
Amendments Simplified

Personal Data Protection Bill, 2019


The Personal Data Protection Bill, 2019, has been at the top of discussions for the last two years. Amid both appreciation and criticism, the Bill has been tabled in Parliament for the winter session. The PDP Bill makes some constructive inclusions in the data protection sphere. Still, a few exceptions for data processing by government entities have put it in the spotlight in the legislative houses.

The year 2021 has been the year of data breaches, and with more and more companies becoming vulnerable to such attacks, it is people's data that is put at risk. Taking inspiration from the European Union's GDPR, India is introducing new data protection and regulatory acts. The framework is developed with the intention of making it an enabler of data security in India.

What is the Personal Data Protection Bill all about?

The PDP Bill primarily focuses on requiring a fiduciary or body corporate to obtain prior consent from individuals before using their personal data; it limits use of that data by companies and restricts it to the purposes for which it was collected. The Bill introduces the concept of a DPO, i.e., a Data Protection Officer, to oversee the compliance process across India. The Bill also talks about Data Localization, which would ensure the processing of data within the jurisdictional boundaries of the Bill.

The Bill categorizes specific personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.

The Bill will impose stricter procedures on the disclosure of sensitive personal data of citizens of India and its processing by business entities within and outside India. The introduction of three new terms in the Bill has brought some clarity about the entities processing the data of individuals. Let's take a look at what they mean:

  • Data Fiduciaries: A Data Fiduciary is an individual or an entity who decides on the means and methods of processing personal data. Under the PDP Bill, the processing of personal data will be subject to certain explicit and lawful purposes for its collection and storage. Additionally, the Bill directs all Data Fiduciaries to adopt encrypted mediums and avoid data misuse or compromise, to have a data redressal mechanism to address anyone aggrieved by a data breach, and to have age verification and parental control mechanisms while processing children's data.

  • Data Principals: Data Principals are individuals subjected to data collection or processing. The Bill has set out certain rights of Data Principals, such as:

(i) Obtaining confirmation from the Data Fiduciary if their data has been processed. 

(ii) Approaching the Data Fiduciary for correction of submitted data if it is incomplete, inaccurate, or out of date.

(iii) Right to get personal data transferred to any other fiduciary in some exceptional circumstances.

(iv) Withdrawing consent and restricting continued disclosure of an individual's data when it is no longer necessary.

  • Data Protection Authority: The Personal Data Protection Bill introduces the DPA, i.e., a Data Protection Authority whose sole purpose would be to protect the interests of individuals, prevent any kind of misuse of data, and ensure utmost compliance with the Bill. The DPA will consist of 1 chairperson and 6 members with at least 10 years of experience in the data protection and IT industry. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.

Controversies associated with the Bill - 

Given the magnitude of changes the Bill is expected to bring, it does come with a few concerning provisions. To name a few:

1. Data localization 

2. Government processing of data

3. Surveillance reform 

Other Issues Raised - 

1. Should public service providers be exempt from asking for consent? Are broad exemptions justified for the investigation and prevention of offenses?

2. The power allocated to the DPA and its efficiency.

3. Should data fiduciaries have the discretion to report a data breach?

Details: 

(i) Ambiguous legislative provisions could compromise the DPA's functioning for political benefit.

(ii) DPA - Learned members of the legal industry have raised concerns about the conceptualization and functioning of the DPA, especially given its wide-ranging powers.

  • DPA has to exercise law-making power

  • Monitor compliance

  • Receive complaints and resolve these disputes. 

It also has various burdensome administrative duties, such as approving each contract or intra-group scheme for cross-border transfer of sensitive personal data by data fiduciaries. All of these are to be done by the six members of the body. This could make the DPA grossly insufficient to implement the Bill at every level, given that it applies not just to digital data but also to manual data. Also, a number of interpretations have been left to the DPA, e.g., setting the boundaries of the law.

(iii) Self-reporting of a breach is at the discretion of the fiduciary; this can lead to underreporting.

Technology grows faster than regulation, and it will be challenging to keep up. Serving as the backbone of a technological migration of data as massive as India's would need a herculean effort. Hence, technical competence is of paramount importance too. The provisions of the Bill make it bound to fall into a pit of conflicts. So let's keep an eye out for what the future of the Protection of Data Privacy Bill brings to the table!

Stay tuned for what's happening in the legal space by following Rest The Case. Read more such simplified legal bills on the 'Amendment Simplified' segment of Knowledge Bank. 


Author: Shweta Singh