INTRODUCTION:
The personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Ministry of Electronics and Information Technology on December 11, 2019. The Bill mainly governs the Governments, the companies in India and also the foreign companies that deal with the data of the individuals in India. One of the main features of this bill is setting up of Data Protection Authority of India. The main purpose behind introducing this bill was to protect the right to privacy of Indian citizens relating to their personal data, specify the flow and usage of data, create a fiduciary relationship between individuals and entities processing the data for specific purpose and lay down certain regulations and norms for entities processing personal data. As of on March 2021, the bill is being analysed and examined by a Joint Parliamentary Committee (JPC) as there is still much confusion as to the enactment and implementation of the legislation.
WHY WAS THE BILL PASSED?
In August 2017, in the case of K.S Puttaswamy VS Union of India, the Supreme Court held that right to privacy is a fundamental right flowing from right to life and liberty given in Article 21 of the Constitution. Considering that, privacy of personal data is an essential aspect of right to privacy. During this case, the Indian Government set up an expert committee to devise India’s data protection framework, the committee submitted a draft of Data Protection Bill which was eventually introduced in the Parliament.
Prior to the Data Protection Bill, the usage and transfer of personal data of citizens was governed by IT Act, 2011. Under the IT Act, 2011, the companies handling the personal data of a citizen will be liable to compensate in case of any negligence while maintaining security in dealing with the data. One of the major drawbacks of the IT Act was that it was only applicable to the corporations and not to the Governments. This Bill was necessary to foster a culture that creates free and fair digital economy as well as respecting the informational privacy of an individual.
SOME TERMS RELATED TO THE BILL:
Before getting into the provisions of the Bill, let us first understand some terms mentioned in the Bill. Under this Bill, data principal is an individual whose personal data is being processed. Now, what is personal data? Personal data is any piece of information that can be used to identify person’s identity. For e.g. PAN or Aadhar no. The Bill categorizes certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
The entity or the individual who decides the means and purpose of data processing is known as data fiduciary. Such processing will be subject to certain purpose, collection and storage limitations. To collect personal data, the entities classified as data fiduciary should take consent from individuals whose data is in question. The definition of data fiduciary is a wide definition that could include everything from ride sharing applications to social media platforms to data brokers that buy and resell customer data.
PROVISIONS OF THE BILL:
One of the main provisions of this bill is that the data entities cannot collect personal data without consent. This bill grants certain rights to an individual. These rights include obtaining confirmation from the data fiduciary whether their data has been processed or not, seek correction of inaccurate personal data or have their data transferred to some other data fiduciary and restrict disclosure of their personal data if no longer necessary or the consent has been withdrawn. However, in some cases, consent from the data principal will not be required. These are medical emergencies, legal proceedings, the Government providing services or benefits to an individual, sovereignty or public order. One of the major drawbacks of this bill is that the government can access private data on the grounds of sovereignty or public order. For e.g. In case of health insurance where the Government can provide a service alongside private insurers, this raises the question as to why should public insurer be given an exemption from taking consent when the private insurance companies under the bill are required to take consent.
Under this bill, entities processing personal data are required to specify the purpose of the data collection. They should ensure that the data is complete and not misleading. Also, ensure that the data is retained for required period and not beyond. These have also been given certain exemptions in cases of data being processed for prevention, detection, investigation or prosecution of any offence. This clearly means that the fiduciaries can collect more data than required, retain the same for a longer period than necessary. Further, the individual will not have any control over his/her data.
One more provision of this bill is that the individuals can make a complaint to the data fiduciary for any violations of the provision of Bill only if such violation has caused or is likely to cause harm to them. It is unclear as to why the Bill does not allow an individual to file a complaint for violation of their rights.
CONCLUSION:
It has been a year since the Government introduced the Bill in the Parliament. The current status of the Bill still remains unsure. The Joint Parliamentary Committee examining the Bill will not approve the current version of the Bill, BJP MP Rajeev Chandrasekhar has said. This Bill lacks necessary safeguards that are needed to protect the right to privacy. The right to privacy is being jeopardized with the Bill providing unregulated and broad powers to the Government to exempt its agencies from provisions of the Bill. The discretionary power granted to the executive branch of the Government should have certain guidelines or regulations. India’s strategic interest lies in ensuring that it upholds its constitutional responsibility to its populace and privileges citizen rights and economic welfare over mere business or bureaucratic interests. But particularly due to concerning exemptions in the Personal Data Protection Bill it is not clear whether this objective is satisfied or not
Between the lines 