The Personal Data Protection Bill, 2019 was introduced in the Parliament on December 11, 2019, and is based on the draft law presented by the Ministry of Electronics and Information Technology, by a nine-member committee of experts led by Justice B.N. Srikrishna in July 2018. A significant Supreme Court judgment to the Bill is the K.S. Puttaswamy vs. Union of India, wherein a nine-judge bench upheld the importance of the right to privacy as guaranteed under Article 21 of the Indian Constitution. The Personal Data Protection Bill, 2019 aims to protect the privacy of individuals concerning their personal data and regulates the relationship between individuals and entities that process their personal data. At the same time, it aims to create a resilient digital economy by ensuring innovation through digital governance. Key provisions of the Bill are ‘Data localization and individual consent would be required for the processing of personal data. Data Protection Officer to be appointed by the Significant Data Fiduciary, and instituting grievance redressal mechanisms to address complaints by individuals.

Key provisions of the Bill

• Applicability: The processing of data to be done within the territory of India by either the government, any individual in India or any foreign company having the data of people in India. 
• Data Fiduciary: Data fiduciaries are bound to have a transparent way of processing data, make sure the data is secured with the necessary safeguards, the data processed should have a lawful purpose, notice is supposed to be given to the individual whose data is being processed and the consent of the individual should be taken for the processing of data. 
• Consent: There are cases where the consent of the individual is not taken for the data processing. If the data is processed for any legal proceedings, by the government for the benefit of the individual, reasonable purposes. 
• Data Principal: The data principal has the right to know the information about the data fiduciary, right to erasure of data, make corrections in the data, restrict the data or remove the data (except the sensitive data)
• Data Protection Authority: The Data Authority makes sure that the data is not being misused and the processing and usage of the data is in compliance with the provisions of the Bill. 
• Transfer of Data: Sensitive personal data can be transferred outside the territory of India with the consent of the individual. Whereas the critical personal data cannot be transferred outside the territory of India.
• Exemptions: The Government has the right to remove any agency given in the provisions of the Bill, for the security and integrity of the country.
• Penalties: Penalties up to five crores for violations.

Comparison to International Conventions

• Comparing the provisions of the European Union’s General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law and India’s Personal Data Protection Bill (PDPB).
• The GDPR definition of Personal Data is specific to information used to identify an individual whereas the PDPB definition of personal data is broader including profiling and interpretation of the data with any other information is in accordance with it. 
• The GDPR ensures the basis for processing, whereas the PDPB does not provide a necessary basis for the processing of data.
• The requirements for consent under PDPB are more flexible when compared to the GDPR, where there are certain contractual necessities to be fulfilled.
• In cases where the users withdraw their consent of their data, it is not specified in the new 2019 bill whether the consent would be asked as the Bill fails to address such issues. Whereas GDPR has provisions to re obtain user consent in the transition plan. 
• There are over 10 lawful bases for processing the sensitive data under the GDPR, whereas the PDPB does not have such detailed provisions.
• The PDPB allows the individual to ask the data fiduciaries to delete their data with them, but this does not include the personal data (name, email address, home address and phone number). Whereas, GDPR gives the right to the individual to ask to delete all data from the data fiduciaries.
• The Bill does not give the individual a solid right on the ownership of their data, whereas Brazil’s General Data Protection gives assured ownership to the individuals on their personal data.

Criticism 

• Even though the copy of the data is within the territory of India, the encryption keys can still be not in the reach of the national agencies.
• In every provision that gives the government power over the data, the term ‘national security’ or ‘reasonable use’ is used which is not defined in the Bill and is very vague.
• Even though the Bill aims for transparency, the Right to Information Act cannot be used to know the processing of the data by the government.
• No clear provisions on the implementation of the Bill.
• No solid ownership right is given to the data principal over their data.
• No obligations on the data fiduciaries to notify the affected individuals in case of data breach. 

Advantages 

• Data Localization can help in investigations in law enforcement agencies. 
• Cyber-attacks can be kept on check. 
• Fake news, or wrongful propagandas that is a threat to national security can be kept in check.
• Increase Data Sovereignty in the country. 
• Data localization can help in increasing tax on the internet bodies in the country. 

Suggestions

Although this bill has some loopholes or flaws that need further consideration, such as not properly attending to the concern regarding the right to privacy, ambiguity about the functioning of DPA, etc. If the government really wants this bill to be successful, then you 

• need to relax your guidelines on cross-border data transfer, the operation of the DPA in the actual sense of the word to make it independent, 
• to include retired judges of the Supreme Court or the Supreme Court and persons with experience in the field of data protection in the DPA.  
• To give the individuals full ownership over their personal data, give proper clarification on the provisions and implementation of the Bill, 
• to re obtain the consent from the user and to give RTI Act precedence in circumstances of breach or conflict. 
• Government should give lawful and reasonable exemptions to its national security agencies such as the Central Bureau of Investigation (CBI), Research and Analysis Wing (RAW), Intelligence Bureau etc. so that they can use personal and non-personal data for detection of criminals and prevention of any cognizable offence.

The article has been written by Hiranmayi Rajeev,  a 2nd-year law student at Alliance University Bangalore.

The article has been edited by Shubham Yadav, a 4th-year law student at Banasthali Vidyapith, Jaipur.

Latest Posts

• Job opportunity at EXO Edge, Sahibzada Ajit Singh Nagar, Punjab, India: Apply Now!!
• Internship opportunity at Vishwas Advisors, Kalyan, Maharashtra, India: Apply Now!!
• Internship opportunity at Kulfi Collective, Mumbai, Maharashtra, India: Apply Now!
• Job opportunity at The Neotia University, Diamond Harbour, West Bengal, India: Apply Now !!
• Job opportunity at Morgan Stanley, Mumbai, Maharashtra, India: Apply Now!!
• Job opportunity at VISA INTELLIGENCE CONSULTANCY LLP, New Delhi, Delhi, India: Apply Now!!  
• Job opportunity at Amazon Web Services (AWS), Gurugram, Haryana, India: Apply Now!!
• Job opportunity at Stelcore Management Services Private Limited, Mumbai, Maharashtra, India: Apply Now!!
• Job opportunity at Zscaler, Sahibzada Ajit Singh Nagar, Punjab, India: Apply Now!!
• Job opportunity at Irish Expert, Delhi, India: Apply Now!!
• Job opportunity at UnitedLex · Gurgaon, Haryana, India: Apply Now!
• Internship opportunity at Vineforce · Nabha, Punjab, India: Apply Now!!

---

• CLAT-Peeps! (10)
  • Current Affairs (2)
• competitions (132)
• Conferences and Seminars (201)
  • Webinar (1)
• Course and Workshops (107)
• Debates (46)
• Eassy Competitions (69)
• Fellowships & Scholarships (56)
• Guest Blogs (6)
• important (29)
• Internships and Jobs (2,317)
• interviews (8)
• moot court (180)
• Opportuintes (2,731)
  • Job Opportunity (1,191)
• opportunity (2,559)
  • Call for papers (475)
  • Quizes,fests and others (298)
  • Work Opportunity (836)
• Our Blog (1,049)
  • Administrative Law (17)
  • ADR (13)
  • Arms Act (2)
  • Case Analysis (205)
  • Company law (36)
  • Constitutional Law (143)
  • Consumer Protection Act (17)
  • Contract Law (62)
  • CPC (10)
  • Criminal Law (140)
  • Cyber Law (13)
  • Environmental Laws (30)
  • Evidence Act (20)
  • Family Law (12)
  • General (205)
  • International Humanitarian Law (8)
  • International law (23)
  • IPR (10)
  • Jurisprudence (13)
  • labor laws (7)
  • Maritime Laws (1)
  • Partnership Act (2)
  • personal law (33)
  • Taxation (10)
  • Tort (64)
  • Transfer of Property (2)
• Our Services (11)
  • career advice (2)
  • others (6)
• Top Stories (524)
• Uncategorized (720)

Archives

• November 2023 (26)
• October 2023 (1)
• September 2023 (5)
• August 2023 (2)
• July 2023 (25)
• June 2023 (23)
• May 2023 (40)
• April 2023 (136)
• March 2023 (124)
• February 2023 (138)
• January 2023 (61)
• December 2022 (39)
• November 2022 (103)
• October 2022 (178)
• September 2022 (342)
• August 2022 (240)
• July 2022 (273)
• June 2022 (196)
• May 2022 (27)
• April 2022 (99)
• March 2022 (190)
• February 2022 (196)
• January 2022 (193)
• December 2021 (152)
• November 2021 (203)
• October 2021 (189)
• September 2021 (177)
• August 2021 (192)
• July 2021 (393)
• June 2021 (293)
• May 2021 (179)
• April 2021 (61)
• March 2021 (46)
• February 2021 (56)
• January 2021 (63)
• December 2020 (86)
• November 2020 (94)
• October 2020 (146)
• September 2020 (220)
• August 2020 (173)
• July 2020 (165)
• June 2020 (119)
• May 2020 (136)
• April 2020 (7)
• February 2020 (37)
• January 2020 (3)
• November 2019 (1)