In the matter between Puttaswamy v India, the Hon’ble Apex Court vide its order dated 24/07/2017 declared “Right to Privacy” as a fundamental right under the Constitution of India on the basis of which the Hon’ble Supreme Court asked for the formation of strong Data Protection Rules. As such a committee was formed by the Supreme Court Judge, Mr B. N. Srikrishna and the Draft Personal Data Protection Bill, 2018 was first introduced and then subsequently on December 11, 2019, the Personal Data Protection Bill, 2019 (“PDPB”) was introduced in Lok Sabha by the Minister of Electronics and Information Technology.
Aim of the Bill
The aim of this Bill is to provide for the protection of privacy of individuals relating to their Personal Data, creation of framework, guidelines and accountability measures for processing personal data by data fiduciaries and lastly to establish a Data Protection Authority of India.
Study of the 2019 Bill in comparison to the 2018 Bill
The extent to which the 2018 Bill was applicable extended to the whole of India while the 2019 Bill does not contain any such provision and means that the Bill applies to the processing of any personal data by entities located outside India if such personal data is processed that involves offering goods or services to individuals located in India albeit provided outside India.
Section 43A and Section 87 of the Information Technology Act, 2000 shall be repealed.
The definition of ‘Aadhaar number’ has been removed from the 2019 Bill. Unlike the 2018 Bill, the 2019 Bill contains a definition of a ‘Data Auditor’. Under the 2019 Bill, Data Localization requirements for personal data have been relaxed. However, storage and transfer of sensitive personal data and critical personal data are still restricted.
The 2018 Bill required the data fiduciary to take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated, having regard to the purposes for which it is processed. In the 2019 Bill, the word “reasonable” has been replaced with “necessary”.
Under the 2018 Bill, personal data could be retained for a longer period if explicitly mandated, or necessary to comply with any obligation, under a law. Under the 2019 Bill, personal data may be retained for a longer period if explicitly consented to by the data principal, or necessary to comply with any obligation under any law for the time being in force.
Further, the 2018 Bill states that: “The data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed”. On the other hand, Clause 9 the 2019 Bill states that “The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing.”
The Definition of Personal Data as per the 2018 Bill has been widened in the 2019 Bill which now includes “such characteristics or traits will also include any inference drawn from such data for the purpose of profiling” apart from everything else in the 2018 Bill.
Under the 2018 Bill, the Data Protection Authority consisted of a chairperson and six whole-time members, while under the 2019 Bill the DPA may consist lesser than six members. The Selection Committee under the 2019 Bill does not include a judicial member and will be comprised of (i) Cabinet Secretary as the chairperson, (ii) Secretary, Department of Legal Affairs, and (iii) Secretary, Ministry of Electronics and Information Technology. as different to the 2018 Bill where it consisted of the Chief Justice of India (“CJI”) or a Supreme Court judge nominated by him and an expert in the field of data protection, information technology and related subjects.
The term Social Media Intermediaries was not defined under the 2018 Bill. Under the 2019 Bill, a definition of Social media intermediaries is provided which is “an intermediary which enables online interaction between users and allows for sharing of information”.
Additionally, the 2019 Bill removes the provision for mandatory storage of all personal data in the country. The Bill provides that all sensitive personal data must continue to be stored in India. Such data can be transferred outside India if explicitly consented by the individual, and subject to certain additional conditions.
Further, the 2018 Bill allowed personal data, including sensitive personal data, to be processed without the data principal’s consent, for purposes related to employment. On the other hand in Clause 12 of the 2019 Bill, only personal data which is not sensitive personal data can be processed without the data principal’s consent, for purposes related to employment. The word “password” has been deleted under the 2019 Bill under the definition of “Sensitive Personal Data”.
The data principal whose data is being processed derives a right under Clause 18 of the 2019 Bill to seek the removal of the user’s personal data which is no longer necessary for the purpose for which it was processed. Such right of deletion was lacking in the 2018 Bill.
The concept of “Consent Manager” is introduced vide Clause 23 of the 2019 Bill. The 2019 Bill allows Data Principals to make requests through consent managers and also allows them to withdraw their consent through such Consent Managers. Clause 26 of the 2019 Bill uses the phrase ‘Significant Data Fiduciary’ while its parallel Clause 34 in the 2018 Bill used the phrase ‘Data Fiduciary’.
Every significant data fiduciary shall appoint a Data Protection Officer possessing such qualifications and experience, for carrying out certain functions under Clause 40 of the 2019 Bill. In the 2018 Bill, a DPO was required to be appointed by all data fiduciaries. The same is required in the Draft Bill to be appointed only by a significant data fiduciary.
The 2019 Bill requires Social Media Intermediaries which have been notified as significant DFs to allow users to voluntarily verify their accounts. There was no such requirement under the 2018 Bill. The 2019 Bill allows for wider exemptions from its application for government agencies, as compared to the 2018 Bill. The 2018 Bill allowed the government such exemptions only in the interests of the security of the State based on the principles of necessity and proportionality.
The 2019 Bill gives the Central Government the power to exempt any government agency from the purview of the 2019 Bill, subject to such procedure, safeguards and oversight mechanism as may be prescribed by the central government. The 2019 Bill also allows for exemptions in the interest of the sovereignty, integrity, friendly relations with foreign states and public order, which were not present in the 2018 Bill.
Under the 2019 Bill, the Investigating Officer can exercise powers of search and seizure only after getting a Court Order. In contrast under the 2018 Bill, the DPA could authorize an officer to exercise powers of search and seizure directly. The 2019 Bill allows the Investigating Officer to retain the material seized until the inquiry is concluded. Conversely, under the 2018 Bill, the Investigating Officer could not retain the material seized for a period of more than six months subject to certain exception.
Further, the 2019 Bill after taking into consideration the emerging technologies such as Artificial Intelligence and Machine Learning has incorporated and a new provision under Clause 40 for creating a Sandbox for encouraging innovation.
Conclusion
The Government of India through the invention of the Personal Data Protection Bill aims to protect the privacy of individuals with respect to their personal data and governs the relationship between individuals and entities processing their personal data.
References
1. The Draft Personal Data Protection Bill, 2018; The Personal Data Protection Bill, 2019.
2. https://www.ikigailaw.com/wp-content/uploads/2019/12/IL_PDP-Clause-by- Clause_Comparison_27122019.pdf.
Libertatem.in is now on Telegram. Follow us for regular legal updates and judgments from the court. Follow us on Google News, Instagram, LinkedIn, Facebook & Twitter. You can also subscribe to our Weekly Email Updates. You can also contribute stories like this and help us spread awareness for a better society. Submit Your Post Now.
