In contemporary times, we are stepping towards an era of Digital Data
Transfer. We are exchanging our sensitive information globally. The security of
this sensitive information has become a challenge nowadays which is often
compromised. This article examines the Personal Data Protection Bill, 2019, that
was introduced in Lok Sabha by the Minister of Electronics and Information
Technology, Mr. Ravi Shankar Prasad on December 11, 2019.
The bill proposes the privacy and regulate the processing of "sensitive" and
"critical" personal data. The bill presented in the parliament overlooks the
draft that was submitted by Justice Srikrishna-led panel in 2018. In this
article, we shall address how the bill passed deals with the preventive approach
rather than the protective approach. In this article, we shall also address
privacy in relation to the 2019 bill.
Major Features Of Personal Data Protection Bill
Data has become the most important resource of the today's world. It has become
subject to misuse and theft. The bill primarily focuses on protecting that data
which is used to identify a person like financial details, biometrics and
religious and caste beliefs. This information is collected by the Data
Fiduciaries. Therefore, the bill obliges the government and companies dealing
with the personal data of the individuals to respect these rights.
The draft of the 2019 bill is largely inspired by the by the European Union's
General Data Protection Regulation (GDPR). The definition of 'personal data'
under the Personal Data Protection Bill, 2019 Bill is read as "personal data
means data about or relating to a natural person who is directly or indirectly
identifiable, having regard to any characteristic, trait, attribute or any other
feature of the identity of such natural person, whether online or offline, or
any combination of such features with any other information, and shall include
inference drawn from such data for the purpose of profiling.”
The Data Protection Bill, 2019 provides for a legal framework for the collection
and use of the data. This bill proposes a Data Protection Authority (DPA) to
collect and regulate the legal framework. The bill makes consent a centerpiece
of the proposed data protection framework.
The bill proposes that personal data should only be processed on the basis of
free, informed, and specific consent, with provisions that allow such consent to
be withdrawn. Any data processing that is used without such consent would be a
violation and could result in penalties.This bill has a separate category of
“sensitive personal data” and states that such data can be processed only with “explicit
Consent has to be taken from the user after bestowing on the adequate
information about the kinds and purposes for which the data would be collected
and processed. The personal data shall be collected only to the extent that
is necessary for the purposes of processing of such personal data.
The data fiduciary will have to ensure the data are accurate and stored only for
the period necessary for satisfying the purposes of data collection. It will
also be accountable for all compliance requirements under the bill. As per the
bill, the data principal can claim to correct the inaccurate data under Sec. 18
(right to correction and erasure).
As per Sec. 20 of the bill, the data principal shall have the right to restrict
or prevent the continuing disclosure of his personal data by a data fiduciary
under specified conditions.” This bill demands the data fiduciary to redress the
grievances of the data principal with efficiency in a speedy manner under Sec.
32. The bill also provides for the “Adjudicating Officer” to decide penalties
and award compensation.
The composition of the selection committee has been changed considerably under
the 2019 Bill. As per the provisions of the 2018 Bill, the Selection Committee
was to comprise of:
- Chief Justice of India or a judge of the Supreme Court,
- the Cabinet Secretary, and
- and expert nominated by the Chief Justice of India or by the judge of
the Supreme Court.
But in 2019 Bill the judicial
representation on the Selection Committee has been quashed and now the selection
Committee constitutes only:
- Cabinet Secretary who shall be the chairperson,
- the Secretary to the government of India in the Ministry or department
dealing with legal affairs,
- the Secretary to the government of India in the Ministry or Department
dealing with electronics and information technology.
Loopholes In The Present
The 2019 Bill states that only “sensitive personal data” and “critical personal
data” may be transferred outside India for processing. Therefore, a requirement
to store the sensitive personal data in India has been put.
Despite abolishing ambiguities from the 2018 bill, there are still some areas
where the new bill constitutes a set of challenges. The proposed bill doesn't
provide for a robust enforcement mechanism for cross-border data transfer. The
GDPR in this regard has presented itself with the comprehensive approach. It
clearly says unless the transferee country has an “adequate level of protection”
mechanism, the data may not be transferred or certain “appropriate safeguards
are to be verified before the transfer of such data.
But in 2019 bill, Section 34 is not clear about 'adequate level of protection'.
Section 34 of this draft empowers the Central Government to exempt any
governmental agency from complying with the provisions provided in the bill.
Here, the scope of misuse is wide and can be misused.' The procedure of
appointments of the members is widely contested. Under this bill, the government
is empowered to use the data in a wide scope including national security,
sovereignty, integrity etc. In this bill, the tech-giants like Facebook and
Google are asked to allow the users to 'voluntarily verify' their accounts in
manner that is to be prescribed in the future.
These policies are criticized widely.
The 2019 bill proposes to impose significant compliance costs on firms engaged
in data processing. While smaller ones are exempt from many obligations, these
exemptions will only apply to businesses that manually process data. As a
result, a large cross-section of economic actors would have to incur significant
costs to implement the bill.
Mass Violation Of Privacy During Covid-19
Amidst this lockdown, there has been mass violation of privacy, the Central
Government has forced the public and private employees to download 'Aarogya
' App. A writ petition has been filed by the Kerala High Court
challenging the steps taken by the Central Government. John Daniel by whom the
petition is filed, contends that these directions issued by the government
violate right to privacy and personal autonomy as explained in K.S Puttaswamy
decision in 2017.
This app takes away the right of the person to control and decide the
information related to him. The penal action is imposed over the employees of
the enterprises under Section 58 of the Disaster Management Act, 2005, in case
they fail to comply with the orders to use this app. However, this is arbitrary
as penal action cannot be imposed without the mens rea.
There has been another violation of privacy via zoom app predominantly used for
the video conferencing. Because of the restriction of movement of people this
app has gained momentum mainly used for attending meetings and online classes.
It has been found that this app is not secured with end to end encryption as
safety feature and it has been reported that some ransom emails have been
received by the users of this app.
Although 2019 Bill has relaxed some stringent provisions that were present in
2018 bill. However, there are certain provisions of the 2018 Draft that were
questioned, they still remain unaddressed in 2019 draft also. Most of the
provisions lack clarity and enforcement mechanism. If it would be passed that
will only increase petitions in the court. As we all know that the 2019 Bill is
still to be reviewed by the Joint Parliamentary Committee and the shortcomings
will hopefully be taken into account and the Committee will come out with best
Written By: Vanshika Sharma
- The Personal Data Protection Bill, 2019, § 2
- The Personal Data Protection Bill, 2019, § 11 and 57.
- The Personal Data Protection Bill, 2019, §11.
- The Personal Data Protection Bill, 2019, §7.
- The Personal Data Protection Bill, 2019, § 6.
- The Personal Data Protection Bill, 2019, § 62.
- The Personal Data Protection Bill, 2019, § 42 (2).
- General Data Protection Regulation, art. 45.
- Anirudh Burman, Protection Law Protect Privacy and Promote
Growth?, CARNEGIE INDIA( May 13, 2020, 3:35 P.M.)