Data Protection

The Personal Data Protection Bill, 2019 was introduced in Parliament.  The Bill has been
referred to a Joint Parliamentary Committee for detailed examination, and the report is
expected by the Budget Session, 2020.  The Bill seeks to provide for protection of personal
data of individuals, create a framework for processing such personal data, and establishes a
Data Protection Authority for the purpose.  In this blog, we provide a background to the 2019
Bill, and explain some of its key provisions.

Why was a Bill brought for personal data protection?

In July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to
examine various issues related to data protection in India.  The Committee submitted its
report, along side a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics
and knowledge Technology in July 2018.The Statement of Objects and Reasons of the private
Data Protection Bill, 2019 states that the Bill is predicated on the recommendations of the
report of the Expert Committeeand the suggestions received from various stakeholders.
What does the Personal Data Protection Bill provide?
The Bill regulates personal data related to individuals, and the processing, collection and
storage of such data.  Under the Bill, a data principal is an individual whose personal data is
being processed.  The entity or individual who decides the means and purposes of data
processing is known as data fiduciary. 

What does the Personal Data Protection Bill provide?

The Bill regulates personal data related to individuals, and the processing, collection and
storage of such data.  Under the Bill, a data principal is an individual whose personal data is
being processed.  The entity or individual who decides the means and purposes of data
processing is known as data fiduciary.  

Will individuals have rights over their data?

These include seeking confirmation on whether their personal data has been processed,
seeking correction, completion or erasure of their data, seeking transfer of data to other
fiduciaries, and restricting continuing disclosure of their personal data, if it is no longer
necessary or if consent is withdrawn.  Any processing of personal data can be done only on
the basis of consent given by data principal. 
Are there any restrictions on processing of an individual’s data?
The Bill also provides for certain obligations of data fiduciaries with respect to processing of
personal data. Additionally, all data fiduciaries must undertake certain transparency and
accountability measures like implementing security safeguards and instituting grievance
redressal mechanisms to deal with complaints of people ..  Certain fiduciaries would be
notified as significant data fiduciaries (based on certain criteria such as volume of data
processed and turnover of fiduciary).  These fiduciaries must undertake additional
accountability measures such as conducting a data protection impact assessment before
conducting any processing of large scale sensitive personal data (includes financial data,
biometric data, caste, religious or political beliefs). 
What is the grievance redressal mechanism if the above restrictions are not followed?
To ensure compliance with the provisions of the Bill, and provide for further regulations with
respect to processing of personal data of individuals, the Bill sets up a Data Protection
Authority.  The Authority will be comprised of members with expertise in fields such as data
protection and information technology.  Any individual, who is not satisfied with the
grievance redressal by the data fiduciary can file a complaint to the Authority.  Orders of the
Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the
Supreme Court.

Are there any exemptions to these safeguards for processing of personal data?
Processing of personal data is exempt from the provisions of the Bill in some cases.  For
example, the central government can exempt any of its agencies in the interest of security of
state, public order, sovereignty and integrity of India, and friendly relations with foreign
states.  Processing of private data is additionally exempted from provisions of the Bill surely
other purposes like prevention, investigation, or prosecution of any offence, or research and
journalistic purposes..  Further, personal data of individuals can be processed without their
consent in certain circumstances such as: (i) if required by the State for providing benefits to
the individual, (ii) legal proceedings, (iii) to respond to a medical emergency. 

India’s strategic interest likely lies in ensuring that it upholds its constitutional responsibility
to its populace and privileges citizen rights and economic welfare over mere business or
bureaucratic interests. But—particularly due to concerning exemptions in the text of the
Personal Data Protection Bill—it is not clear whether this objective is satisfied. As the Joint
Parliamentary Committee starts its deliberations on the draft of the bill, it remains to be seen
whether the policymaking pendulum swings the right way.