The Data Protection Bill – Significance, withdrawal, and criticism

Analysis

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha by the Minister of Electronics and Information Technology on December 11, 2019. The purpose of this Bill was to safeguard the data of several individuals and establish a Data Protection Authority. The Personal Data Protection Bill was a great initiative for those who process personal data. This would include the government, companies incorporated in India and foreign companies which deals with the personal data of the citizens of India.

The Personal Data Protection Bill 2019 has been withdrawn by the Indian government after over three years of discussion. The Bill had attracted major criticisms from industry stakeholders, NGOs, privacy activists and tech platforms as it proposed strict rules for international data transfers and giving the Indian government the authority to request user data from businesses. The Government is now considering to work on a new comprehensive legislation that would adequately capture needs and concerns of data privacy, cybersecurity, and overall digital ecosystem to meet the global privacy standard.

In order to understand the concept of the Bill, it is vital to understand what constitutes sensitive personal data. This would include financial data, biometric data, caste, religious or political beliefs, or any other data that has been categorised as such by the government. However, it is relevant to note is that after deliberating upon the Bill for almost three years, during which countless amendments were made to the Bill, the same was withdrawn by the Union Minister of Information and Technology.

Unique features of the Personal Data Protection Bill, 2019

The Personal Data Protection Bill was set to safeguard an array of interests of citizens through rights and, at the same time, place certain obligations on the giants that use the personal data of their users. The following are some of the specifications which made the bill unique:

1. Obligations of data fiduciary

A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. The information could only be possessed with the consent of the individual. However, there are circumstances under which the data can be possessed without consent as well.

The Personal Data Protection Bill, 2019 obliges data fiduciaries to process personal data, but it should be subject to certain purpose, collection, and storage limitations. For instance, personal data can be processed only for specific, clear, and lawful purposes. Additionally, all data fiduciaries must undertake certain transparency and accountability measures, such as implementing security safeguards (such as data encryption and preventing misuse of data) and instituting grievance redressal mechanisms to address complaints of individuals.

2. Rights of the individual

The Personal Data Protection Bill, 2019 establishes specific rights for the individual (or data principal). These rights include the ability to obtain confirmation from the fiduciary as to whether their personal data has been processed; seek correction of inaccurate, incomplete, or out-of-date personal data; have personal data transferred to any other data fiduciary in certain circumstances; and limit continuing disclosure of their personal data by a fiduciary if it is no longer necessary or consent is withdrawn. 

3. Social media intermediaries

The Personal Data Protection Bill, 2019 defines that all such intermediaries that have users above a notified threshold and whose actions can impact electoral democracy or public order have certain obligations, which include providing a voluntary user verification mechanism for users in India.

4. Data protection authority

The Personal Data Protection Bill, 2019 sets up a Data Protection Authority which may take steps to protect the interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill. It would consist of a chairperson and six members, with at least 10 years’ expertise in the fields of data protection and information technology.

Orders of the Authority can be appealed to an Appellate Tribunal which further ca be appealed to the Supreme Court.

5. Exemptions

The Data Protection Bill, 2019 gives authority to the central government to exempt any of its agencies from the provisions in the interests of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and to prevent incitement to the commission of any cognisable offence (i.e., arrest without warrant) relating to the above matters.

Reasons for withdrawal of the Data Protection Bill, 2019

The notion behind the bill was to safeguard citizens’ privacy by properly defining personal data, establishing a Data Protection Authority (“DPA”), and chalking out a policy framework for data use, including by big technology companies like Meta and Google.

However, the bill received criticism from opposition parties as well as some civil society groups who alleged that while it sought to introduce more controls for data use by private companies, it granted too many exemptions to the government and its agencies.

The withdrawn Bill had proposed restrictions on the use of personal data without the explicit consent of citizens. It had also sought to provide the government with powers to give exemptions to its probe agencies from the provisions of the Act.

Consequences

This Bill was the first step towards the protection of the rights and privacy of Indian citizens. Similar efforts have been launched around the world, including the European Union’s General Data Protection Regulation (GDPR) and state data privacy laws in the United States. Brazil has even implemented data privacy legislation.

While India has laws to regulate sensitive data under the Information and Technology Act of 2000, no legislation has been passed so far to implement the ethos of the Puttaswamy judgment, which guaranteed Indians their right to privacy. As Indians increasingly onboard onto digital platforms, there is an urgent need to protect citizens’ personal data and make the data utilisation process transparent.

The bill had become a bone of contention between the government and the tech giants. A statement containing the reasons for the withdrawal was circulated to the members of Lok Sabha. Reportedly the statement included that the government was working on a comprehensive legal framework considering 81 amendments and 12 recommendations proposed by the JPC.