DATA PROTECTION IN INDIA

What is personal data?

Data can be broadly classified into two types: personal and non-personal data.  Personal data
pertains to characteristics, traits or attributes of identity, which can be used to identify an
individual.   Non-personal data includes aggregated data through which individuals cannot be
identified.  For example, while an individual’s own location would constitute personal data;
information derived from multiple drivers’ location, which is often used to analyse traffic
flow, is non-personal data.  Data protection refers to policies and procedures seeking to
minimise intrusion into the privacy of an individual caused by collection and usage of their
personal data.  

Why was a bill introduced?

Data protection currently falls under the purview of the IT Act. However, after the Right to
Privacy judgment, the need for a specific legislation for data protection was realised. In
furtherance of this realisation a committee was set up to look into the possible provisions of a
legislation. The objects and reasons clause of the 2019 bill claims to have derived its
provisions from the recommendations of this expert committee chaired by Justice B N
Srikrishna. The bill is currently under review and is being analysed by a joint parliamentary
committee.

The bill’s preamble identifies three motivations for the creation of such a legislation:

 “The right to privacy is a fundamental right and it is necessary to protect personal data
as an essential facet of informational privacy.”
 “The growth of the digital economy has expanded the use of data as a critical means
of communication between persons.”
 “It is necessary to create a collective culture that fosters a free and fair digital
economy, respecting the informational privacy of individuals, and ensuring
empowerment, progress and innovation through digital governance and inclusion.”

A critical reason behind the introduction of such a bill was in the interest of maintain data
sovereignty, as a lot of data from Indians is stored in foreign data hubs, especially the west.
The need for data localization and sovereignty was realized post the shocking disclosure by
Edward Snowden on the usage of such data. The worrisome situation led to the creation of
data protection laws around the world, famously the GDPR in the European Union. The
Indian PDP Bill is said to be modelled majorly on the lines of the GDPR.

The bill has created certain rights and obligations for the persons and groups involved in data
transactions. The data principal, whom the data belongs to, has the right to seek confirmation
on the processing, correction and deletion of their data. Confirmation is to be taken from the
principal before the transfer of data to other entities. All processing of data will be on the
basis of the consent of the principal.

The bill has created certain other classifications as well. A data fiduciary is an entity (govt. or
company) or an individual who decides the means and purpose of processing personal data.
The processing of any and all personal data by fiduciaries should be for a certain lawful
purpose and subject to limitations. The fiduciaries also need to implement security safeguards
and maintain grievance redressal mechanisms. The amount of security and other mechanisms
would be specified on the basis of the volume of data a fiduciary maintains. Greater volume
would lead to greater security mechanisms. Any personally sensitive data would be processed
only after a data protection impact assessment.
The bill requires social media companies, called significant data fiduciaries, based on the
volume of their data and turnover, to develop their own user verification mechanism.
A Data Protection Authority is also provided for under the Bill, which would be the redressal
forum for any violations of the bill.

Contentions against the Bill

The PDP Bill has received a great deal of criticism for certain provisions. While the bill has
created an important framework of rules and regulations vis-à-vis corporates and other
private entities with the citizens, the provisions with regard to the government have been
heavily criticised. The government has the authority to exempt any of its agencies in the
interest of the security of the state, public order etc. Processing of personal data is also
exempted from provisions of the Bill for certain other purposes such as prevention,
investigation, or prosecution of any offence, or research and journalistic purposes.  Further,
personal data of individuals can be processed without their consent in certain circumstances
such as: (i) if required by the State for providing benefits to the individual, (ii) legal
proceedings, (iii) to respond to a medical emergency. Furthermore, the government has the
right to seek and extract data from fiduciaries for the “better targeting of services”.

Suggested links:

https://www.prsindia.org/theprsblog/migration-india-and-impact-lockdown-migrants

https://www.lawfareblog.com/key-global-takeaways-indias-revised-personal-data-protection-
bill

https://carnegieindia.org/2020/03/09/what-is-in-india-s-sweeping-personal-data-protection-
bill-pub-80985