Context: A critical analysis of the Personal Data Protection Bill, 2019.
Need for a Data Protection Bill 2019: currently under the scrutiny of a Joint Parliamentary Committee.
Accommodating the changing trends: Increased participation of people in the digital economy.
Increasing risks: A growing number of personal data breaches at major digital service providers, e.g. the alleged data breach at MobiKwik co., risking the data of 9.9 crore users.
Issues in existing data-protection framework under Information Technology Act, 2000:
Overriding users' consent provisions: Compounded by broad conditions, users' inability to understand implications, lack of emphasis on privacy, etc.
Exemptions to government agencies: The IT Act does not apply to government agencies, resulting in a regulatory vacuum.
Incapacity: The framework is unable to address risks emerging from new developments in data processing technology.
Judicial intervention: The Justice K.S. Puttaswamy (Retd) v. Union of India judgment (2017) established the right to privacy as a fundamental right and called for a data protection law.
Administrative recommendation: Justice B.N. Srikrishna committee suggested a draft data protection law.
Provisions of the Bill
Establishes a level playing field: Applicable to both government and private entities across all sectors.
Emphasises data security and data privacy: Entities will have to maintain security safeguards to protect personal data, fulfil a set of data protection obligations and transparency and accountability measures.
Gives users a set of rights over their personal data and the means to exercise those rights: A user will be able to obtain information about the different kinds of personal data that an entity holds about them and how the entity is processing that data.
Creates an independent and powerful regulator: known as the Data Protection Authority (DPA).
Associated concerns
Exemption provisions/powers: The central government can exempt any government agency from complying with the Bill (Clause 35), and thus the government will be able to process any data.
Difficult to enforce safeguards: The Bill threatens legal consequences for users who withdraw their consent for a data processing activity and thus effectively discourages users from withdrawing consent.
Question over the effectiveness of DPA as an independent regulator.