The right to privacy is a fundamental human right that has been expressed in various international laws and reiterated in the case of Justice K.S. Puttaswamy v. Union of India.[1] Protection of personal data is an essential aspect of this right, and many countries have laid down specific laws concerning it. For India, it is the Personal Data Protection Bill, introduced on December 11, 2019, which contains laws and rules setting out people’s rights over how their data is processed. As India is on its way to achieving “Digital India” status, protection of personal data becomes much more relevant, as many different entities process people’s information and this increases the vulnerability of the data principal.
Nearly all companies across India’s economy, including foreign companies holding personal data of individuals in India, would have to follow the terms of the bill. These cover not only e-commerce, social media and IT businesses, but also stores, real estate businesses, hospitals, and pharmaceutical firms. The only exceptions are “small entities”, where individual merchants and enterprises manually gather information and satisfy conditions in the bill.[2]
Personal Data and Sensitive Data
Personal data is data that directly or indirectly identifies a person. This includes data relating to characteristics, traits or other features, including in combination, that can help identify a person.[3]
In Chapter III, personal data is further divided into sensitive data, which is defined in Section 3(36) of the bill. It includes passwords, financial data, health data, official identifiers, genetic data, biometric data and more.[4] Section 15 of the bill defines other kinds of sensitive data, such as data that can cause harm to the data principal if processed and data for which confidentiality is expected.
Sensitive data can be processed in the following situations:
I) Explicit consent of the data principal
II) Certain functions of the state
III) In compliance with the law, court/tribunal
IV) For immediate action such as a medical emergency.
The bill covers the processing of sensitive data of children, barring data fiduciaries from profiling, tracking, or behavioural monitoring of children, as well as targeted advertising and any other processing that can cause significant harm to the child.[5]
Rights of Data Principal
The Bill also lays down the rights of the data principal, in Chapter V:
- Consent of the data principal is an essential part of the bill. Consent must be received by providing the data principal sufficient detail about the forms of data to be gathered and the reasons for which it is gathered.[6]
- Right to confirmation and access (Section 17), which includes the right to enquire whether the data has been processed or not and to obtain a summary of the data processed or being processed. The section also states that the information should be provided in a clear, concise and comprehensible manner.
- Right to correction (Section 18) of inaccurate or misleading data, completion of incomplete data and updating of out-of-date data. The data fiduciary must take reasonable steps to notify the correction to all relevant entities to which the data is disclosed. If the data fiduciary denies such a correction, an adequate justification has to be given.
- Right to data portability (Section 19), i.e. to receive the personal data and to transfer it to another data fiduciary.
- Right to be forgotten (Section 20). The data fiduciary has the right to prevent the continuing usage of data or restrict it if there is withdrawal of consent, the purpose has been served, or the usage is contrary to any law.
The exercise of these rights is subject to further conditions, which are explained in Section 21 of the bill.
Offences
Chapter XIII of the bill explains offences under the bill. Under Section 83, any offence under the bill shall be non-bailable and cognizable. The offences include processing or transferring personal data in violation of the Bill, failure to conduct a data audit, and re-identification and processing of de-identified personal data without consent, which is punishable with imprisonment of up to three years, or fine, or both.
Data Protection Authority
Chapter IX of the bill establishes the Data Protection Authority (DPA), and this is one of the major features of the bill. The DPA gains the power to establish specific additional legal requirements. It would also have the authority to define regulatory requirements such as age and consent authentication processes, notification and consent processes and formats, and data security compliance and accountability measures, and to enforce fines for legal violations.[7]
It should be noted that, unlike many other committees, the DPA doesn’t have part-time members on the board, i.e. outside experts, which has drawn significant criticism; however, one of the members of the board should be a person qualified in law.[8]
Exemptions
The bill allows exemptions for the government and its agencies in various interests, but such processing should be for lawful purposes only:
- in the interest of the security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states, and
- for preventing incitement to the commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters.
- prevention, investigation, or prosecution of any offence, or personal, domestic, or journalistic purposes.
The new bill adopts a robust preventive mechanism which applies to varied data collection and usage. It imposes a range of responsibilities for companies that gather and use customer data and establishes customer data-related protection. Because the law forbids the processing of any personal data without meeting such requirements, it would protect small grocery stores with fairly uncomplicated data collection methods, as well as businesses employing advanced machine-learning systems and massive data sets.
The bill isn’t without its faults, and there is a lot of vagueness and criticism on various issues regarding it. Privacy critics contend that giving these exceptions to the executive compromises the adjudicative control of the Data Protection Authority.[9] In the words of Udbhav Tiwari (Policy advisor to Mozilla), “This latest bill delivers real privacy in regards to processing by companies. But (it) is a dramatic step backwards in terms of processing and surveillance by the government”.[10]
It is an undeniable fact that the PDP bill is an ambitious attempt that will have a huge impact once it is passed. Only time and judgments based on the same will tell how effective the bill will be.
References:
[1] (2017) 10 SCC 1
[2] Anirudh Burman, Suyash Rai (March 9, 2020), What Is in India’s Sweeping Personal Data Protection Bill?, https://carnegieindia.org/2020/03/09/what-is-in-india-s-sweeping-personal-data-protection-bill-pub-80985
[3] Section 3 (29), PDP Bill, 2019
[4] Section 3 (36), PDP Bill, 2019
[5] Section 16, PDP Bill, 2019
[6] Section 11, PDP Bill, 2019
[7] Anirudh Burman (March 9, 2020), Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth?, https://carnegieindia.org/2020/03/09/will-india-s-proposed-data-protection-law-protect-privacy-and-promote-growth-pub-81217
[8] Smriti Parsheera, Regulatory governance under the PDP Bill: A powerful ship with an unchecked captain?, https://www.medianama.com/2020/01/223-pdp-bill-2019-data-protection-authority/
[9] Economic Times (December 11, 2019), Personal Data Protection Bill: Exemptions for government agencies worry experts.
[10] Ibid