In this interconnected, information-rich, and data-affluent world, access to
data by government authorities and other organizations is fundamental, but the
mechanism for seeking and securing this data should be intact and transparent
to ensure proper national security outcomes. Since the nature of such data is
highly sensitive, digital protection of the right to privacy is indispensable
in this dynamic digital world.
The Personal Data Protection Bill, 2019 is one of the finest and most
revolutionary attempts to codify the law on data security and data protection.
The Bill proposes to protect Personal Data relating to identity,
characteristics, traits, etc., and Sensitive Data such as health data, sexual
orientation, biometric data, etc. The Bill provides for the formation of the
Data Protection Authority of India to prevent misuse of personal data and
promote awareness about data protection. It also attributes rights to Data
Principals and imposes obligations on Data Fiduciaries.
The Right to Privacy is recognized by the Supreme Court of India as a
Fundamental Right[1] in the Justice K. Puttaswamy case.[2]
In 2015, the Supreme Court in the Aadhaar Card case[3] held that the Aadhaar
Scheme of the Government of India, under which it collects, and compels the
residents of India to provide, biometric and other personal data which may be
used for various purposes, would amount to a violation of the Right to Privacy.
Thereafter, the Supreme Court in the Justice K. Puttaswamy case[4] held that
the Right to Privacy is protected as an intrinsic part of the right to life and
personal liberty[5], as a part of the rights guaranteed by Part-III of the
Constitution.
This Right restrains the State from committing an intrusion upon the life and
personal liberty of a citizen and imposes an obligation on the State to take
all necessary measures to protect the privacy of the individual[6].
2. Major highlights of the Personal Data Protection Bill, 2019:
Application of provisions of the bill:
Provisions of the bill shall apply to the processing of personal data by the
State, any Indian company, any citizen of India or any person or body of persons
incorporated or created under Indian law where such data has been collected,
disclosed, shared or otherwise processed within the territory of India or by
data fiduciaries or data processors not present within the territory of India,
if such processing is— (i) in connection with any business carried on in India,
or any systematic activity of offering goods or services to data principals
within the territory of India; or (ii) in connection with any activity which
involves profiling of data principals within the territory of India[7].
The Bill shall not apply to the processing of anonymized data, other than
anonymized data or other non-personal data used to enable better targeting of
delivery of services or formulation of evidence-based policies by the Central
Government[8].
Data Protection Authority of India (DPAI):
The Bill proposes the establishment of the Data Protection Authority of India
as a body corporate. The DPAI shall take steps to protect the interests of
individuals, prevent misuse of personal data, ensure compliance with the Bill,
and promote awareness about data protection[9]. The DPAI also has powers to
issue directions to data fiduciaries and data processors[10], to call for
information[11], and to conduct inquiries[12]. The Bill also provides for the
establishment of the Appellate Tribunal[13], and orders of the Adjudicating
Authority can be appealed to the Appellate Tribunal[14]. Appeals against the
order of the Tribunal can be filed at the Supreme Court.
Rights of Data Principals:
The Bill sets out certain rights of the data principal, which include: (i) the
right to obtain confirmation from the fiduciary on whether their personal data
has been processed[15], together with the right to access in one place the
identities of the data fiduciaries with whom their personal data has been
shared by any data fiduciary, along with the categories of personal data shared
with them, in a specified manner[16]; (ii) the right to seek correction or
completion of inaccurate or incomplete data, or to update or erase personal
data[17]; (iii) the right to data portability and to have the personal data
transferred to any other data fiduciary in certain circumstances[18]; and (iv)
the right to be forgotten, under which an individual may restrict continuing
disclosure of their personal data by a fiduciary if it is no longer necessary
or consent is withdrawn[19].
Obligations of the Data Fiduciary:
The processing of personal data by the data fiduciary will subject them to
certain obligations such as:
- No personal data shall be processed by any person, except for a
specific, clear, and lawful purpose[20], and it shall be collected only
to the extent that is necessary for processing such personal data[21].
- Every person processing personal data of a data principal shall process
such personal data fairly and reasonably and ensure the privacy of the data
principal; and for the purpose consented to by the data principal or which
is incidental to or connected with such purpose, and which the data
principal would reasonably expect that such personal data shall be used
for[22].
- Notice is required to be given to the individual/data principal for
collection or processing of personal data[23] and such data shall be
retained only for the purpose for which it is processed and shall be deleted
at the end of the processing[24].
- The personal data shall not be processed without the consent of data
principal at the commencement of its processing and the consent of the data
principal shall be valid if it is consistent with the requirements of the
other statutes like the Contract Act,[25] or Information & Technology
Act.[26]
Apart from these obligations, the Data Fiduciary must undertake all necessary
measures to protect and properly process an individual's personal data and
maintain transparency and accountability for its actions.
2.5 Processing of Sensitive Personal Data & Critical Personal Data:
A Data Fiduciary can process personal data only with the consent of the
individual, but certain exceptions are provided under which Personal Data can
be processed without consent, such as:
- if required by the State for providing benefits to the individual;
- legal proceedings;
- to respond to a medical emergency;
- employment-related;
- necessary for reasonable purposes such as prevention of fraud, mergers,
etc.[27]
Sensitive personal data means such personal data, which may reveal, be related
to, or constitute:
- financial data;
- health data;
- official identifier;
- sex life;
- sexual orientation;
- biometric data, etc.[28]
Every data fiduciary shall process sensitive personal data of a child in such
a manner that protects the rights of, and is in the best interests of, the
child. The data fiduciary shall, before processing any personal data of a
child, verify his age and obtain the consent of his parent or guardian, in a
specified manner.
Sensitive personal data shall be stored in India only, but it may be
transferred outside India for processing when explicit consent is given by the
data principal for such transfer[29]. Sensitive personal data may also be
transferred outside India if such transfer is made pursuant to a contract or
intra-group scheme approved by the Authority, or if the Central Government,
after consultation with the Authority, allows such transfer, or if the
Authority allows transfer for any specific purpose.[30]
Critical personal data means such personal data as may be notified by the
Central Government to be critical personal data.[31] Critical personal data
shall only be processed in India[32] and may be transferred outside India only
where such transfer is to a person or an entity engaged in the provision of
health services or emergency services, or where such transfer, in the opinion
of the Central Government, does not prejudicially affect the security and
strategic interest of the State.[33]
3. Personal Data Protection Bill, 2019 vis-a-vis Right to Privacy:
Personal Data Protection Bill, 2019 provides an individual with several rights
but it is highly inequitable to grant such rights at the cost of the fundamental
rights of the person. Certain provisions in the bill are required to be
interpreted in light of the fundamental right to privacy, the fundamental right
to life & liberty[34], and the right to equality[35].
Firstly, Section 35[36] of the Bill is one of the most controversial
provisions. It gives power to the central government to exempt any of its
agencies from the application of the Act, and this provision acts as a blanket
of protection for the central government to breach the right to privacy on
various vague and nebulous grounds.
The Bill has significantly expanded the scope of exceptions, thereby diluting
the right to privacy. The report of the committee stresses the need to ensure
that the pillars of the data protection framework are not shaken by a vague
and nebulous national security exception[37].
To protect the spirit of the law, the government and its agencies should not
be explicitly exempted from the application of the Act, and if exemptions are
given to them, they should be subject to the test of reasonability, and the
government should process personal data only when circumstances exist which
render it necessary to do so. The exercise of such power should not be
arbitrary, artificial, and evasive and should be just and reasonable.
As far as the concept of consent is concerned, it is not legitimate for the
government or its agencies to use the personal data of a citizen unless it is
authorized by law; such intrusion should be proportionate and must be backed
by a legitimate aim, as the right to privacy is a fundamental right in itself.
The court is also of the opinion that it is not open to a citizen to waive any
of the fundamental rights conferred by Part-III of the Constitution. These
rights have been put in the Constitution not merely for the benefit of the
individual but as a matter of public policy for the benefit of the general
public. It is like an obligation imposed on the State by the Constitution, and
no person can relieve the State of this obligation[38].
There may exist two standpoints. First, since the Right to Privacy has been
declared a Fundamental Right by the Supreme Court, any exercise of power by
the government under Section 35 of the Bill should be subject to Article 14
and Article 21 of the Constitution, and if the government exercises its power
arbitrarily, such action will be challenged in a court of law for the
violation of a Fundamental Right. Second, Section 35 of the Bill is
inconsistent with the Indian Constitution[39] to the extent that it is
repugnant to the fundamental right to privacy.
Secondly, Section 91 of the Bill is also considered to be the center of the
controversy, as it grants power to the government to ask any data fiduciary or
data processor to hand over anonymized non-personal data for the purpose of
better governance, to inform its policies, and to deliver services to
citizens[40].
This provision is included to provide people with various government services
and to support other state functions such as growth, security, integrity, and
prevention of misuse[41], but the Bill does not prescribe complete standards
for anonymization or for the quantum of risk, if any, involved to the personal
data.
Also, it is very difficult to trace whether the non-personal data is used by
the government for the said purposes only or whether it is used for certain
other purposes which will affect the privacy standards and the constitutional
and other rights of the person.
4. Concluding Remarks:
The Bill has been influenced by the European Union's General Data Protection
Regulation (GDPR)[42]. It imposes high obligations and compliance requirements
on data fiduciaries and also requires technology companies to garner consent
from citizens before collecting and processing their personal data. The Bill
continues to require that Personal Data[43] be processed fairly and reasonably
while ensuring the privacy of the Data Principal[44].
The Bill fails to hold the State accountable for processing personal data. The
government is provided with possible excuses to process personal data and at
the same time holds the power to issue directions to the DPAI, and the
Authority has no option other than to follow the directions.
It is reasonable to state that the Bill was a substantial attempt to eliminate
data breaches, and it was also the need of the hour for a country like India,
where the campaign of Digital India is led by the Prime Minister himself, to
propose an enactment for the digital protection of this right to privacy. At
the same time, it is not untrue to state that the Bill was a chaotic and
disorganized piece of proposed legislation, drafted out of the political
agenda of providing a safeguard to the ruling government and its agencies by
providing explicit protection to them from the applicability of the Bill's
provisions.
The Bill, although incomplete and rushed, is still a step in the right
direction, and hence the most prominent step towards a comprehensive law on
personal data protection in India and thereby the most remarkable stride for
the digital protection of the fundamental right to privacy in this dynamic
world.
End-Notes:
[1] See, INDIA CONST. art 21.
[2] Justice K. Puttaswamy vs. Union of India, 4161 AIR (2017).
[3] Justice K.S. Puttaswami vs. Union of India, 3081 AIR (2015).
[4] Justice K. Puttaswamy vs. Union of India, 4161 AIR (2017).
[5] See, INDIA CONST. art 21.
[6] Justice K. Puttaswamy vs. Union of India, 4161 AIR (2017).
[7] The Draft Personal Data Protection Bill, 2019, Bill No.373, § 2 (2019),
introduced in Lok Sabha, Parliament of India by Ministry of Electronics and
Information Technology, ( May 10, 2020, 7:14 PM ), http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf (hereinafter Personal
Data Protection Bill, 2019)
[8] See, Personal Data Protection Bill, Id., § 91 (2), The Central Government
may, in consultation with the Authority, direct any data fiduciary or data
processor to provide any personal data anonymized or other non-personal data to
enable better targeting of delivery of services or formulation of evidence-based
policies by the Central Government, in such manner as may be prescribed.
[9] Personal Data Protection Bill, Supra Note 6, § 49.
[10] Personal Data Protection Bill, Supra Note 6, § 51.
[11] See, Personal Data Protection Bill, Supra Note 6, § 52.
[12] Personal Data Protection Bill, Supra Note 6, § 53.
[13] Personal Data Protection Bill, Supra Note 6, § 67.
[14] See, Personal Data Protection Bill, Supra Note 6, § 72.
[15] Personal Data Protection Bill, Supra Note 6, § 17 (1) (a).
[16] Personal Data Protection Bill, Supra Note 6, § 17 (3).
[17] Personal Data Protection Bill, Supra Note 6, § 18.
[18] See, Personal Data Protection Bill, Supra Note 6, § 19.
[19] Personal Data Protection Bill, Supra Note 6, § 20.
[20] Personal Data Protection Bill, Supra Note 6, § 4.
[21] Personal Data Protection Bill, Supra Note 6, § 6.
[22] Personal Data Protection Bill, Supra Note 6, § 5.
[23] See, Personal Data Protection Bill, Supra Note 6, § 7.
[24] Personal Data Protection Bill, Supra Note 6, § 9.
[25] See, Indian Contract Act, § 14 (1872).
[26] See, Information & Technology Act, § 7 (2000).
[27] Personal Data Protection Bill, Supra Note 6, § 12.
[28] See, Personal Data Protection Bill, Supra Note 6, § 3 (36).
[29] See, Personal Data Protection Bill, Supra Note 6, § § 33, 34.
[30] Personal Data Protection Bill, Supra Note 6, § 34.
[31] See, Personal Data Protection Bill, Supra Note 6, Explanation § 33 (2).
[32] Personal Data Protection Bill, Supra Note 6, § 33 (2).
[33] Personal Data Protection Bill, Supra Note 6, § 34 (2).
[34] See, INDIA CONST. art. 21.
[35] See, INDIA CONST. art. 14.
[36] Personal Data Protection Bill, Supra Note 6, § 35, Where the Central
Government is satisfied that it is necessary or expedient,— (i) in the interest
of sovereignty and integrity of India, the security of the State, friendly
relations with foreign States, public order; or (ii) for preventing incitement
to the commission of any cognizable offense relating to sovereignty and
integrity of India, the security of the State, friendly relations with foreign
States, public order, it may, by order, for reasons to be recorded in writing,
direct that all or any of the provisions of this Act shall not apply to any
agency of the Government in respect of the processing of such personal data, as
may be specified in the order subject to such procedure, safeguards and
oversight mechanism to be followed by the agency, as may be prescribed.
[37] See, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna,
A Free and Fair Digital Economy, Protecting Privacy, Empowering Indians.
[38] Olga Tellis v. Bombay Municipal Corporation, 180 AIR, (1986)
[39] See INDIA CONST. art. 13, § 2.
[40] Personal Data Protection Bill, Supra Note 6, § 91.
[41] The Draft Personal Data Protection Bill, 2019, Bill No.373 (2019),
introduced in Lok Sabha, Parliament of India by Ministry of Electronics and
Information Technology, ( May 10, 2020, 7:14 PM ), http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf (hereinafter Personal
Data Protection Bill, 2019).
[42] The Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation), (May 9, 2020, 5:20
PM), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 (hereinafter GDPR).
[43] Personal Data Protection Bill, Supra Note 6, § 3 (28).
[44] Personal Data Protection Bill, Supra Note 6, § 5 (a).