such data, reasonable purpose, consent while processing personal data.
While it has paid attention to mix in itself some of the most important features of law concerning protection of privacy rights of data principle it has also relaxed some of the stringent laws found in the 2018 bill.
Remembering the developing need of the advanced economy, having an administrative sandbox set up might be the need of great importance, be that as it may, giving the administration unregulated and expansive forces to exclude government organizations from the arrangements of the 2019 Bill for specific conditions may nullify the point of the 2019 Bill and endanger a person's fundamental right to security.
 Article 12 of Indian Constitution, 1949  Section 3(13) of PDP,2019  Section 3(15) of PDP,2019  Department of Industrial Policy and Promotion, Draft National E-Commerce Policy, February 23, 2019.