Explained: All You Need To Know About Personal Data Protection Bill, 2019
The contentious Personal Data Protection Bill, 2019 (PDP Bill), which was introduced in the Lok Sabha on December 11 by IT and Communications Minister Ravi Shankar Prasad, has been referred to the joint select committee of Parliament for scrutiny.
The select committee will comprise 20 members of the Lok Sabha and 10 members of the Rajya Sabha. The committee is expected to submit its report before the end of Parliament’s budget session.
A draft of the PDP bill was prepared by the Justice BN Srikrishna Committee in 2018. However, the government made some changes to the Srikrishna draft before tabling the PDP bill in the Lok Sabha.
Highlights Of The Bill
1. The bill defines data as “a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.”
2. The bill refers to the individual whose data is stored and processed as the data principal.
3. It has laid down the procedure to govern the processing of personal data, by the (i) government, (ii) foreign companies that deal with the personal data of individuals living in India, and (iii) any Indian company.
4. The bill has designated certain personal data as sensitive personal data, which includes financial data, biometric data, data on political beliefs, or any other data as specified by the govt. in consultation with the Data Protection Authority (DPA), and the concerned sectoral regulator.
5. Data Protection Authority of India – The DPA will take steps to ensure that data processing entities comply with the bill, so that the personal data of an individual is not misused. The authority will comprise a chairperson and six members, all having at least 10 years of experience in the field of data protection and Information Technology.
6. It specifies the purpose and obligations of the data fiduciary. A data fiduciary is an entity (govt. or company) or an individual who decides the means and purpose of processing personal data. Any personal data will only be processed when there is a clear and lawful purpose.
It’s the data fiduciary’s responsibility to ensure that personal data of the data principal that’s processed is complete, accurate, non-misleading and updated. They will also have to undertake certain transparency and accountability measures for personal data.
The bill says that the personal data of a data principal will only be processed by a data fiduciary with the data principal's consent. However, there are exceptions where consent is not required: (i) if required by the state to provide benefits to the individual, (ii) for a medical emergency, (iii) if required for legal proceedings.
7. The bill requires social media companies, called significant data fiduciaries, based on the volume of their data and turnover, to develop their own user verification mechanism.
8. The bill exempts agencies of the central govt. from the provisions of the act if the govt. considers personal data processing necessary for the purpose of (i) national security, (ii) friendly relations with foreign states, and (iii) public order. This processing shall also entail taking safeguard measures.
9. The bill gives the central govt. the authority to direct data fiduciaries to provide it with (i) non-personal data, and (ii) anonymised personal data as it will help the govt. in better targeting of services.
How PDP Bill Differs From Srikrishna Draft
1. The Srikrishna draft didn’t specify that significant data fiduciaries must develop their own user verification mechanism. The process of verification will reduce the anonymity of users and prevent trolling, officials told The Indian Express.
2. The Srikrishna draft in Section 42 allowed the govt. agencies to access the personal data of individuals for the reason of national security, with respect to the principle of proportionality and necessity.
However, as per the PDP bill, the govt. can make any of its agencies completely exempt from all the provisions of the bill. The bill in Section 35 doesn’t provide any clarity on what ‘safeguards and oversight mechanisms’ will be undertaken.
3. The right to the erasure of data was not applicable under the Srikrishna draft, but the PDP bill has given the data principal the right to request that the data fiduciary erase data that is no longer needed for the purpose of processing.
4. The Srikrishna draft recommended the appointment of a judicial member (the Chief Justice of India or a Supreme Court judge) to the selection committee, which will be empowered to give recommendations to the central govt. for appointments of the members of the DPA. But the PDP bill has removed the need for the appointment of a judicial member. The recommendation panel will comprise (i) the Cabinet Secretary, (ii) Secretary, Department of Legal Affairs, (iii) Secretary, Ministry of Communications and IT.
Criticism of The Bill
Justice B N Srikrishna, while speaking to The Economic Times, called the PDP bill “dangerous” and said it can turn India into an “Orwellian state.” On govt. agencies getting exemptions, he said, “They have removed the safeguards. That is the most dangerous. The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications.”
The US India Business Council President, Nisha Desai Biswal, has expressed concerns over certain provisions of PDP bill related to the private sector, PTI reported. “The bill contains several new provisions outside the core issue of data privacy that raise serious concerns for the private sector, particularly the inclusion of requirements around non-personal data and social media intermediary liabilities,” she said.
Biswal added, “Given the need for additional discussion, we urge the government to remain focused on essential data privacy issues and to take up these matters in existing policy efforts that are already being done in parallel to the PDPB.”
While Some Came In Support
“With there being constant news about how user data has been compromised/misused by people with malicious intent, there is an increasing need to have proper guidelines in place to secure confidential data. We welcome the initiative by the Government of India to table the data protection bill in the current session of parliament. The bill is expected to spell out a framework, which would include the processing of personal and private data by public and private entities,” Bhavin Turakhia, Founder & CEO, Flock, told News18.
“This bill will help India and its citizens to fight threats and safeguard our country’s data integrity, sovereignty and security,” says Ramesh Mamgain, Area Vice President India and SAARC Region from Commvault.
Earlier in October, data released by UK research firm Comparitech noted that India is the third most vulnerable country on the chart when it comes to surveilling citizens.
On the company’s privacy index, India scored 2.4 out of 5, indicating a “systemic failure to maintain (privacy) safeguards.”
India frequently shares information with the US and has multiple Mutual Legal Assistance Treaties with different countries that demand user data be shared regularly.