Personal Data Protection Bill, 2019

• IAS NEXT, Lucknow
• 15, Nov 2021

A Parliamentary panel deliberating on the Personal Data Protection Bill has made the following recommendations:

• Limit the exemptions available to the government under the current version by placing reasonable restrictions on how the exemption can be availed.
• The government be exempted only under a “just, fair, reasonable and proportionate procedure”.
• The government keep non-personal data “including anonymous data” outside the purview of the personal data protection bill.

Background:

The draft Personal Data Protection Bill, 2019 was referred to a Joint Parliamentary Committee (JPC) in 2019 which was tasked to come up with a report on its recommendations on the various provisions in the bill.

What’s the issue?

Currently, the contentious clause 35 of the draft data protection bill allows the government and its agencies to gain blanket exemptions from complying with any and all provisions of the bill, with no checks and balances in place.

• Agencies like the Aadhaar authority UIDAI and the Income Tax Department have already sought to be exempted from the bill.

The Personal Data Protection (PDP) Bill 2019:

The genesis of this Bill lies in the report prepared by a Committee of Experts headed by Justice B.N. Srikrishna.

The committee was constituted by the government in the course of hearings before the Supreme Court in the right to privacy case (Justice K.S. Puttaswamy v. Union of India).

How does the bill seek to regulate data?

The bill constitutes 3 personal information types:

1. Critical
2. Sensitive
3. General

Other Key provisions:

Data principal: As per the bill, it is the individual whose data is being stored and processed.

Social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, should develop their own user verification mechanism.

An independent regulator Data Protection Agency (DPA) will oversee assessments and audits and definition making.

Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.

The bill also grants individuals the right to data portability, and the ability to access and transfer one’s own data.

The right to be forgotten: This right allows an individual to remove consent for data collection and disclosure.

Exemptions:

The Personal Data Protection (PDP) Bill 2019 has a contentious section 35, which invokes “sovereignty and integrity of India,” “public order”, “friendly relations with foreign states” and “security of the state” to give powers to the Central government to suspend all or any of the provisions of this Act for government agencies.

Why there are Concerns over the bill?

The bill is like a two-sided sword. While it protects the personal data of Indians by empowering them with data principal rights, on the other hand, it gives the central government with exemptions which are against the principles of processing personal data.

• The government can process even sensitive personal data when needed, without explicit permission from the data principals.