Personal Data Protection Bill, 2019: An Analysis
The Personal Data Protection Bill, 2019 was introduced with an aim to protect the privacy of individuals with respect to their personal data. In July, 2017, the Ministry of Electronics and Information Technology (MeitY) and Government of India constituted a committee of experts under the chairmanship of the retired Supreme Court judge Justice B. N. Srikrishna.[i] The committee was burdened with the responsibility of identifying failures in the present data protection regulations and preparing more comprehensive laws for the data protection as there is no protection provided to the individual’s data and no law has been enacted on data protection. Only two provisions have been provided in Information and Technology Act, 2000 by amendment i.e. Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.[ii]
The Indian Central Government has issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A of the IT Act for the data protection but these provisions are not sufficient as it does not provide full protection to the private data. Therefore, The Personal Data Protection Bill, 2019 (PDP Bill) was introduced in Parliament on December 11, 2019. The PDP Bill is based on the recommendations given by the nine-member committee constituted under the chairmanship of Justice B.N. Srikrishna.[iii] The committee recommended various changes as well as requirements for data protection in India. The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019.[iv] On the same day, Lok Sabha referred the Bill to the Joint Parliamentary Committee. The report was expected to be out by the first day of the last week of the budget session, 2020 but it got extended to the second week of the monsoon session. Therefore, The Personal Data Protection Bill has not been passed yet. But there is a need of such laws because right to privacy is one of the fundamental rights held by the Supreme Court enshrined under Article 21 which talks about right to life and liberty.[v]
PERSONAL DATA PROTECTION BILL,2019
The Personal Data Protection Bill, 2019 provides a legal framework for protecting the personal data in India. It has been made after the European Union’s General Data Protection Regulation (GDPR). Privacy (also called as data privacy or information privacy) is defined as the ability of an individual or an organization to decide when, whom, and how much data in a computer system may be disclosed to a third party.[vi] PDP Bill introduces the definition of significant data fiduciary which has not been earlier defined anywhere. If there is any data breach in India, then according to PDP Bill, 2019 it is dependent upon the data protection authority that it should be reported to data principal or not. PDP Bill has also introduced the concept of right to be forgotten which says that the data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary in certain disclosures under section 20.[vii]
APPLICATION OF THE PERSONAL DATA PROTECTION BILL, 2019
The Personal Data Protection Bill applies to the territory of India, any Indian Company, companies outside India that process data in connection with a business in India or any other activity in India. Therefore, the Bill also applies outside India but in limited cases. The draft Bill also defines data, data auditor, data fiduciary, data principal, data processor, financial data, genetic data, health data as well as personal data. The Bill specifies that the personal data is the data of the natural person which identifies such natural person or any feature of such natural person by any means directly or indirectly. The Personal Data Protection Bill does not define data of personal communication as these days the communication held on digital platform leaked as personal communication can also include any personal information like passwords, debit card number, etc. But Section 26 of the Bill explains the term ‘social media intermediary’ as a new and separate category of data fiduciaries. It doesn’t apply to those who steal the laptop and mobile phones and leak the personal information from there as these days these cases are increasing day by day.
The Bill has also given the power to Central Government to exempt any agency of Government for the application of this Bill.[viii] The Bill also determined the establishment, composition and qualification of the Data Protection Authority of India. Penalties and compensation have also been provided by this Bill for those who contravenes any provisions of this Bill. The Bill also talks about protecting children’s data. Data controllers are required to create mechanisms for age verification and parental consent to process the personal data of children, defined as persons under the age of eighteen.[ix]
COMPARISON BETWEEN GENERAL DATA PROTECTION REGULATION, 2016 AND THE PERSONAL DATA PROTECTION BILL, 2019
The General Data Protection Regulation (GDPR) (EU)2016/679 was approved by the European Commission in April 2016 and apply to all EU Member States.[x]
1. The GDPR does not allow the Government to access non-personal data but PDP Bill allows the Government to access non-personal data as well.
2. The GDPR also allows data transfer to international organizations[xi] but PDP Bill does not allow sensitive personal data to be stored outside India and can only be processed outside India with proper authority’s approval.
3. The GDPR much more directly addresses personal harm from automated decision-making. The PDP Bill requires an assessment in cases of large-scale profiling but does not give the citizen the right to object to profiling, except in the cases of children.[xii]
4. In PDP Bill, mechanisms for age verification and parental consent to process the personal data of children are eighteen years whereas the parental consent under GDPR is sixteen years given under Article 8(1) of GDPR.
5. GDPR does not apply for the protection of any individual’s fundamental rights but PDP Bill aims to protect one of the fundamental rights i.e. right to privacy given under Article 21 of the Constitution. Article 21 does not directly talk about the right to privacy but the Supreme Court held that the right to privacy is a fundamental right under the right to life and liberty.
SIMILARITIES BETWEEN GENERAL DATA PROTECTION REGULATION, 2016 AND THE PERSONAL DATA PROTECTION BILL, 2019
1. Both GDPR and PDP Bill allows for data processing in terms of prevention, investigation, detection and prosecution of criminal offence.
2. In both GDPR and PDP, consent is required for processing of personal data.
3. Compensation for damages or any harm arising to the data Principal can be claimed by the person affected under both GDPR as well as PDP Bill. Both GDPR and PDP Bill uses the word ‘right’, therefore, the affected person can seek compensation as a matter of right.
4. The jurisdiction of GDPR and PDP Bill allows any processing of personal data only on the local territories, i.e. within the EU or Indian territory. Therefore, both laws apply to foreign countries in a limited way only.
After the introduction of PDP Bill, 2019, it has solved many problems in respect to the protection of data. But the submission of the report of the standing committee to the Lok Sabha is still due. Therefore, for the implementation of the Personal Data Protection laws, the Bill has to be passed by Lok Sabha as well as Rajya Sabha. The Personal Data Protection Bill provides more clarity that how the data should be protected and it also tells that in what situations, the data should be given to the authorities. These days, the concerns of every individual to maintain privacy online. That has also been covered under the Bill under anonymous data. In simple words, The Personal Data Protection Bill, 2019 is India’s regulatory journey towards a comprehensive data protection law.
[i] Data privacy Bill, 2019: all you need to know, PWC, https://www.pwc.in/consulting/cyber-security/data-privacy/personal-data-protection-bill-2019-what-you-need-to-know.html.
[ii] Data Protection laws, LINKLATERS, https://www.linklaters.com/en/insights/data-protected/data-protectedindia#:~:text=General%20data%20protection%20laws&text=India%20has%20also%20not%20yet,improper%20disclosure%20of%20personal%20information..
[iii]The personal Data Protection Bill, 2019, TRILEGAL (Dec 12, 2019), https://www.trilegal.com/index.php/publications/analysis/the-personal-data-protection-bill-2019.
[iv] The Personal Data Protection Bill, 2019, PRS LEGISLATIVE RESEARCH, https://www.prsindia.org/billtrack/personal-data-protection-bill-2019.
[v] Justice K.S. Puttaswamy vs Union of India, (2017) 10 S.C.C. 1 (India)
[vii] The Personal Data Protection Bill, 373 of 2019, introduced in Lok Sabha, 2019 (India).
[viii] Shreya Chandhok, Comparative analysis: General Data Protection Regulation, 2016 and the Personal Data Protection Bill, 2019, IKIGAI LAW (Feb 6, 2020), https://www.ikigailaw.com/comparative-analysis-general-data-protection-regulation-2016-and-the-personal-data-protection-bill-2019/.
[ix] Lothar Determann, India’s Personal Data Protection Act, 2018, POSEIDON, https://poseidon01.ssrn.com/delivery.php?ID=697001127126075121120116072126082074103024036044086003100072099125124093023126095029110032053022109049003121006071097102070119116083094022086123066110118116027117098005065067021088123113108026004070095022023092123006025065005112123088067104064121012100&EXT=pdf.
[x] Wolf Enforcement Services Ltd, Data Protection Policy & Procedures, WOLF COLLECTION SERVICES (Aug 9, 2019), https://wolfcollectionservices.co.uk/wp-content/uploads/Data_Protection_Policy_Procedures-v2.pdf.
[xi] Aditi Chaturvedi, GDPR & India, CIS-INDIA, https://cis-india.org/internet-governance/files/gdpr-and-india.
[xii] Karishma Mehrotra, Explained: How Data Protection Bill compares with it’s EU Counterpart, THE INDIAN EXPRESS (Dec 13, 2019), https://indianexpress.com/article/explained/how-data-protection-bill-compares-with-its-eu-counterpart-6164237/#:~:text=It%20resembles%20the%20list%20of,for%20this%20type%20of%20data.&text=The%20PDP%20Bill%2C%20unlike%20the,data%E2%80%9D%2C%20or%20anonymised%20data..
ABOUT THE AUTHOR
This blog has been authored by Shalini Gupta who is a 4th Year B.A., LL.B. (Hons.) student at Galgotias University, Greater Noida.
[PUBLICATION NO. TLG_BLOG_20_1104]