“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the internet.”
- Gary Kovacs

The internet has given birth to entirely new markets which deal in the collection, organization, and processing of personal information, whether directly or as a critical component of various business models. India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 (“IT Act, 2000”) and the (Indian) Contract Act, 1872.

The Indian legislators were awakened and felt the need to draft the subject legislation when the Supreme Court recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India. Thereafter, a Committee of Experts was set up to analyze the various aspects of data protection, resulting in the birth of the first draft of the Personal Data Protection Bill in the year 2018.

WhatsApp’s latest update on its privacy policy has created a stir among the WhatsApp users of India as the loopholes in the Indian data protection laws have now come to light. The Personal Data Protection Bill, 2019 (“PDP Bill, 2019”) has been pending approval from both houses of the Parliament for a while now due to the constant changes proposed in data protection laws. The Bill is inspired by the provisions of the General Data Protection Regulations (“GDPR”) of the European Union and seeks to protect the personal data of individuals, which is time and again collected by the digital media for countless purposes. In such cases, a layman may not be aware of how far his/her data has travelled and who may have access to it.

As mentioned above, the law governing data privacy and protection in India at the moment is the IT Act, 2000, wherein an entity can be held liable for using an individual’s data or personal information without authorization and for committing any act of negligence regarding such information. However, one of the shortcomings of this law is that the scope and definition of ‘sensitive personal information’ is narrow and that the provisions of the law are not applicable to the government authorities which are using data of the citizens.

Principles that constitute a good data protection policy include control by individuals over their data, and the ability to track who is collecting their data, where it is being stored, how it is being used and what recourse is available to them against misuse of such data. There have been one too many occurrences where personal information, anonymised or not, has been used with mala fide intentions. Therefore, the PDP Bill, 2019 is an attempt to protect the privacy of individuals with respect to their personal data and govern the relationship between individuals and entities processing this data. It also aims to create a robust digital economy by ensuring innovation through digital governance.

Birth of the PDP Bill
The PDP Bill, 2019 was introduced in the Lok Sabha by the Minister of Electronics and Information Technology on 11th December, 2019 to bring about a comprehensive overhaul of India’s data protection management, which was subject to governance under the IT Act, 2000 and the rules thereunder. The PDP Bill is broadly inspired by the principles of the European Union’s GDPR, 2016 and has been articulated largely in line with the provisions of the Draft Personal Data Protection Bill, 2018.

Key Features of the PDP Bill
The aim of the PDP Bill, 2019 is to regulate the personal data of the individual, its collection, storage, processing and divulgence:
  • It introduces the definition of “Sensitive Personal Data” as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political beliefs.
  • It attempts to govern companies as well as the government agencies involved in processing of an individual’s data, whereas the IT Act, 2000 is currently limited to companies.
  • An individual whose data is being disclosed, processed and used is termed as ‘data principal’, who has been conferred with the rights of information, correction, completion, erasure, transfer, restricting disclosure and withdrawal of their data.
  • The entity collecting and storing the data of a data principal is termed as a ‘data fiduciary’. Data fiduciaries have certain obligations regarding processing of personal data. For example, such processing should be subject to certain purpose, collection and storage limitations. Personal data can be processed only for specific, clear and lawful purpose.
  • Further, all data fiduciaries are required to undertake certain transparency and accountability measures such as implementing security safeguards and instituting grievance redressal mechanisms to address complaints of individuals. Certain fiduciaries may be notified as ‘significant data fiduciaries’ who shall be obliged to undertake additional accountability measures such as conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data (including financial data, biometric data, caste, religious or political beliefs).
  • The PDP Bill, 2019 will extend to data fiduciaries or data processors who are not present within the territory of India, if they carry out processing of personal data in connection with (a) any business carried on in India, (b) systematic offering of goods and services to data principals in India, or (c) any activity which involves profiling of data principals within the territory of India.
  • It proposes to set up a Data Protection Authority which will act as a grievance redressal forum for an aggrieved individual whose grievances were inadequately dealt with by the data fiduciary.
  • Exemption has been provided for processing of personal data without the data principal’s consent in certain cases such as (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
  • Personal data has been defined on set standards of identifiability. ‘Anonymised data’ is not covered under the provisions; however, the Central Government is empowered to create policies to direct data fiduciaries or data processors to share anonymised data or non-personal data to enable better targeting of delivery of services.
  • The PDP Bill emphasises compliance requirements for all forms of personal data, extends the rights given to individuals over their data, introduces a central data protection regulator, highlights the restrictive conditions for transfer of personal data, lists the penalties for reckless de-identification/misuse of data, and establishes data localization requirements for certain forms of sensitive data.
  • Penalty has been provided for any entity which re-identifies and processes de-identified personal data without consent, which can be imprisonment of up to three years, or fine, or both.

Analysis and Impact of the PDP Bill
With the digitalisation of the Indian economy, having a regulatory sandbox in place may be the need of the hour. Exemption to government agencies from the provisions of the PDP Bill for certain circumstances may defeat its purpose and endanger an individual's fundamental right to privacy. The data localization rules may raise cybersecurity and national security concerns. The PDP Bill specifies that “critical” or “sensitive” personal data, related to information such as religion, or to matters of national security, must be accessible to the government if needed to protect national interest, but such open-ended access could lead to misuse of the data.

Furthermore, the concept of right to be forgotten has been vaguely inserted in the PDP Bill under the right to erasure. The underlying logic for the creation of this right is that a person must be able to control their data by seeking erasure of data being processed by a data fiduciary.

Users will have the right to ask firms to delete their personal data, which means that they will have the right to be forgotten if their purpose is served or if they wish to withdraw their consent. However, this is a limited and arbitrary right given under the PDP Bill, where the right to erase the data stored is subject to the approval and examination of an Adjudicating Officer.

Conclusion
The PDP Bill is yet to be reviewed by the Joint Parliamentary Committee and the shortfalls will hopefully be fixed before the same is finalized and brought into effect. The Lok Sabha has once again, and for the fourth time, extended the Joint Committee’s timelines, up to the first week of monsoon session 2021 of Parliament for presentation of the report on the PDP Bill. The Joint Committee has been making substantial efforts and has interacted with various stakeholders such as Facebook, Twitter, Amazon, Ola, Google, Paytm, etc. in order to get recommendations on implementation of the PDP Bill. It is of immense importance to mention that the pandemic has forced the world to depend on the digital world and therefore, the need to implement the PDP Bill now is more pressing than ever before. While the PDP Bill is a positive step to recognize and protect sensitive data, it may dilute the fundamental right of privacy by provisions such as increased State power of surveillance without creating adequate checks and balances. The blurring of the distinctions between non-personal data and personal data is still a matter of concern. The citizens can now hope for the best as the ball is in the legislature’s court!