I had first written about this in July 2018. Justice B. N. Srikrishna and his committee had submitted the first draft proposal. A lot has changed since then. Since its introduction last year, MeitY (Ministry of Electronics and Information Technology) has solicited comments and suggestions on the PDP Bill from the public, various stakeholders, ministers and consultants. Based on these suggestions, a revised Personal Data Protection Bill, 2019 (Draft Bill), was cleared by the Union Cabinet on December 4, 2019. The bill was introduced in Lok Sabha on Dec. 11 and passed on to the Standing Committee. The final report from the Standing Committee is expected by the first day of the last week of the Budget Session, 2020.
The initial bill covered the following issues in detail:
- Territorial applicability
- Grounds for data processing
- Sensitive personal data
- Rights of the data principal
- Obligations of the data fiduciary
- Data Protection Authority
- Cross-border storage of data
- Transfer of data outside the country
- Offences and penalties
The biggest cause of concern currently is how effectively the revised bill meets the objective of protecting privacy. There is a fear of unrestrained access to personal data by government agencies. In sharp contrast, the 2018 draft had many privacy protections.
After having provided for privacy safeguards, the bill empowers the central government, in Section 35, to allow any government agency to bypass all these:
- (a) in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign states or public order, and
- (b) for preventing any cognizable offence relating to (a) above.
The only safeguards in this context are: (i) a written order from the central government specifying the reasons for breaching privacy and (ii) in a manner (procedures, safeguards and oversight mechanism) “as may be specified” in future. Nobody knows how this can be used or misused.
The government website lists some key features of the revised bill:
- Promote concepts of consent, purpose limitation, storage limitation and data minimisation etc.
- Lay down obligations on agencies collecting personal data (data fiduciary) to collect only that data which is required for a specific purpose and with the express consent of the individual (data principal)
- Confer rights on the individual to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data
- Establish Data Protection Authority of India (DPAI) to protect the interests of individuals, prevent misuse of personal data, ensure compliance and promote awareness about data protection
- Notify “social media intermediary” as a significant data fiduciary whose actions have a significant impact on electoral democracy, security of the state, public order or sovereignty and integrity of India
- Confer the “right of grievance” on individuals to complain against a data fiduciary
- Empower the central government to exempt any government agency from application of the proposed law
- Empower DPAI to specify the “code of practice” to promote good practices of data protection and facilitate compliance and
- Provide for “Adjudicating Officer” for deciding penalties and award compensation for violations and “Appellate Tribunal” to hear appeals against these.
Two points that need to be considered are:
- Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
- The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
So, are the penalties significant? And is it right for the government to seek data about its citizens from corporates and businesses? There are no easy answers. However, it is beyond debate that India needs the PDP Bill badly. The need of the hour is that vested interests should not be able to navigate their way around the bill. Tomorrow’s wars are going to be about data. A country needs to protect all information about its citizens and corporates without compromise and at the same time ensure that it does not violate the privacy of citizens. This is a fine line. Hopefully, the elected representatives will do the right thing by their citizens and by the country.