The Personal Data Protection Bill, 2019: An Analysis
Written By – Shivam
With digital technology impacting the lives of Indians, including transfer and exchange of data, the threat to breach of privacy and personal data rises without any coherent regulatory framework . Personal Data Protection (PDP) Bill, in order to control, has been formulated as India’s first step to domestically legislate on data protection.
The objective of the bill is to build a robust digital economy, protect personal data and govern individual’s data being processed by entities. The model of PDP Bill is based on the reports submitted by the nine bench committee headed by Justice B.N. Srikrishna to Ministry of Electronics and Information Technology (MeitY), however, there have been some modifications and improvisations made in it. It adhered to the judgement in landmark case Justice K.S. Puttaswamy and Ors. Vs. Union of India (UOI) and Ors, wherein, it was ruled that right to privacy is an integral part under Article 21 of Constitution of India, 1950, and ‘informational privacy’ is the key element of right to privacy .
The Bill incorporates ‘data’ by trifurcating it into personal data, sensitive personal data (SPD) and critical personal data. It omits Data Mirroring, the act of copying data from one location to a storage device in real time . Consent of individual is required only when data is transferred abroad. The bill emphasises social media companies to create their own verification mechanism. For the purpose of independent regulation, the Bill establishes Data Protection Authority, which watches over assessments, audits and decision making. Moreover, the bill favours individual by granting them right to data portability and the ability to access one’s own data, along with right to be forgotten .
The applicability of the PDP lies on the basis of identification rather than jurisdiction. Therefore, the processing of personal data of individuals located in India by entities located outside India for its business purposes would also come under the purview of the Bill .
There are contentious provisions in the Bill which has propped up a plethora of problems after being made public. Firstly, it has given broad exemptions to Central Government and its agencies under Section 35 and Section 36(1), on grounds of ‘national security’ and ‘reasonable purpose’, to access the data of Indians which may lead to intrusion in the lives of private citizens . Secondly, the composition of DPA seems to be under control of Government which rejects the notion of DPA being independent regulator. Thirdly, though the preamble of the bill aims to protect data, government using data for ‘business purpose’ and ‘governance interests’ are contradictory provisions in the bill .
While PDP Bill has been sent to Joint Parliamentary Committee, ‘privacy of citizen’ should be the end goal of the data protection legislation. Utilisation of personal data as a tradable commodity should be avoided as it complicates drafting of legislation. Sensitization of public on data protection should be promoted- which isn’t the case in India. Finally, government has to take into consideration that implementation of data localisation comes with economic risks which can lead to trade wars.
 McKinsey Global Institute (2019). Digital India: Technology to transform a connected nation, McKinsey.
 MeitY (2018), “Draft Personal Data Protection Bill 2018,” [online] Ministry of Electronics and Information Technology, Government of India. Available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
 Justice K.S. Puttaswamy and Ors. Vs. Respondent: Union of India (UOI) and Ors., (2019) 1 SCC 1
 EY (2018). Personal Data Protection Bill-2018: An initiative to enforce privacy principles in India, Ernst & Young.
 PRS (2018), Draft Personal Data Protection Bill, [online] PRS Legislative Research. Available at: http://www.prsindia.org/billtrack/draft-personal-data-protection-bill-2018
 Department of Industrial Policy and Promotion, Draft National E-Commerce Policy, February 23, 2019
 “India: Comparing the Personal Data Protection Bill 2018 with the GDPR” dated December, 2018 Available at: https://platform.dataguidance.com/opinion/india-comparing-personal-data-protection-bill-2018-gdpr
 Desai, R. (2019). India’s Data Localization Remains A Key Challenge For Foreign Companies. [online] Forbes. Available at https://www.forbes.com/sites/ronakdesai/2019/04/30/indias-data-localization-remains-akey-challenge-for-foreign-companies/#5e44356ee0a3