Personal Data Protection Bill To Be Tabled In Parliament
Ministry of Information and Broadcasting, quoting the Minister Mr. Prakash Javadekar, through a
Press Release dated 04 December, 2019 stated that the Personal Data Protection Bill, 2019 has received the approval of the Cabinet, and will be tabled in this winter session of the Parliament.
Background:
In 2012 a committee headed by Justice A P Shah had submitted a Report by Group of Experts on
privacy, which proposed a conceptual framework for a privacy statute in India and how Indian
Privacy law should take shape. This was followed by a consultation paper on Privacy, Security
and ownership of Data in the Telecom sector published by the Telecom Regulatory Authority of
India on the 9th August 2017. This was another endeavor to effectively enforce the
“fundamental right to privacy” recognized by the Supreme Court of India in the Justice K.S.
Puttaswamy judgment earlier in 2017 wherein the Court observed:
“Informational privacy is a facet of the right to privacy. The dangers to privacy in an age
of information can originate not only from the state but from non-state actors as well.
The Parliament needs to examine and put into place a robust regime for data protection
in India. The creation of such a regime requires a careful and sensitive balance between
individual interests and legitimate concerns of the state.”
Subsequently, the Ministry of Electronics and Information Technology, vide its NotificationNo.3
(6)J2017-CLES (hereinafter referred to as “Notification”) had constituted a “Committee of
Experts” under the Chairmanship of former Supreme Court Justice „Shri B N Srikrishna‟ on issues
relating to data protection in India and draft a bill on data protection.
The Committee released a „white paper of the committee of experts on a data protection
framework for India‟ (hereinafter “white paper”) on 27th November 2017. The White paper
highlighted key principles for the data protection law like legal flexibility, informed consent,
controller accountability, data minimisation etc. This white paper was open for comments from
the public and held stakeholders‟ consultation in Delhi, Hyderabad, Bengaluru and Mumbai till
31st January, 2018.
The Committee of Experts under the Chairmanship of Justice B N Srikrishna on the 27th of July
2018, submitted its Report to the Ministry of Electronics and Information Technology titled “A
Free and Fair Digital Economy-Protecting Privacy, Empowering Indians”, making
recommendations on principles underlying data protection, identifying key data protection issues and recommending methods of addressing them.
The Committee of Experts also submitted a draft Bill titled “The Personal Data Protection Bill,
2018” (hereinafter referred to as the “Bill”) with primary objective to
“protect the autonomy of individuals in relation with their personal data, to specify where the
flow and usage of personal data is appropriate, to create a relationship of trust between
persons and entities processing their personal data, to specify the rights of individuals whose
personal data are processed, to create a framework for implementing organisational and
technical measures in processing personal data, to lay down norms for cross-border transfer of
personal data, to ensure the accountability of entities processing personal data, to provide
remedies for unauthorised and harmful processing, and to establish a Data Protection Authority
for overseeing processing activities”
Scope and Applicability of the Bill
Applicability:
The draft Bill provides for horizontal applicability of the proposed legislation, whereby
section 2(1)(b) provides that the same shall be applicable to both government and private
entities.
Further, the draft Bill under Sections 3 (13) and (14) provides for the reformulation of the
relationship between the “data subject” and the “data controller” as a fiduciary
relationship between the “data principal” and the “data fiduciary” to emphasize greater
accountability and trust between the two.
Definition of personal data:
The draft Bill underscoring the importance of defining what constitutes personal
information as critical to determine the extent of the law defined Personal data on the
parameters of identifiability under provisions of Section 2(3) of the Bill. While the said
definition does not specifically mention any particular form of data or attribute, the bill
expressly mentions the exclusion of anonymized data from the application of the law.
While the definition of sensitive personal data, has been expanded has been expanded
under Indian law to include passwords; financial data; health data; official identifier; sex
life; sexual orientation; biometric data; genetic data; transgender status; intersex status;
caste or tribe; religious or political belief or affiliation1
.
Additionally, data fiduciaries are required to establish mechanisms for age verification
and parental consent and Processing of personal and sensitive personal of children by
data fiduciaries should be done in a manner that protects and advances the rights and
best interests of the child.
Besides as per provisions of Section 23 of the proposed draft Bill, it has been laid down
that fiduciaries that operate commercial websites or online services directed at children
or process large volume of children personal data would be classified as guardian data
fiduciaries and barred from performing certain processing operations.
