The Realm of Data: India’s Data Protection Bill 2019

  • Home
  • The Realm of Data: India’s Data Protection Bill 2019

The Realm of Data: India’s Data Protection Bill 2019

By Manasvini Abhyankar

In July 2017, a committee chaired by Justice B. N. Srikrishna, was set up to assess the various issues related to data protection in India. Soon after, in August 2017, the Supreme Court of India held that privacy is a fundamental right, flowing from the Right to Life and Personal Liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy. The Committee submitted the report alongside a draft of Personal Data Protection Bill 2018, to the Ministry of Electronics and Information Technology in July 2018. Finally, the Indian government introduced the Personal Data Protection Bill in Parliament on 11 December, 2019.

The Personal Data Protection Bill sets rules for the way personal data should be processed and stored, enlisting people’s rights with reference to their personal information. It also proposes to create a new independent Indian regulatory authority to carry out this law, the Data Protection Authority (DPA). Almost all businesses across India will have to meet the conditions of the bill. These will include not just e-commerce, social media, and IT companies, but also brick-and-mortar shops, real-estate companies, hospitals, and pharmaceutical companies.

Personal Data Protection and Provisions of the Personal Data Protection Bill

Data is often broadly classified into two categories — personal and non-personal data. Personal data refers to characteristics, traits or attributes of identity, which may be used to identify an individual while non-personal data includes aggregated data through which individuals cannot be identified. Data protection refers to the set of policies and procedures seeking to minimise intrusion into the privacy of a person caused by collection and usage of their personal data.

The Bill regulates personal data associated with an individual and the processing, collection and storage of such type of data. As per the Bill, a data principal is an individual whose personal data is being processed. The entity who decides the means and purposes of data processing is known as data fiduciary. This bill governs the processing of personal data by both, government and companies incorporated in India. It also governs foreign companies if they deal with personal data of Indian citizens.

Many of the consent-related provisions in the recent data protection bill of India are quite similar to those enshrined within the European Union’s General Data Protection Regulation (GDPR). According to the new Indian bill, to collect personal data, entities classified as data fiduciaries must obtain consent from the individuals whose data is in question.

The Bill provides the data principal with certain right to their personal data, which include seeking confirmation on whether their personal data has been processed, seeking correction, completion or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their personal data if it is no longer necessary or if consent is withdrawn. Moreover, the Bill also provides for certain obligations of data fiduciaries with respect to processing of personal data. All data fiduciaries ought to undertake certain transparency and accountability measures such as implementing security safeguards and instituting grievance redressal mechanisms to address complaints of individuals. The fiduciaries must undertake additional accountability measures such as conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data.

Changes in the New Bill

The updated Bill retains the core structure of the previous draft, which closely adheres to the model provided by the GDPR. However, there are noteworthy changes in the recent Bill that include some of the more controversial features of the 2018 draft such as data localization requirements and provisions carrying criminal penalties. Further, the Bill also includes requirements that did not appear in the first draft, such as an enhanced right to erasure, obligations that attach to ‘anonymous data’, and specific requirements for ‘social media intermediaries.’

While much of the Draft Bill remains unchanged, a number of notable changes have been made to specific provisions and several new provisions have been added to the new draft.

  • Identifying Categories of Sensitive Data: the Data Protection Authority (DPA) is not the only authority which specifies further categories of sensitive data, but also the Central Government in consultation with the authority and the sectoral regulator concerned.
  • Social Media Intermediaries: The category of significant data fiduciary now includes any social media intermediary with users above a certain threshold notified by the Government in consultation with the DPA and whose actions have or are likely to have significant impact on electoral democracy, security of state, public order or the sovereignty and integrity of India.
  • Data Localization: The previous data localization requirement that a copy of personal data be stored in India has now been removed from the Draft Bill. There also appears to be no specific restriction on data transfers except for sensitive data and critical personal data. However, sensitive data that had to be transferred outside of India but must continue to be stored in India.
  • Sharing Anonymized Data with the Government: The Indian Government in consultation with the Indian DPA, may direct any data fiduciary or processor to provide them with the anonymized or other non-personal data in order to enable better targeting of delivery of services and/or formulation of evidenced-based policies by the government.

Points to Consider

It seems necessary to throw some light upon the points as acclaimed by the critiques that the proposed data protection bill seems to have deviated from the original goal and the emphasis is now more on the security and accessing of data by the government. The biggest concerns here, about the bill, among academics and activists are the exemptions granted to the government for data collection. The section 35 states that exceptions can be made to collection rules, reporting requirements, and other requirements as and when the government finds that it is ‘necessary or expedient’ in the interests of sovereignty and integrity of India, national security, friendly relations with foreign states and public order. The government perceives the data as a national resource which gives rise to a dilemma — between protection of personal data of the citizens and/or to have access and control over data by the government.

The introduction of a data protection bill appears to be a very small step toward occupying a leadership position on democratic data governance. However, the text of the bill largely appears to be a melange of provisions in the GDPR with some authoritarian leanings. In the context of the new Indian bill, these include the enabling framework for government surveillance in the bill which undoubtedly entrenches government power to undermine citizen privacy. The blurring of the distinctions between non-personal data and personal data thus becomes concerning. The bill ultimately seems to dilute the protection of individual data rights by enabling the government to access anything it feels would fit within the laid-out categories of exemptions.

India’s strategic interest likely lies in ensuring that it upholds its constitutional responsibility to its populace and privileges citizen rights and economic welfare over mere business or bureaucratic interests. However, due to concerning exemptions in the draft of the Personal Data Protection Bill, it is obscure whether this objective is satisfied. Further, the authoritarian leanings, as acclaimed by experts, would ultimately undermine India’s potential in the global sphere to guide emerging market economies and smaller democratic states and thus render Indian model less appealing for nations looking to chart out a new vision of data governance that merges the right to privacy with important civil liberties.

About The Author

Manasvini is a graduate in Economics from St. Xavier’s College, Mumbai. She has done her Masters in Public Policy. She’s interested in the areas of Development, Economics and Policy Research.

Research Recent

The Criminal Procedure Act gives a new angle to data collection and retention in India
The Urban Reality of Indian Cities
The Conflict of Interest Ahead of Winter Olympics
How Would Climate Change Look for Europe?
The Battle isn’t won yet: LGBTQ+ COMMUNITY IN PRESENT TIME

Our weekly newsletter

Analysing the policies, plansand
parities of the 21st Century