
The Personal Data Protection Bill: A Step To Mitigate The Increasing Threat To The Personal Data Of An Individual

This research draft analyses the Personal Data Protection Bill presented by the Ministry of Electronics and Information Technology (MeitY) in 2019. The bill was brought on the recommendations of a committee chaired by Justice BN Srikrishna, which examined the issues related to data protection in India.

Security of personal data is a global issue that many countries, including India, are trying to tackle. In India, the use of technology has increased to a great extent; thus, it is imperative to have such legislation to regulate entities while they process the personal information of individuals. Since we now have such legislation, it is important to analyze the aspects of the bill and how it will help citizens protect their personal data from harm. This research paper also includes a brief analysis of the JPC [1].

Introduction
The idea of the Personal Data Protection Bill first came to light in one of the most celebrated cases in India, Justice KS Puttaswamy vs. Union Of India, in 2017, which declared 'privacy' a fundamental right under Article 21 of the Indian Constitution. The nexus between data and privacy, and the need for such regulation, were recognised. With the constant growth of digitalization in India, offences such as personal data breaches are rising steeply.

With such legislation, it will be easier to regulate data processing entities and ensure that no harm comes to the personal data of an individual. With the advent of technology and digitalization, the threat to personal information and the number of personal data breaches are increasing. As India tries to adapt to new technology, these data breaches have become an obstacle. Not just India, but many other countries are coming up with such legislation in order to safeguard their citizens' personal information. Data released by UNCTAD [2] (https://unctad.org/page/data-protection-and-privacy-legislation-worldwide) says that 1% of the countries have legislation on data protection, 9% of countries have draft legislation, 15% of countries have no legislation, and 5% of countries have no data.

The bill was presented in the Lok Sabha on December 11, 2019, by Dr. Ravi Shankar Prasad, the then Minister of Electronics and Information Technology (MeitY). The bill was presented on the recommendations of the BN Srikrishna committee. It was then referred to the Joint Parliamentary Committee of both houses of Parliament (called the JPC). The JPC was headed by Member of Parliament Meenakshi Lekhi.

Some other aspects of the bill which were discussed were the 'Right to privacy' and the 'Right to be forgotten.' These two judgements had given the basis for the formation of the personal data protection bill in 2019. Since a breach of personal data or information leads to interference in an individual's private life, it is very important to safeguard such data in physical as well as digital domains. As this is one of the challenges of digitalisation, it is the duty of a country's law makers to come up with measures which give individuals a safe atmosphere.

The proposed bill gives us an insight into such an environment, where there will be timely checks on the activities of data processing entities so that the personal data of an individual is not harmed. The bill is designed in such a manner that it regulates entities not only while they process data but also after the processing is complete.

This means that entities are required, firstly, to delete the personal data of an individual after the processing is complete and, secondly, to remove it from all the sites used while processing such data. This reflects the 'right to be forgotten or erasure' of the personal information of any person.

No person shall be discriminated against on the basis of past deeds of which he has been acquitted, or for personal ailments from which he might be suffering. Thus, the bill gives us an insight into regulating data processing entities while keeping in mind the rights of data principals.

Definition Of The Terms Discussed In The Bill

  • Data: a large collection of information, facts, opinions etc.
  • Data Principal: the person whose data is collected and processed.
  • Data Fiduciary: the person who collects and processes data. It can be any state, a company, a firm etc.
  • Data Processor: any state, company or other entity that processes data on behalf of a data fiduciary.
  • Data Auditor: it means to audit data to establish how a company's data fits in the purpose of the data processing.
  • Biometric Data: facial images, fingerprints, iris scans, etc. are known as biometric data. It is the recognition of an individual based on his biological characteristics and the unique identity of a natural person.
  • Adjudicating officer: it shall be a person having ability and professional experience of not less than 7 years in the field of law, cyber and internet, data protection and related subjects.
  • Anonymisation: the transformation of the personal data of an individual through an irreversible process such that the identity of the data principal remains hidden. The process must also meet the standards of irreversibility specified by the authority.
     
  • Anonymised data: data which has gone through the process of anonymisation.
     
  • Child: under the bill, any person less than eighteen years of age is termed as a child.
     
  • Consent: it is the meeting of minds, or consensus, between two parties (here, the data principal and the data fiduciary) to perform some activity. A data fiduciary cannot collect information without the consent of the data principal.
     
  • De-identification: it means that the data fiduciary can hide the identity or the name of the data principal by using a fictitious name, or in any other way which might point to that person, but not directly.
     
  • Financial data: any financial information of an individual, such as the account, card, payment history or payment platform of the data principal, or the relationship between a financial institution and the data principal, which includes financial status and credit history.
     

Joint Parliamentary Committee Report: Discussed In Brief

  1. Data: Transforming India As Well As A Global Threat

    Data is a large collection of information held in one place and easy to access. Digitalisation and technology have made people's lives much easier. They have helped India reach the skies in terms of technological advancement. India has a huge population, being the second most populous country in the world. An enormous amount of data is collected every day. Collecting such data in one place is a huge task. The effective use of this data can take an economy to greater heights. As every situation comes with a but, here too a 'BUT' arrives in capital letters. Since a huge chunk of data is available, there is a possibility of data breach as well. This being a major question worldwide, a lot of countries are coming up with legislation to tackle the issue. Brazil, Australia, Canada and the USA already have such legislation, and many more countries are trying to give their citizens a safe environment to live in.
     
  2. New Asset And Dwindling Consumer Trust

    As new technologies come up, people are concerned about the use of such technology and whether it will be safe for them or not. It is difficult for the older generations to adapt to the new aspects of technology. It is very natural to think so, because everyone is concerned about their personal data and their whereabouts.

    The personal data protection bill assures citizens that there will be regular checks on data fiduciaries to ensure that the personal information of an individual is not leaked to a third party. At the same time, checks are also done on companies so that they keep the personal information of any person safe with themselves. The whole idea behind this is to make consumers feel free to share their information with the entities concerned without any doubt in their minds.
     
  3. Impact Of Data Breach On Health And Wellbeing

    A person is affected not just financially, socially and emotionally, but also experiences a threat to health. Because of personal data breaches, a person is not willing to trust the people he is surrounded by. This creates a sense of insecurity in a person's mind and a fear of residing in any place.

    Constant fear in the minds of people can directly affect their bodies and thus affect society as a whole. It has to be taken into consideration that the health of people is also affected to a great extent in connection with the protection of the personal information of data principals. People can suffer from various emotional effects such as excessive fear, anger, frustration, outrage, insomnia, increased stress levels, depression, inability to feel safe and trust people, lack of concentration, lack of interest in activities and hobbies, helplessness etc.
     
  4. Proliferation Of Bots And Fake Accounts

    Though digitalisation and technological advancements have made lives easier, some other concerns have also emerged. A major issue that has arisen is the creation of fake accounts of people under other names. Attackers hack people's accounts and extract personal information, leading to personal data breaches.

    These are most prevalent on social media platforms. The present generation is the most active on such platforms, and the most vulnerable to phishing and blackmail. It is really important for them to be very vigilant about whom they share their personal information with.
     
  5. Growing Importance Of Data Protection And Localisation

    As far as data protection is concerned, every person wants to live in a very safe environment, both physically and digitally. Moreover, it is extremely important to maintain the confidentiality of any person's personal information. This is the responsibility of both the person himself and the state. The policy makers of a country should ensure that the personal information of their citizens is safeguarded in a befitting manner. As more and more companies enter the digital domain, protecting data becomes an ever more Herculean task. Now comes data localisation: firstly, it refers to the cross-border movement of data. The authorities ensure that the personal data of an individual is not interfered with by any foreign international agency.

    Some of the provisions discussed by the bill include:
    1. Personal data of an individual cannot be transferred without the consent of that particular individual.
    2. Sensitive personal data can be transferred but has to be stored in India.
    3. Critical personal data can be transferred but can be processed in India only.
    4. Data of the data principal can be transferred in health emergencies.
    5. The central government can transfer data of the data fiduciary outside India or to any other entity when there is a question of national security.
       
  6. Data Security As National Security

    Data protection for the citizens of a country is the responsibility of the law makers of that country. Thus, it is in the hands of bureaucrats to safeguard the personal information of citizens. Moreover, the technical information of any country, especially relating to defence, is very important to keep safe from any kind of breach. People are the asset of any country; be it a direct breach of the personal data of a citizen or indirect harm to the national security of a country, in both cases there is a threat to the life of the citizens of that country. Thus, it is imperative to have such legislation in hand to prevent such issues.
     
  7. Legal Mechanisms In India To Deal With Data Protection In India

    India did not have any such legislation before. To deal with privacy issues related to data protection, we had the Information Technology Act 2000. After an amendment to it, some rules were added, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Other related provisions are the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the RTI (Right To Information) Act, 2005. But these did not suffice for the requirements of our country.

    We needed legislation which dealt specifically and completely with the protection of the personal data of an individual in India. As per the examinations and recommendations of the BN Srikrishna committee, the existing government in its previous tenure, in 2019, came up with the legislation for personal data protection. But the process does not end here; the above-mentioned acts will also be framed in a way that they may include some of the data protection provisions.

BN Srikrishna Committee Recommendations: Discussed In Brief.

The committee recommendations were presented before the Lok Sabha by the committee head, Supreme Court Judge Justice BN Srikrishna. The committee's recommendations were presented in accordance with the Personal Data Protection Bill 2019 and the making of a Data Protection Framework. The recommendations were presented after a very famous Supreme Court case, KS Puttaswamy vs. Union Of India, in which the right to privacy was discussed. This gave birth to the idea of data protection.

The major key points discussed were:
  1. Obligations of the data fiduciary:
    The data processed by data fiduciaries has to be clear, specific and lawful. In using the personal information of a data principal, it has to be ensured that the processing and profiling is done in a fair and reasonable manner. The data collected by data fiduciaries should satisfy the purpose of the data processing. The data fiduciary is to give prior notice to the data principal before collecting data, along with the reason behind it.
     
  2. Consent of the data principal
    Since data protection is directly related to privacy, it is absolutely necessary for data fiduciaries to have the consent of the data principal. Personal information processing has to be done with the free consent of the data principal. But in certain cases, processing of data can be done even without the consent of the data principal by the State or the authorities concerned. Such cases include issues related to national security, confidentiality of the State, compliance with any order of the Courts and Tribunals, providing assistance to an individual during national calamities or disaster breakdown etc.
     
  3. Protection of children from personal data breach
    The bill defines a child as an individual less than eighteen years of age. Since a child is also an individual, data fiduciaries have to ensure that the personal information of children is processed keeping in mind the rights and the best interest of the child. If the child is not of consenting age, the data fiduciaries must approach the parents or the guardian of the child.
     
  4. Rights of the data principals.
    The rights of the data principal have been given importance in the bill.

    Some of the primary rights given to data principals are:
    1. Right to confirmation and access:
      As the name suggests, it is the right of an individual to check whether the personal data given to the data fiduciary is being processed for the right purpose or not.
       
    2. Right to correction and erasure:
      This right ensures that data principals can at any time ask data fiduciaries to correct the information provided. The right to erasure also includes the new concept raised as the 'right to be forgotten'. It implies that the data fiduciary has to remove the personal data of the data principal from the system and the site used while processing, once processing of the personal information is complete.
       
  5. Exemptions.
    There are certain exemptions under which personal data can be processed without the consent of data principals. The grounds for such interventions can be public welfare, law and order, emergencies, friendly relations with foreign countries, security of the State, legal proceedings etc. Apart from these, there shall be no breach or misuse of the personal information of the data principal. It is the responsibility of the authorities to keep the personal information of data principals confidential.
     
  6. Data Protection Authority (DPA)
    The data protection law will set up a Data Protection Authority (DPA), which will be an independent regulatory body responsible for the enforcement and effective implementation of the law.

The DPA shall perform the following primary functions:
  • Monitoring And Enforcement
  • Legal Affairs, Policy, And Standard Setting
  • Research And Awareness
  • Inquiry, Grievance Handling, And Adjudication. [3]

Conclusion
The personal data protection bill safeguards the personal information of an individual from being breached. The step taken by the government is extremely appreciable. Data protection has become a problem with technological advancements. This bill provides citizens a safe environment where they can lead their lives with privacy and no third-party interference.

This bill regulates the data protection authorities or data fiduciaries who are assigned by the government to process the personal information of an individual. Addressing this issue, the Joint Parliamentary Committee came up with certain recommendations to tackle the problems which personal data breaches can cause for individuals, followed by the concerns on national security.

Another committee was constituted with Justice BN Srikrishna as its head. The committee discussed the actions that would be taken by the government if there is a breach on the part of data fiduciaries, and the duties they must perform while processing the personal data of an individual. This research paper gives a holistic idea of the Personal Data Protection Bill, 2019.

Bibliography
  1. PRSIndia: https://prsindia.org/billtrack/the-personal-data-protection-bill-2019
  2. Personal Data Protection Bill, 2019: PRSindia Bill Text 4173LS(Pre).p65 (prsindia.org)
End-Notes:
  1. JPC: Joint Parliamentary Committee report and the recommendations of the BN Srikrishna committee, in connection to the bill.
  2. UNCTAD: United Nations Conference on Trade and Development.
  3. https://www.drishtiias.com/pdf/justice-bn-srikrishna-committee-submits-data-protection-report.pdf page no 2/5
