THE PERSONAL DATA PROTECTION BILL, 2018

the Act shall not apply to processing of anonymised data.

“Anonymisation”in relation to personal data, means the irreversible process of transforming or

converting personal data to a form in which a data principal cannot be identified, meeting the
standards specified by the Authority.

the Authority may issue codes of practice in respect of the following matters—methods of de-
identification and anonymisation;

PDP BILL 2019

EVERYTHING SAME AS ABOVE

S. 91 - (2) The Central Government may, in consultation with the Authority, direct any data fiduciary
or data processor to provide any personal data anonymised or other non-personal data to enable
better targeting of delivery of services or formulation of evidence-based policies by the Central
Government, in such manner as may be prescribed.

REPORT- ADD NON -PERSONAL (IMP

DPDPA 2022- NOTIHG

Dpdpa 2023 bill – no

Act- no

Action-

google search

 2018 bill PDP and PDP BILL 2019

 ALONG – JC REPORT 2019 BILL KE BAAD (nothinh available online khud dekhne)

See white paper and final report of justice saikrishna again !! to see about anonymised/nonpersonal
data +google search

1. PDP 2018

The Bill will not apply to anonymized data13, i.e. Personal Data which is irreversibly transformed
such that a Data Principal cannot be identified from it14. This exclusion will not extend to mere
de-identification, a potentially reversible process where identifiers have either been removed,
masked, or replaced with unique codes15 . Data Protection Authority 28. DPA: The Bill proposes
 the creation of an independent regulatory body responsible for its effective implementation, the
DPA75. The duties of the DPA are wide ranging and include: (a) identifying additional categories
of SPD and grounds for Processing Personal Data76; (b) mandating breach notifications to Data
Principals77; (c) prescribing various codes of practice78 including for notice, transparency,
security standards79, de-identification and anonymization80, contractual clauses and inter-group
schemes for cross-border transfer81; (d) identifying Significant Data Fiduciaries82, Guardian Data
Fiduciaries83, and certifying Data Auditors84; (e) monitoring Data Fiduciaries and cross-border
data flow85; and (f) advising Parliament and the Government86.

Criminal Penalties: Imprisonment (ranging from 3 to 5 years) is prescribed for persons who
knowingly, intentionally, or recklessly obtain, disclose, transfer or sell Personal Data (or SPD)
provided that such acts result in harm to a Data Principal103. Such harm is very broadly defined
to include loss of employment/reputation, discriminatory treatment and/or restrictions on
speech or movement104. A new offense has been proposed for knowingly reversing de-
identification105. For corporate Data Fiduciaries, these consequences will extend to persons in
charge of operations, or, where consent or neglect is attributable, directors, managers,
secretaries or other officers106. 1

2. PDP 2019

the 2019 Bill which applies to all forms of personal data (i.e. in offline and online
mode),2

 Sharing of non-personal data and anonymised personal data with the government: The
central government may direct data fiduciaries to provide it with any: (i) non-personal data
and (ii) anonymised personal data (where it is not possible to identify data principal) for
better targeting of services.3

Expands the scope under the 2018 Bill to cover certain anonymised personal data

Section 91: Government Access to Anonymised and Non-personal

Data
Section 91 of the PDP Bill enables the Central Government to
direct data fiduciaries and data processors to grant access to
all anonymised or non-personal data. This provision is
predicated on the assumption that unfettered access to certain
categories of data is essential for the targeted delivery of
government services as well as other state functions such as
“growth, security, integrity and prevention of misuse”. [13]

1
https://www.cyrilshroff.com/wp-content/uploads/2020/10/Personal-Data-Protection-Bill-2018.pdf
2
...

https://www.scconline.com/blog/post/2022/12/16/digital-personal-data-protection-bill-
2022-juxtaposing-the-old-and-the-new/
3
https://prsindia.org/billtrack/prs-products/prs-legislative-brief-3399#:~:text=Sharing%20of%20non
%2Dpersonal%20data,for%20better%20targeting%20of%20services.
Participants agreed that non-personal data is likely to serve a
wide range of public functions. However, they felt that
introducing such a provision in the present Bill was premature,
given that the Ministry of Electronics and Information
Technology has constituted an expert committee to establish a
framework for the governance of non-personal data.

Participants argued that in the absence of complementary

provisions and legislations in other fields, Section 91 in its
current form is unlikely to serve the stated objective of
supporting public service functions.

1. Grounds for government access to non-personal and/or anonymised

data
Participants pointed to the need for clearer definitions or
legislative standards for state functions that warrant access to
non-personal and anonymised data. Most businesses store
mixed data sets, which contain both personal and non-personal
data, and afford these data sets differential protection
depending on whether these were collected based on human
input, statistical inferences, or other means. Participants
stressed that a lack of shared taxonomy between state,
business and civil society could undermine the ease of doing
business, complicate data sharing efforts and undermine
privacy rights.

2. Definitions and standards for anonymised data

Anonymised data defined under Section 3(2) is data that has
undergone an “irreversible process of transforming or
converting personal data to a form in which a data principal
cannot be identified”. Participants overwhelmingly agreed that
irreversible anonymisation is impossible— an assertion that is
supported by the Justice Srikrishna Committee Report along
with other government[14] and academic[15] research. They
stressed that the Data Protection Authority must first prescribe
standards for anonymisation and penalties for breach—ideally
differential standards based on the type of data and level of
risk—before enabling the state to access non-personal data.

5. Ethical considerations
Participants noted that non-personal or anonymised data may
contain biased inputs or inferences. Deploying these data sets
for public functions risks exacerbating existing social, political
and economic inequities. Participants suggested that data that
has been acquired or licensed for public functions must
 undergo a social impact or ethics audit before being deployed
towards fulfilling public policy objectives4

3. DPDPA 2022 bill

The 2022 bill has omitted non-personal data and anonymized data from the
scope.5 The Bill solely applies to 'digitized' personal data and makes no
mention of non-personal data or anonymized datasets that shield the
identity of an individual. This will become the fourth attempt at a data
protection law in India, as the first draft of this law was proposed by the
Justice Sri Krishna Committee set up by the MeitY in 2018 as the

Non-Personal
Personal Data Protection Bill, 2018.6

Data (NPD) Not Covered Under

India’s Latest Data Protection
Bill. This is in contrast with last year’s version, the Data
Protection Bill 2021, which was the first version to bring NPD
under the ambit of the Data Protection Act, with the JPC
noting that NPD is essentially derived from one of the three
sets of data— personal data, sensitive personal data, critical
personal data — and then anonymised or converted into
7
non-identifiable data.
The bill does not include non-digital personal data, anonymized
personal data, and non-personal data in its ambit, thus no
protection is available to these kinds of data. It goes against the
recommendations of the Joint Parliamentary committee on the
Personal Data Protection Bill, 2019.8

4
https://www.orfonline.org/research/the-personal-data-protection-bill-2019-61915

5
https://niiconsulting.com/checkmate/2023/01/digital-personal-data-protection-bill-2022/#:~:text=The
%202022%20bill%20has%20omitted,scope%20of%20the%202022%20bill.

6
https://www.livelaw.in/articles/an-analysis-of-the-digital-personal-data-protection-bill-231161
7
https://www.medianama.com/2022/11/223-non-personal-data-digital-pdp-bill-2022/
8
https://www.medianama.com/2023/08/223-dpdp-bill-power-exemptions-government-agencies-mp-john-
brittas-dissent-note/