Personal Data Protection Bill, 2019: An Analysis
Written by: Kajal Kumari & Abhishek Yadav, Students, School of Law, Galgotias University
On 11th December 2019, the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha by Shri Ram Shankar Prasad, Minister of Law and Justice, Communication and Electronics and Information Technology. The Bill is a revised version of the 2018 draft bill prepared by the committee headed by retired Justice B.N. Srikrishna. The purpose of the Bill is to protect the personal data of individuals, create a framework for processing such personal data, and establish a Data Protection Authority. The Bill is broadly based on the principles of Europe's General Data Protection Regulation, 2016.
Need for data protection
I) Protection of privacy,
II) Check snooping or surveillance by various agencies,
III) Economic losses from cyber crimes,
IV) Increasing sophistication of cyber crimes.
Protection of privacy: In India, there are more than 62 crore internet users, whose personal data is shared online. In K.S. Puttaswamy & Anr. v. Union of India & Ors., the Honourable Supreme Court declared that the right to privacy is a fundamental right. It is the constitutional duty of the State to protect the individual's privacy.
Check snooping or surveillance by various agencies: Recently, the Israeli software Pegasus hacked the WhatsApp accounts of 121 Indian citizens. In the Facebook-Cambridge Analytica data scandal of 2018, personal data from millions of people's Facebook profiles was used without their consent for the purpose of political advertising.
Economic losses from cyber crimes: According to an IBM study, the average cost of a data breach in India is Rs. 12.8 crore, with the per capita cost per lost or stolen record reaching Rs. 5019 in 2018. Moreover, data is considered the new oil of the 21st century. Without proper data regulations or data localization norms, global firms like Google and Facebook benefit from data collected from Indians.
Increasing sophistication of cyber crimes: According to the IBM study, the root cause of 51% of data breaches in India was malicious or criminal attacks.
Key features of the Bill
Personal Data: Data that can be used to identify an individual. This Bill deals with various types of personal data:
1. Sensitive Personal Data: Data related to finances, health, official identifiers, sex life, sexual orientation, biometric, genetics, transgender status, intersex status, caste or tribe, religious or political belief, affiliation.
2. Critical Personal Data: Military or national security data; it is up to the Central Government to determine what is to be considered Critical Personal Data.
3. General Personal Data: Data other than sensitive personal data and critical personal data.
The Bill applies to both government and private entities. In other words, the Bill governs the processing of personal data by the government, companies incorporated in India, and foreign companies dealing with the personal data of individuals in India.
Obligations of Data Fiduciary
A Data Fiduciary is an entity or individual who collects personal data and decides the means and purposes for which it is collected or processed.
Chapter II of the Personal Data Protection Bill, 2019 deals with the obligations of the Data Fiduciary:
I) Personal data can be processed only for a specific, clear and lawful purpose.
II) All Data Fiduciaries must undertake certain transparency and accountability measures such as:
a) Implement security safeguards like data encryption and prevent misuse of data,
b) Institute a grievance redressal mechanism for complaints raised by individuals.
Rights of Data Principal
A Data Principal is an individual whose data is being collected.
Chapter V of the Personal Data Protection Bill, 2019 deals with the rights of the Data Principal:
I) Right to enquire about the status of data processing,
II) Right to ask the Data Fiduciary to transfer the data to another Data Fiduciary for certain purposes,
III) Right to modification/correction of data,
IV) Right to be forgotten, which allows Data Principals to erase their personal data that is published online and gives them the freedom to ask Data Fiduciaries to delete any data which they don't want in the public domain.
Grounds for processing personal data
The Bill allows Data Fiduciaries to process an individual's personal data only if the individual gives consent.
Chapter III of the Personal Data Protection Bill, 2019 deals with the grounds for processing personal data without the individual's consent:
I) if required by the State for providing benefits to the individual,
II) in legal proceedings,
III) in response to a medical emergency.
Social Media platforms
Social media platforms that connect people online, have a certain threshold of users, and have implications for democracy and public order have certain obligations, such as providing a voluntary user verification mechanism for users in India. For example: Facebook, Twitter, etc.
Data Protection Authority
This Bill establishes a Data Protection Authority of India:
I) To enforce the Bill,
II) To look into its implementation,
III) To pass orders on data protection,
IV) To prevent misuse of personal data.
It is compulsory for sensitive personal data to be stored in India. It can be transferred outside India only for the purpose of processing, with the explicit consent of the Data Principal and subject to certain additional conditions.
Critical Personal Data, as notified by the Government of India, cannot be transferred outside India even for the purpose of processing.
Under section 35 of the Personal Data Protection Bill, 2019, the Central Government may exempt any of its agencies from the provisions of the Bill:
I) In the interest of the security of the State, public order, unity, integrity and sovereignty of India and friendly relations with foreign states.
II) To prevent any crime related to the above subjects.
Other exemptions to the Bill:
a) Investigation purposes,
b) Journalistic purposes.
Sharing of non-personal data with Government
The Central Government may direct data fiduciaries to provide it with any:
I) Non-personal data,
II) Anonymized data (personal data which is modified so that the individual cannot be identified) for better targeting of services.
I) Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs. 15 crore or 4 percent of the annual turnover of the Data Fiduciary, whichever is higher.
II) Failure to conduct a data audit is punishable with a fine of Rs. 5 crore or 2 percent of the annual turnover of the Data Fiduciary, whichever is higher.
III) Re-identification and processing of de-identified personal data by a Data Fiduciary without the consent of the Data Principal is punishable with imprisonment of up to 3 years, a fine, or both.
Amendments to other laws
The Bill amends the Information and Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Loopholes in the Personal Data Protection Bill, 2019
The Central Government has uninterrupted power to define Critical Personal Data.
Under this Bill, Data Principals have the right to be forgotten, but how would they know that their information has been deleted? It is possible that Data Fiduciaries could retain the information privately.
Consent is not required where the State is providing benefits to the individual, but the individual may not need that benefit from the State, such as LPG.
Members of the Data Protection Authority are to be selected by a government-dominated panel, so there is a greater chance that members will be close to the government, which could reduce the transparency of the Data Protection Authority of India.
The Central Government has blanket power, as it may exempt any of its agencies from the provisions of the Bill. This could amount to surveillance.
In India, a powerful law for the protection of data is the need of the hour. The Bill tries to provide safeguards for the privacy of individuals with respect to their personal data.