Why The Personal Data Protection Bill Matters

Context: A critical analysis of the Personal Data Protection Bill, 2019.

Need for a Data Protection Bill (the 2019 Bill is currently under the scrutiny of a Joint Parliamentary Committee)

  • Accommodating the changing trends: Increased participation of people in the digital economy.
  • Increasing risks: A growing number of personal data breaches at major digital service providers, e.g. the alleged data breach at MobiKwik, which put the data of 9.9 crore users at risk.
  • Issues in existing data-protection framework under Information Technology Act, 2000:
    • Overriding of users’ consent provisions: Compounded by broad conditions, users’ inability to understand implications, lack of emphasis on privacy, etc.
    • Exemptions to government agencies: The IT Act does not apply to government agencies, resulting in a regulatory vacuum.
    • Incapacity: The framework is unable to address risks emerging from new developments in data processing technology.
  • Judicial intervention: The Justice K.S. Puttaswamy (Retd) v. Union of India judgment (2017) established the right to privacy as a fundamental right and called for a data protection law.
  • Administrative recommendation: The Justice B.N. Srikrishna committee suggested a draft data protection law.

Provisions of the Bill

  • Establishes a level playing field: Applicable to both government and private entities across all sectors.
  • Emphasises data security and data privacy: Entities will have to maintain security safeguards to protect personal data, fulfil a set of data protection obligations and transparency and accountability measures.
  • Gives users a set of rights over their personal data and the means to exercise those rights: A user will be able to obtain information about the different kinds of personal data that an entity holds about them and how the entity is processing that data.
  • Creates an independent and powerful regulator: known as the Data Protection Authority (DPA).

Associated concerns

  • Exemption provisions/powers: The central government can exempt any government agency from complying with the Bill (Clause 35), and thus the government will be able to process any data.
  • Difficult-to-enforce safeguards: The Bill threatens legal consequences for users who withdraw their consent for a data processing activity, and thus effectively discourages users from withdrawing consent.
  • Question over the effectiveness of DPA as an independent regulator.