The first codification of the fundamental right to privacy as affirmed by the Supreme Court, the Personal Data Protection Bill aims to provide individuals protect their personal data privacy and keep their fundamental rights whose personal data are processed, along with creating a framework for measures in the processing of data and remedies for unauthorised and harmful content. To achieve these, the Bill proposes to build the Data Protection Authority of India.
Introduction of Personal Data Protection Bill
Introduced by Union minister Ravi Shankar Prasad, the Ministry of Electronics and Information Technology in 2017 set up a committee to check on issues related to personal data and its protection.
The initial draft was prepared and presented a year later in July 2018 by the committee headed by retired Supreme Court judge Justice B N Srikrishna. The delay has reportedly been caused by multiple amendments and inter-ministerial consultations. In 2019, the Bill was cleared by the Union Cabinet and was tabled on 11 December.
The Bill was introduced in the Lok Sabha in February 2020 and has been referred to a Joint Parliamentary Committee (JPC) of both the Houses, headed by BJP MP Meenakshi Lekhi, for examination and report.
Provisions of the Bill
The provisions of this Act shall apply to:
1. The processing of personal data where such data has been collected, disclosed, shared, or otherwise processed within the territory of India.
2. The processing of personal data by the state, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law.
3. The processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or in connection with any activity which involves profiling of data principals within the territory of India.
The provisions of this Act shall not apply to the processing of anonymised data, other than the anonymised data referred to in section 91.
What is personal data and personal data breach
According to the draft, "Personal data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
Whereas, "personal data breach" means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to, personal data that compromises the confidentiality, integrity, or availability of personal data to a data principal.
Sensitive personal data
The "sensitive personal data" means such personal data constitute—
1. Financial data
2. Health data
3. Official identifier
4. Sex life
5. Sexual orientation;
6. Biometric data;
7. Genetic data;
8. Transgender status;
9. Intersex status;
10. Caste or tribe;
11. Religious or political belief or affiliation; or
12. Any other data categorised as sensitive personal data under section 15.
Criticism of the Bill
On November 22, 2021, Congress’ Jairam Ramesh, Manish Tewari, Vivek Tankha, and Gaurav Gogoi, the Biju Janata Dal’s (BJD) Amar Patnaik, and the Trinamool Congress’ (TMC) Derek O’Brien and Mahua Moitra sent dissent notes to the committee chairman P P Chaudhary.
The committee's Opposition members are concerned that the proposed Bill, in the guise of national security, may encroach on the powers of state governments. This is reflected in the objections flagged by parties like the TMC and even the BJD.
While praising the “democratic, transparent and consultative” approach taken by the JPC, Ramesh has proposed that the government not be given sweeping powers by keeping it out of the purview of the proposed legislation.
Gogoi has also raised the same issue, along with questioning the rationale for the removal of a clause that penalised companies for data breaches.
“Previously, the government had brought very high and strict penalties. It is only when penalties are high that technology companies are forced to comply with the regulations. That is what we have seen in Europe and other parts of the world,” said Gogoi. The removal of this clause at the last minute does not have the unanimity of the committee, he added.
Penalties in the earlier draft of the Personal Data Protection Bill ranged from Rs 5 crore to Rs 15 crore, or 2-4 per cent of the worldwide turnover of the entity depending on the nature of the offence.