The Personal Data Protection Bill, 2019, which seeks to regulate the use of individual data by the government and private companies has been referred to a joint Parliament committee. The proposed law, as cleared by the Union cabinet, allows the government to access personal data. The provision has attracted much controversy, for being in sharp contrast to what was proposed by an expert group headed by former Supreme Court Judge B.N. Srikrishna in its first draft in July 2018. Currently, there are no laws on the use of personal data and preventing its misuse. The Bill is that the first legislation that focuses on privacy of citizens, and will potentially end in significant overhaul of digital businesses and corporation.

The Puttaswamy judgment and therefore the colloquy round the data protection in India ascended with the context of Aadhar, where the State was seen because the chief privacy violator. The Personal Data Protection Bill has been taken as an opportunity to correct that. This bill tries to protect the privacy of individual's data, regulate the processing of sensitive and critical personal data and establish a Data Protection Authority of India (DPAI) for regulations.

The bill has faced a lot of criticism from the experts over the country. Few of which have been discussed below.

Section 35 Of Bill

Section 35 empowers the central government to exempt any government agency from the provisions of the Act for purposes of public order, national security, etc. It is argued by the critics of the bill that it grants government agencies too much power with respect to processing citizens' personal data.

However, any misuse of Section 35 would still be subjected to the legal protections given in the Justice Puttaswamy case verdict delivered by a nine judge bench of the Supreme Court, which includes tests for what is "necessary" or "proportionate".
Some definitions too broad under the bill: Another concern raised is that a number of terms in Section 35, such as security of the State and public order, are very vague and has not been defined elaborately.

The term Public order has been used several times in several bills which finally became law. It has also been used in Section 144 of CrPC where the state has been given the authority to do the needful to maintain public order.

The State must be a model actor given the asymmetry of power between State and citizen. The data that is collected by private companies such as Facebook, it shall be of more concern than when the State does it, this is because the State has the power of law behind it and any misuse of such collected data shall be within judicial scrutiny.

The exemption clause in Section36 of the bill allows exempted agencies to take any measure to ensure safety of or provide assistance or services to any individual during any disaster or any breakdown of public order, aside from the State, it also gives power to an individual to work out what's a public order situation then without consent process your data or seek your data.

Do you think it's violation of Right to Privacy?

Exercise of right to privacy guaranteed by the Constitution of India is not absolute, and the government can impose reasonable restrictions as and when the situation arises in the interest of the community.

It is essential for the Government to impose reasonable restrictions on the exercise of Right to Privacy of its people, in view of larger public interest of strengthening the security of the state for various reasons such as to bring down the level of corruption, to ensure free and fair elections and to ensure welfare entitlements provided by the government properly reach the deprived sections of the Society. Article 19(2) of the Constitution of India provides that restrictions can be imposed on rights guaranteed under Article 19(1)(a), if there exists a threat to the security of the state.

Several International Conventions as well as legal provisions in other countries recognize that fundamental rights of the people can be restricted in the interest of the security of the state.
Lord Denning expressed that the English law must recognize Right to Privacy, and that the exercise of the same cannot be free from limitations. Thus right to privacy is an inalienable right and its curtailment is necessary for stability of the society.

European Convention on Human Rights also recognizes that right to privacy is not absolute and lays down certain circumstances which include national security, public safety and the economic well-being of the country, protection of health, rights and freedoms of others, inter alia under which the right can be interfered with, by the state.
Even in India it is not the first time that any public data collection law is being made by state.

The Information Technology Act, 2001 is the legislation which recognizes and regulates electronic communication, electronic data-interchange and in general, electronic commerce. Section 69 of the act states that if the controller is satisfied that it is necessary for the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence; the state authority can direct any concerned branch of the government to seize any information transmitted through any computer resource.

Conclusion
It is obvious from above that the Indian Parliament's approach to privacy safeguards has been rather relaxed. The bill draft was to be presented to the joint parliamentary committee in this first week of April. However, this could not happen amid global pandemic. The draft of the bill is open for suggestions for everyone and a number of recommendations to bill have been received by various experts of the field.

For processing of personal data consent of the individual would be required. The Organizations have to review and update data protection policies, codes to ensure these are consistent with the revised principles such as update their internal breach notification procedures, implement appropriate technical and organisational measures to prevent misuse of data, based on the type of personal data being processed.

The Significant Data Fiduciary should appoint a Data Protection Officer and he should be instituting grievance redressal mechanisms to address complaints by individuals.

Authentication No: AG30735640816-9-820