Personal Data Protection & its Perspectives in India

By Abhinav

Published On: March 31, 2022 at 10:00 IST

Introduction and Background

The Supreme Court of India recognised Privacy as a Fundamental Right guaranteed by the Indian Constitution in 2017[1].

It also advised the Central Government to establish a data protection policy that balances the needs of people with the legitimate concerns of the state, all while encouraging entrepreneurship and innovation.

In the same year, the Government formed an expert group led by former Supreme Court Justice B.N. Srikrishna to prepare a Personal Data Protection Bill to ensure growth of the digital economy while keeping citizens' personal data secure and protected.

In July 2018, the expert committee delivered its findings and a proposed data protection law.

After that, the government formed a joint panel to review the Bill.

In July 2018, the government established a Committee of Experts (chaired by Justice B.N. Srikrishna) to explore concerns connected to data privacy and the digital economy in India.

According to the Committee, the IT Rules (2011) have not kept up with the evolution of the digital economy.

For example, the Rules' definition of sensitive personal data is restrictive, and a contract can overrule certain of the Rules' prohibitions.

In addition to its findings, the Committee proposed a Personal Data Protection Bill to establish data processing standards for companies that use personal data. It also suggested that a regulatory agency be established to follow the Act.

The Personal Data Protection Bill, 2019, is based on the Expert Committee's recommendations as well as proposals from other stakeholders. The 2019 Bill aims to:

  • Safeguard individuals' privacy concerning their personal data,
  • Develop a framework for processing such data, and
  • Establish a Data Protection Authority to carry out these tasks.

The Personal Data Protection Bill, 2019 (PDP Bill) was introduced in the Indian Parliament's lower house on December 11, 2019. The Bill was then referred to a joint select committee.

Modifications may be made to the PDP Bill, and they will be in consonance with the Committee's recommendations.

The Bill, once enacted, will supersede Section 43 of the Information Technology Act of 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and any other laws inconsistent with it on the same subject.

After two years of debates on the Personal Data Protection Bill, 2019, the Joint Parliamentary Committee delivered its long-awaited report to the Indian Parliament on December 16, 2021.

This is, ideally, the climax of a series of JPC expansions, paving the way for solid data protection legislation in the world’s greatest democracy.

Key Features 

Definitions

Personal data is information about an individual’s qualities, features, or attributes of identification that may be used to identify them.

Certain types of personal data are classified as sensitive personal data under the Bill.

This can include financial information, biometric information, caste, religion or political opinions, or any other type of information that is indicated.

The Bill defines a data fiduciary as a company or individual who decides how and why personal data is processed, and a data principal as the person to whom the data pertains.

The Bill regulates the processing of personal data by:

  • The Government,
  • Indian companies, and
  • Foreign companies dealing with personal data of Indian citizens.

Grounds for processing personal data

The Bill stipulates that an organisation may only process an individual's personal data with that individual's consent. Personal data can, however, be processed without consent in some instances.

These include:

  • When the State is required to provide a service or benefit to the individual,
  • Legal proceedings, or
  • In the event of a medical emergency.

Obligations of data fiduciary

A data fiduciary can only process information for a defined purpose.

Furthermore, the data fiduciary would be restricted in terms of data collection and storage.

This means that only as much data as is required for the defined purpose may be gathered, and it cannot be held longer than is required.

Furthermore, fiduciaries must implement certain transparency and accountability measures, such as

  • Encrypting data and preventing unauthorised access, and
  • Establishing a grievance redressal mechanism to address user complaints.

Social Media Intermediaries

According to the Bill, intermediaries are those that allow users to connect online and share information.

All intermediaries with users above a certain threshold, and whose activities have the potential to affect electoral democracy or public order in India, will be required to provide an optional user verification tool for Indian users.

Individual Rights

The Bill grants some rights to the individual. These rights include

  • Ability to obtain confirmation from the fiduciary that their data has been processed,
  • Request correction of inaccurate, incomplete, or out-of-date personal data,
  • Request erasure of personal data that is no longer necessary for the purpose for which it was processed, and
  • Request a restriction on the continued disclosure of their data by a fiduciary if it is no longer necessary for the purpose or consent has been withdrawn.

Data Protection Authority (DPA) 

The Bill establishes a Data Protection Authority that has the authority to:

  • Safeguard people’s interests
  • Prohibit the abuse of personal data, and
  • Ensure compliance with the Act.

It will consist of a chairperson and six members, all of whom have at least 10 years of experience in data security, information technology, or public administration.

Grievance Redressal Mechanism

A data principal may file a complaint under the Bill alleging a violation of the Act’s provisions that has caused or is likely to cause them harm.

The data fiduciary must respond to such a complaint as soon as possible (within 30 days).

The data principal may file a complaint with the DPA if they are dissatisfied with how the complaint was handled.

The DPA can investigate the complaint and impose a penalty or compensation; if the data principal or data fiduciary is unhappy with the result, they can appeal to the Appellate Tribunal.

Any order of the Tribunal can be appealed to the Supreme Court.

Transfer of Data outside of India

Individuals’ sensitive personal data may be transferred outside India for processing if they give their explicit consent and meet certain other requirements. However, a duplicate of such sensitive personal data should be kept in India. Certain personal data designated by the government as important personal data can only be processed in India.

Exemptions

The Central Government may exempt any of its agencies from the Act’s provisions:

  • In the interests of State security, public order, India’s sovereignty and integrity, and friendly relations with foreign states;
  • To prevent incitement to commit any cognisable offence (for which arrest can be made without a warrant) relating to the above matters.

Personal data processing is also exempt from the Bill's prohibitions for a variety of additional reasons, including:

  • The prevention, investigation, or prosecution of any crime
  • Personal or domestic purposes, or
  • Journalistic and research purposes

Such processing, however, must be done for a precise, explicit, and legitimate reason.

Penalties and offences

Violating the provisions of the Bill by processing or transferring personal data is punishable by a fine of 4% of the fiduciary’s worldwide annual turnover, with a minimum of Rs 15 crore.

In case of a failure to conduct a data audit, the fiduciary shall be fined 2% of global annual turnover, with a minimum of Rs 5 crore.

Re-identification and processing of de-identified personal data (data without identifiers) without authorisation is a crime punishable by up to three years in jail, a fine, or both.

A Court will only take cognisance of an offence if the DPA files a complaint.

Non-Personal Data and Anonymised Personal Data 

For improved service targeting, the central government may require data fiduciaries to provide it with any of the following:

  • Non-personal data
  • Anonymised personal data (where the data principal cannot be identified).

Conclusion

The PDP Bill is a positive step forward in meeting the demands of India’s expanding data security framework.

However, several aspects of data protection (such as the classification of personal data as sensitive personal data or critical personal data, details on anonymised data, conditions for exemption from certain provisions of the PDP Bill, and processing of personal data and sensitive personal data of children) have been delegated.

As a result, once the appropriate rules and regulations are in place, the true impact of the PDP Bill will be apparent.

There are no transitional provisions or implementation dates in the PDP Bill. The PDP Bill currently states that the provisions shall take effect the day they are published in India’s official gazette (which will occur after the approval of the Indian Parliament and the President of India).

One can expect that the PDP Bill, in its final form, will provide businesses with enough time to adjust their business processes to guarantee compliance with the legislation.

However, Indian businesses that would be classified as data fiduciaries under the PDP Bill should assess their current data protection policy.

About the Author

The Article is written by Abhinav Gour, a student pursuing BBA LLB (Hons.) from Symbiosis Law School, Pune. The Author is in his first year and has a keen interest in legal writing and research.

Edited by: Advocate Komal Sharma, Publishing Editor at Law Insider.

References

THE PERSONAL DATA PROTECTION BILL, 2019 (Bill No. 373 of 2019)

The Personal Data Protection Bill, 2019