PERSONAL DATA PROTECTION BILL, 2019
Author: APURV KUMAR
Co-Author: Saksham Khanna
LLOYD LAW COLLEGE
In this modern era, where the advancement in technology is happening so rapidly it is quite obvious that the data of every individual is at a huge risk. Since our country is the 2nd largest nation which has the most number of Internet users. It lies surely under the ambit of data hackers which is a major threat to our Privacy. So, to curb this problem the Personal Data Protection Bill has been tabled by our electronics and I.T. minister Sri Ravi Shankar Prasad in Lok Sabha. The paper focuses particularly on every aspect of the Personal Data Protection Bill. The writers have profoundly researched and presented each branch of this bill is a very lucid way. We have discussed how the bill originated, who was behind the making of the bill, the purpose of the bill, merits, and loopholes of the bill, certain exceptions of the bill, where the provisions of the bill is exempted as well as the penalties that an entity will have to pay if they did not abide with the compliances of the bill and we had shown comparisons of this bill from other countries law so that our viewers to get acquainted properly. We have explained all the types of data in a very detailed manner and their localizations. It is crystal clear that in a digitally revolutionized country like India the personal data protection bill is going to make a huge impact. Amidst all the previous data stealing and data leakages that have been happened earlier are now going to stop after the introduction of this bill. Overall after viewing every side of this bill I conclude that our government must be focusing on that every individual of this country will get the data protection that he deserves.
Privacy, GDPR, Personal Data, Data fiduciary, Data protection
According to the privacy rights center, up to 10 million Americans are victims of ID theft each year. They have a right to be notified when their most sensitive health data is stolen.
Data is the new oil. Weather data is the oil or water, it is flowing everywhere, and that too without any halt. In this modern era, with the advancement of technology and everything is connected to the internet. Almost 4.57 billion people are active users of the internet as of July 2020, which comprises around 59% of the total global population. Our country ranks 2nd globally among the most numbers of people who are using the internet, 50% of India’s current population are active users of the internet. Over the year’s internet has emerged as the most effective way to gain knowledge, communicate, research, network building, and many other ways to obtain information. As we all know, that India has risen as an IT base which had brought us an enormous number of amenities and benefits but at the same time, it had put our privacy at threat.
So as social networking sites are becoming more and more omnipresent it is high time to look at the variety of data we put on these sites. Nowadays, people are using social networking sites more often and for more secretive and confidential types of communications. People tend to forget that by doing these things ultimately they are digging their own grave. We have to keep this thing in mind that privacy plays a very vital role in the life of any human being. Privacy is the key that opens the attributes of oneself that are the most private and close. That which can bring the person’s life in a situation of peril. Your confidential chats, body-related problems or diseases, medicines your financial transactions everything is at a huge risk. Your apprehension, your catastrophes, your defeats. The foulest stuff you have ever done. Your scarcities, your mental agony, the blunders you have committed in past. Each and everything either it is good or bad committed by you or you are sharing it with another person it might put your life at risk.
When you give the code of your privacy to your loved ones, then they will use it to benefit you. But the deceivers might use your privacy to intimidate you while they are executing a wrong. Companies might use your data to attract you with poor choices of deals. Your colleagues, friends, relatives, or hidden foes might use your darkest secrets and insecurities to frighten and destroy you by using your data to suffice their own hidden plans. Privacy is very crucial because its deficit gives others authority over us.
Sometimes, you may think that you are not a celebrity, you are not such a big personality of this society. So your privacy is hidden and safe and there is nothing so unique, fascinating, and pivotal to view there. It is the biggest misconception because if you were not that important then companies and governing bodies would not be spending so much to keep an eye on you. You have a body and a brain, every kind of organization will be eager to grasp more about it, possibly try to analyze it in a more detailed way, and try to be more familiar with the other bodies and minds.
When we talk about privacy and that too when we are talking about the personal data protection bill, we cannot afford to forget GDPR (General Data Protection Regulation) because the data protection bill is majorly based on GDPR’s principles. It is the law of the European Union. It has been clearly stated that this GDPR law is going to bring one of the biggest revolutions in the history of Data regulation. This law has been approved by the EU parliament in the year 2016 April, but it came into force after 2 years is on the 25th of May, 2018. In the 21st century, we all were waiting urgently for a bill like this because as I have previously also said that nowadays Data is the most precious thing. Our personal data has been easily traced. The companies are continuously processing our data and storing it. Big companies are now using separate databases for further selling it to 3rd parties. One of the implications was since the 3rd party was processing our data by buying it, it was avidly used in the U.S elections of 2016 to know the political ideology of the public. Still, normal people have yet not realized that how precious their data is. The famous Facebook Cambridge Analytica scandal was known for selling data from 3rd party app. Talking about GDPR, it’s basically working on a set of rules that abides the European companies to follow a protocol in processing the personal data of its users. There should be proper storage of data and there should be a clear-cut way to store and process and sharing it with 3rd person. Now, this onus is completely on European companies.
Now the question arises, who does the GDPR affect?
The GDPR not only affects the companies of the European Union but also the organizations located outside the European Union if they offer their services or monitor the behavior of European Union people’s personal data. In a nutshell, regardless of the company’s location, it applies to all the companies which hold or store the data of the European Union.
Penalties for Non-Compliance
A company can be charged 4% of its total annual turnover if the company violates the guidelines of GDPR. For breaching the guidelines of GDPR this is the maximum fine that can be imposed. But this GDPR law excludes the smaller companies from this punishment who have a capacity of fewer than 50 employees.
But since, now the giant companies have decided that they will be keeping an eye on the smaller organizations if they are processing the data or not. Many provisions in the personal data protection bill sound quite similar to those enshrined in the European Union’s General Data Protection Regulation (GDPR).
Origin of the bill
In the year 2017, on the 24th of August a constitutional bench of nine judges of the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India upheld that privacy is a fundamental right which is entrenched in Article 21 [Right to life and Liberty] of the constitution. This led to the formation of the comprehensive Personal Data Protection Bill, 2019. Before the bill was introduced in the parliament, a committee of experts has been made in the year, 2018 under the leadership of Justice B.N. Srikrishna and the name of the committee were B.N. Srikrishna committee. Data Protection and Outsourcing amendments were brought in the Information Technology Act, 2000 to provide the measures of Data Protection in India which may assuage the fears of misuse of data/information being dealt with by the outsourcing industry or the IT sector or with the e-commerce companies. This Bill amends the Information Technology Act, 2000 (“IT Act”) to repeal the provisions (Sections 43A and 87) that currently deal with data protection. Thus if the bill gets passed it will replace the existing data protection framework under the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The bill has been tabled by Sri Ravi Shankar Prasad electronics and I.T. Minister of India in the Lok Sabha in the year 2019. It is pending in Rajya Sabha. Things such as credit cards, financial transactions, voter ID cards, admission to any educational institution. All these things require some specific data. These things are directly connected to our privacy. The common thing which is happening in all these scenarios is that our privacy is being infringed.
Data Protection Authority
It is a nodal body that regulates everything relating to our personal data. Basically, it will enforce provisions of this Bill. It will look into implementation and pass orders on data protection. It will also prevent the misuse of data.
Data Protection Authority will consist of seven members. One chairperson and 6 members. All members will be having experience in the field of data protection. The tenure of members will be of 10 years and the members are going to be selected from a government panel. Another loophole is that the members of the Data Protection Authority is selected by a panel of government, so indirectly they will be working on their direction.
What is the purpose behind bringing this bill?
The purpose is to regulate sharing, collecting, storage, usage, transfer, and processing of our Personal data. The definition of Personal Data which is given in the bill is that “Personal Data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of identity of such natural person, or any combination of such features with any other information. By knowing the personal data of any person anybody can know about his or her character, trait, and attribute. Let us understand with an example suppose if I can know about your Aadhar Data then your iris, your photograph, your Biometric is very helpful in figuring about the other details of yours. In the same way, a bank employee will keep an eye on your financial transactions by knowing every detail of your credit card. These all things come under Personal Data Protection Bill.
Further, Personal Data is been divided into two subcategories. One is Sensitive Personal data, and the other is Critical Personal Data. Sensitive Personal data are that kind of data that includes data relating to health, religion, sex life, political beliefs, biometric, genetic, finance, etc. Some more examples are like National Population Register in which a separate database for individuals has been made. Suppose if a person buys an electoral bond then we can easily know about the person’s political inclination. It can be transferred outside India but can be stored only in India. In Critical Personal data, the government is showing its draconian nature, since it is completely at the discretion of the government what Critical Personal Data is. There is no clear-cut definition of Critical Personal Bill which is defined in the bill. Not the Legislature, not the judiciary, the Executive is playing the role of the master here. It cannot be transferred outside India.
This bill talks about two major parties. First is the person who is sharing his data is the data principal. The second part is data fiduciary. The entity which is receiving or collecting the data is known as data fiduciary. It is completely a trust-based relationship which is between data fiduciary and data principal. Some examples of data fiduciaries are listed below:-
- Foreign Companies
- Companies incorporated in India
- Social Media
- Central Government
- State Government
- Local Level Government
Data fiduciary plays some extremely vital functions with regards to provisions of the bill. To define the means and purpose for which data is collected. In simpler terms, how the data will be collected, what will be the procedure? The purpose behind the collection of data should be legal and just. It should be well defined by law. To protect data by encryption techniques and by various other methods, it is the responsibility of data fiduciary only.
As we all know that Article 21 of the Indian Constitution talks about the Right to Privacy which had come after the K.S. Puttaswamy judgment. So this signifies that if a state or government infringes any person’s privacy he or she can directly move to the Supreme Court under Article 32 writ jurisdiction. But if social networking site like Twitter, Facebook or Instagram leaks our data then we cannot move to Supreme Court since it is a private entity. Under Article 21, the Right to Privacy is given to individuals against the state, not to private entities. In case of leakage of data from a private entity, the person can maximum go to the High Court under Article 226 of the Data Protection Authority which is given under the provisions of the bill.
Grievance Redressal Mechanism should be there. It is the responsibility of data fiduciary to make a platform for its data principal to address every query or grievance. If data fiduciary is collecting data of children, then parental consent is a must. There must be a mechanism for age verification, data verification.
Role of Social Media Platforms in context of Personal Data Protection Bill.
It is a platform that connects people online.
The platforms must have a certain threshold of users.
Having implications for democracy and public order.
The above-mentioned three conditions is a must for social media platforms with regards to the bill. Now, social media platforms must have to comply with certain regulations of the bill. Government can do voluntary verification of its users from the platforms like Instagram, Facebook, and Twitter. Matrimonial sites have been excluded because they did not have implications for democracy and public disorder.
Certain rights are given to Data Principal. Data Principal can enquire about the status of data processing. We can ask data fiduciary to transfer data from one fiduciary to another for a certain specific purpose. The Ministry of Finance has also said clearly, that there should be no use in doing KYC two times. Data principal has the right to modify or correct data.
The fiduciary has the right to revoke consent to share data. Some examples are if you want to close an account on social media then you can deactivate your account same or you will revoke your consent. In the same manner, if you want to close an account, you have to ask the bank to return your KYC documents. Here also, you have revoked your consent.
But now the question arises what is the proof that social media site or that bank in which you have closed your account has permanently removed your data or dismissed the database in which your data was stored.
Now, this is a major loophole of the bill.
Exceptions of the bill
There are some grounds on which data of data principal can be shared without his consent. There are a total of three exceptions in which the consent of the Data Principal is not needed for sharing his data.
State action – State can use personal data to deliver benefits to individuals without their permission of individuals. But here again, the question arises that if, that if an individual does not want the benefit then who permits to steal data from the state.
Now, here again, the state shows its draconian nature.
Legal Action- when any legal action is taken against any individual then both private and state can steal your data without any consent.
During a medical emergency, both state and private can pull your data. Any type of surgery or any type of accident your data can be pulled.
Data protection authority has authority here in all three grounds.
Some exemptions where the provisions of the bill is exempted:
Now let’s talk about the cases where data protection authority has no authority or we can say that Data Protection Bill is not applicable there.
Central Government can exempt any of its organizations from provisions of the bill if it comes under the purview of security of the state, unity, and integrity, sovereignty, friendly relations with foreign states. Here, again it totally depends upon the discretion of the central government. The organizations which are exempted from the provisions of the bill are the Reserve Bank of India, the Central Bureau of Investigation, and the National Investigation Agency. But again it completely depends upon the discretion of the central government that to exempt which organizations or not. State government has no role to play here. Also, Data Protection Authority has no jurisdiction here. These are complete exemptions that I had talked about. There are some limited exemptions also like to prevent a crime there are some exemptions for investigative purposes and journalistic purposes also there are some limited exemptions with regards to the bill.
Central Government can ask any data fiduciary to share data of its data principles with the central government all across India. But data that should be shared with the government is Non-Personal Data of individuals. Non-Personal Data are those data that is not personal in the context of the bill. It is because with regards to the personal data protection bill major emphasis has been laid on Personal data only. In this part also the dictatorship of the central government has been seen since it is completely at their discretion.
Central Government can also ask about the anonymized data of individuals. Talking about anonymized data, it is a type of personal data which has been modified so that individuals cannot be identified. Basically, some encryptions have been made in it so the identity of the individual cannot be identified. The government has said that they are pulling non-personal data and anonymized data for providing better services to the public only.
But according to technical experts, the anonymized data can easily be decrypted. So again it is a risk to the privacy of the public. It is also a loophole in the bill.
Difference and Similarities of this bill concerning other countries:
We can clearly see after knowing about this bill that it works majorly on principles of European GDPR. GDPR just came in 2018 and had made its impact in European Nations. It marked the beginning of the biggest revolution in the past 20 years of the data regulation Industry. There are a lot of similarities that have been factored in the concern that emanates from a privacy standard of human beings almost human universal. Even if you look at the American senate judicial hearing on an issue of sensitive personal data, everything is almost discussed on the same line. That the concern has been same here in our country. So we are par or legislative approach, here has been at par with what the developed countries are thinking because India’s involvement on a global level is whatever norms and setting. Each and everything that is being now done at a much larger level also beyond the individual data and individual interest is also increasing. So, we get a flavor of what is expected out of it because we deal with a lot of data from many other nations. Through many ways like corporate and service legal agreement. We have been good in our track record in all these years if you look at sensitive personal data, initially, the thought was that they also should be processed here, but when a lot of foreign elements and entities were even talking to us expressing their concern in the bill which we have introduced in sensitive personal data also to be processed out all the critical personal data are subject to individual consent. But critical personal data will not be processed out, and it will remain or relive in their country. This is the reason a lot of things were harmonized.
According to Supreme Court judgment K.S. Puttaswamy (Right to Privacy) is a fundamental right and it is necessary to protect personal data as an essential facet of informational Privacy whereas the growth of the digital economy is also essential to open new vistas of socio-economic growth. In this context, the government policy on data protection must not defer framing any policy for the growth of the digital economy to an extent that it does not imp on Personal Data privacy. This personal data protection bill is a unique opportunity for India as a country with some 740 million Internet users to forge a path-breaking agenda that will act as a standard-setter in a still-developing field of National Data Protection Legislation. However, there is some part in this bill where the central government is showing its supremacy and dominance. Data protection authority must be allowed to function more independently and there should not be any interference from the government. On the other hand, the joint parliamentary committee has encouraged the stakeholders to give their honest feedback along with the valuable suggestions of people are also being welcomed by the committee is a big positive step.
As a way forward, we all are aware that a joint parliamentary committee is supposed to give its report on the Personal Data Protection Bill. In this budget session of parliament, probably thereafter we will get to see that is deliberated in the parliament and it will become a law. But do not think that commercial organizations should wait for that long because what is truly getting debated in the parliament may not impact a commercial organization to that extent. The point of data localization is a very different concept but apart from that, we know the gold standard is already there. We should start moving and start training our people in that direction because the GDPR experience has shown that two year time that they gave for organizations to ramp up was not sufficient for them and even at the end of two years, they were grappling for us. So as of now, it is a good time to start right now so that we are complaint within time.
 Arindrajit Basu, Justin Sherman, Key Global Takeaway from India’s revised Personal Data Protection Bill, Lawfare (June 11, 2021, 9:25 p.m.), https://www.lawfareblog.com/key-global-takeaways-indias-revised-personal-data-protection-bill
 Vakul Sharma, Seema Sharma, Data Protection Laws of the world, DLA Piper (June 11, 2021, 9:36 p.m.) DATA PROTECTION LAWS OF THE WORLD – ADISA
 Kumar Mihir, Data Protection and Outsourcing, http://www.atharvalegal.in( June 12, 2021, 2:21 p.m.), http://www.legalservicesindia.com/article/1199/Data-Protection-and-Outsourcing.html
 Rajat Mishra, Rajat Grover, Future of Privacy; Evaluating the Personal Data Protection Bill, 2019 in light of Contract for the web, Social Science Research Network (June 12, 2021, 2:25 p.m.), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3592363
 Devika Sharma, Personal Data Protection Bill 2019- Examined through the prism of fundamental Right To Privacy- A Critical Study, SCC Online (June 12, 20121, 2:36 p.m.), https://www.scconline.com/blog/post/2020/05/22/personal-data-protection-bill-2019-examined-through-the-prism-of-fundamental-right-to-privacy-a-critical-study
 Writ Petition ( Civil) No 494 of 2012; (2017) 10 SCC 1; AIR 2017 SC 4161