Personal Data Protection Bill
Collection of information about individuals and their online habits has become an important source of
profits, but also a potential avenue for invasion of privacy because it can reveal extremely personal
aspects.
Companies, governments, and political parties find it valuable because they can use it to find the most
convincing ways to advertise online.
To prevent the breach of privacy and unwarranted advertising, this bill was a necessity.
Related Terms Explained
Data
Data is any collection of information that is stored in such a way that computers can easily read it.
Data usually refers to information about an individual’s messages, social media posts, online
transactions, and browser searches.
Data Processing
The analysis of data to collect patterns, turning raw data into useful information.
Data Principal
The entity that a fiduciary might give the data for processing, a third-party entity.
Data Flows
The physical attributes of data — where data is stored, where it is sent, where it is turned into something
useful — are called data flows.
Personal Data
It is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an
individual.
Sensitive Personal Data
Data related to finances, health, official identifiers, sex life, sexual orientation, biometric, genetics,
transgender status, intersex status, caste or tribe, religious or political belief or affiliation. This data can
only be sent abroad with authority approval.
Right to data portability
The right to receive the data from the fiduciary in a machine-readable format.
The right to be forgotten
The right to restrict continuing disclosure of personal data.
Data Protection Authority (DPA)
A government authority tasked with protecting individuals’ data and executing this Act through codes of
practice, inquiries, audits and more.
Each company will have a Data Protection Officer (DPO) who will liaise with the DPA for auditing,
grievance redressal, record-keeping, maintenance and more.
Adjudicating Officers
Officers in the DPA with the power to call people forward for an inquiry into fiduciaries, assess
compliance, and determine penalties on the fiduciary or compensation to the principal.
Adjudication decisions can be appealed in the appellate tribunal.
Appeals from the Tribunal will go to the Supreme Court.
Applicability: The Bill governs the processing of personal data by:
o Government
o Companies incorporated in India
o Foreign companies dealing with personal data of individuals in India
Obligations of data fiduciary: Personal data can be processed only for a specific, clear and
lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and
accountability measures such as:
o Implementing security safeguards (such as data encryption and preventing misuse of data), and
o Instituting Grievance Redressal Mechanisms to address complaints of individuals. They must
also institute mechanisms for age verification and parental consent when processing sensitive
personal data of children.
Rights of the individual
o Seek correction of inaccurate, incomplete, or out-of-date personal data.
o Have personal data transferred to any other data fiduciary in certain circumstances.
o Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or
consent is withdrawn.
Grounds for processing personal data: The Bill allows the processing of data by fiduciaries
only if consent is provided by the individual. However, in certain circumstances, personal data
can be processed without consent. These include:
o If required by the State for providing benefits to the individual,
o Legal proceedings,
o To respond to a medical emergency.
Exemptions
The central government can exempt any of its agencies from the provisions of the Act:
In the interest of the security of the state, public order, sovereignty and integrity of India and friendly
relations with foreign states, and
For preventing incitement to the commission of any cognisable offence (i.e. arrest without warrant).
Offences:
Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore
or 4% of the annual turnover of the fiduciary, whichever is higher, and
Failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover
of the fiduciary, whichever is higher.
Private organisations will have a lot to do, from making technical changes in engineering
architecture to modifying business processes. At the core, they need to place limits on data collection,
processing and storage, but there’s a lot more.
Technical security safeguards, including de-identification (preventing an individual’s identity from
being inadvertently revealed) and encryption, need to be built in. Any instance of data breach needs to
be reported to the regulator.
Larger organizations—depending on the volume of data, annual turnover and other factors—and social
media companies with users above a defined threshold will have additional responsibilities. This
includes conducting data protection impact assessments for specific tasks defined by the regulator,
periodic security audits and appointing a data protection officer. Additionally, social media platforms
would be required to enable users to voluntarily verify their accounts, similar to the “blue tick” on
Twitter.
How is it different from the draft?
In the Bill, there are significant changes from the version drafted by a committee headed by Justice BN
Srikrishna.
Data Protection Authority’s composition is dominated by the government, as contrasted with the diverse
and independent composition as suggested in the committee’s draft.
o In the current bill, the authority’s chairperson and six whole-time members will be appointed on
the recommendation of a committee comprising the cabinet secretary, IT secretary and law
secretary.
The draft had said all fiduciaries must store a copy of all personal data in India — a provision
that was criticized by foreign technology companies that store most of Indians’ data abroad and
even some domestic startups that were worried about a foreign backlash.
o The Bill removes this stipulation, only requiring individual consent for data transfer abroad.
Similar to the draft, however, the Bill still requires sensitive personal data to be stored only in
India.
o It can be processed abroad only under certain conditions, including approval of the Data
Protection Authority (DPA). The final category, critical personal data, must be stored and
processed in India.
The Bill mandates fiduciaries to give the government any non-personal data when
demanded. Non-personal data refers to anonymised data, such as traffic patterns or demographic
data.
o The previous draft did not apply to this type of data, which many companies use to fund their
business model.
All personal data (any characteristic, trait, attribute or other feature of the person), online or offline, shall
require the explicit and informed consent of the individual to whom it belongs before such data
can be collected or subjected to any form of analysis.
Section 6 of the Bill provides that any data collected should only be to the extent necessary for the
processing of such personal data. Section 7 mandates that a notice be given to the person whose data is
being collected, of the nature and categories of personal data, and the purposes for which the data is to
be processed, among other things.
o This should put a huge spoke in the wheels of organisations that thrive on processing and
monetising data collected from individuals.
Data localisation will help law-enforcement access data for investigations and enforcement.
o As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal
assistance treaties” — a process that almost all stakeholders agree is cumbersome.
o In addition, proponents highlight security against foreign attacks and surveillance, harkening
notions of data sovereignty.
Many domestic-born technology companies, which store most of their data exclusively in
India, support localisation.
o PayTM has consistently supported localisation.
o Reliance Jio has strongly argued that data regulation for privacy and security will have little teeth
without localisation, calling upon models in China and Russia.
Many economy stakeholders say localisation will also increase the ability of the Indian
government to tax Internet giants.
The appointment of members to the DPA will not be made through an independent body but by a
handful of people, mostly bureaucrats, selected by the government.
Civil society groups have criticized the open-ended exceptions given to the government in the Bill,
allowing for surveillance.
o There is a blanket power of exemption from all provisions of the law (including access to
personal data without consent, citing national security, investigation and prosecution of any
offence, public order) in favour of a government agency.
A new watchdog without teeth, with no functional autonomy, would mean governments are
legally immune from charges of data-mining.
o Justice (Rtd) BN Srikrishna, who headed the committee that formulated the original draft of the
Bill, has reportedly called it “a piece of legislation that could turn India into an Orwellian state”.
Technology giants like Facebook and Google and their industry bodies, especially those with
significant ties to the US, have pushed back strongly.
o Many are concerned with a fractured Internet where the domino effect of the protectionist
policy will lead to other countries following suit.
o Much of this sentiment harkens to the values of a globalised, competitive internet
marketplace, where costs and speeds determine information flows rather than nationalistic
borders.
Allowing the government to force companies to transfer non-personal data raises serious
intellectual property concerns, and can still threaten users even if they’re not individually
identified.
Comparison of Personal Data Protection (PDP) Bill and General Data Protection Regulation
(GDPR)
Where are they alike?
The exceptions given in the Indian Bill and the EU Regulation look similar. Both allow data
processing for the prevention, investigation, detection, or prosecution of criminal offences. Both also
discuss “public security”, “defence”, and “judicial” proceedings.
o The GDPR states: “This Regulation does not apply to issues of protection of fundamental rights
and freedoms or the free flow of personal data related to activities which fall outside the scope of
Union law, such as activities concerning national security. This Regulation does not apply to
the processing of personal data by the Member States when carrying out activities in relation to
the common foreign and security policy of the Union.”
Consent: The PDP Bill and the GDPR are founded upon the concept of consent. In other words,
data processing should be allowed when the individual allows it. Consent carries similar
meanings, with words like “free”, “specific”, and “informed”.
Individual’s rights: Both give similar rights to the individual, including the right to
correction, the right to data portability (transferring your data to another entity), and the right
to be forgotten (the right to restrict continuing disclosure of your data).
o But the right to object to profiling is in the GDPR and not the PDP Bill.
Other similarities: Both place responsibility on the fiduciaries, such as building products that
include privacy by their design and transparency about their data-related matters.
o The European Data Protection Board in the GDPR and the Data Protection Authority in the PDP
Bill have some similar duties, such as dispute resolution and codes of conduct.
Where do they differ?
Data Transfer Abroad: One significant difference between the GDPR and the PDP Bill is the
framework built around deciding whether or not data can leave the country. Both give a government
authority the power to decide if data transfers can occur, but the GDPR more clearly lays out the
parameters of this decision.
o Their “Adequacy Decision” is made based on the country’s rule of law, authorities, and other
international commitments. The transfer can be made without this decision if there are legally
binding rules or other codes of conduct that allow for it.
o The PDP Bill simply states that any transfer of sensitive personal data abroad requires the
Authority’s approval, without specifying as many details about the other country’s “adequacy” in
receiving the data.
Automated Decisions: The GDPR much more directly addresses personal harm from automated
decision-making.
o The PDP Bill requires an assessment in cases of large-scale profiling but does not give the
citizen the right to object to profiling, except in the cases of children.
Conclusion
The sweeping powers the Bill gives to the Government render meaningless the gains from the
landmark K.S. Puttaswamy vs. Union of India case, which culminated in the recognition that privacy
is intrinsic to life and liberty, and therefore a basic right.
The idea of privacy is certainly not reflected in the Bill in its current form and hopefully, the
parliamentary committee looks into it and due changes are initiated.