Personal Data Protection Bill, 2018

Data is considered the new oil of the 21st century. For India to tap the full potential of data-driven innovation and entrepreneurship, a comprehensive data protection regime for digital communications and an appropriate institutional mechanism need to be established. It is in this light that the Personal Data Protection Bill, 2018 was released to safeguard the privacy, autonomy and choice of individuals and to secure digital communications, infrastructure and services.

"Data protection" law, in general, refers to policies and procedures that seek to minimize intrusion into the privacy of an individual caused by the collection and usage of their personal data.

Current Status Quo

  • In India, usage of personal data or information of citizens is currently regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under Section 43A of the Information Technology Act, 2000.
  • To deal with the issue of data protection, "The Committee of Experts on a Data Protection Framework for India", chaired by Justice B. N. Srikrishna, was constituted. The committee examined issues relating to data protection, recommended methods to address them, and drafted a Data Protection Bill. The Personal Data Protection Bill 2018 makes consequential amendments to the Information Technology Act 2000 and also amends the Right to Information Act 2005 and permits non-disclosure of personal information where harm to the individual outweighs public good.

Key Provisions of the Bill

  • The Bill regulates processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits.
  • The data principal has several rights with respect to their data, such as seeking correction or seeking access to their data which is stored with the fiduciary.
  • The fiduciary has certain obligations towards the individual while processing their data, such as notifying them of the nature and purposes of data processing.
  • The Bill allows exemptions for certain kinds of data processing, such as processing in the interest of national security, for legal proceedings, or for journalistic purposes.
  • Data Localizations: The Bill requires that a serving copy of personal data be stored within the territory of India. Certain critical personal data must be stored solely within the country. This is in line with a similar mandate imposed by the Reserve Bank of India on payments systems providers to store payments system data only in India.
  • A national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate data fiduciaries.

Criticisms of the Bill

  • Data Localizations: The Bill requires data fiduciaries to store "at least one copy" of personal data on a server or data centre located in India. This has run into controversy with multinational companies, who would be required to physically host user data in India.
  • Law enforcement agencies' easy access to personal data in the name of national security is in direct violation of the Supreme Court judgement on the right to privacy.
  • The executive oversight over the proposed Data Protection Authority and its lack of financial independence.

Way Forward

  • Parliament needs to legislate a comprehensive law that establishes regulatory oversight over intelligence gathering activities.
  • Provide stringent safeguards with respect to the collection of children's data, especially behavioural monitoring of their profiles on Facebook, Instagram or their viewing patterns on YouTube.
  • Fix penalty provisions in case of a data security breach. Example: the fine imposed on Facebook by Europe over a data breach.
  • Establish an appellate tribunal to hear appeals against the decisions taken by the Data Protection Authority.
  • Codify the specific grounds on which national security could be invoked.