About Us  :  Online Enquiry


Personal Data Protection Bill 2019

Personal Data Protection Bill 2019

Why in news?

  • The pandemic has forced more people to participate in the digital economy that has brought focus into the Personal Data Protection Bill drafted by Union Government.
  • Unfortunately, the existing data protection regime in India does not meet this standard. Current data protection regime falls short of providing effective protection to users and their personal data.

What is Data?

  • Data is any collection of information that is stored in a way so computers can easily read them (think 011010101010 i.e. binary formats).
  • Data usually refers to information about your messages, social media posts, online transactions, and browser searches.

Storage of data

  • The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.
  • Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.
  • However, many contend that the physical location of the data is not relevant in the cyber world.

About the Personal Data Protection Bill, 2019

  • It is commonly referred to as the Privacy Bill.
  • It intends to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual.
  • In December 2019, Parliament approved sending it to the joint committee.
  • The Bill gives the government powers to authorise the transfer of certain types of personal data overseas.
  • It has also given exceptions allowing government agencies to collect personal data of citizens.
  • The Bill divides the data into three categories:
  • (1) Personal Data: Data from which an individual can be identified like name, address, etc.
  • (2) Sensitive Personal Data: Personal data like financial, health-related, sexual orientation, biometric, caste, religious belief, etc.;
  • (3) Critical Personal Data: Anything that the government at any time can deem critical, such as military or national security data.
  • It removes the requirement of data mirroring in case of personal data.
  • Only individual consent for data transfer abroad is required.
  • The Bill requires companies and social media intermediaries to enable users in India to voluntarily verify their accounts.

Current Regulation Of Personal Data

  • Currently, the usage and transfer of personal data of citizens is regulated by the  Information Technology (IT) Rules, 2011, under the IT Act, 2000.
  •  The rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data.
  •  The Expert Committee in its report, held that while the IT rules were a novel attempt at data protection at the time they were introduced, the pace of development of digital economy has shown its shortcomings.3
  • For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract.  Further, the IT Act applies only to companies, not to the government.

Challenges In Data Protection

  • Increasing Breaches: The number of personal data breaches from major digital service providers has increased. Robust data protection regimes are necessary to prevent such events and protect users’ interests.  
  • Misuse of Terms & Conditions: Entities could override the protections in the regime by taking users’ consent to processing personal data under broad terms and conditions. This is problematic given that users might not understand the terms and conditions or the implications of giving consent.
  • Data Privacy: Frameworks emphasise data security but do not place enough emphasis on data privacy.
  • Data Processing: While entities must employ technical measures to protect personal data, they have weaker obligations to respect users’ preferences in how personal data can be processed. Entities could use the data for purposes different to those that the user consented to.
  • Checks on Government Collection of Data: The data protection provisions under the existing IT Act also do not apply to government agencies. This creates a large vacuum for data protection when governments are collecting and processing large amounts of personal data.

Advantages of the bill

  • Covers Data Privacy: The Bill seeks to emphasise data security and data privacy. While entities will have to maintain security safeguards to protect personal data, they will also have to fulfill a set of data protection obligations and transparency and accountability measures that govern how entities can process personal data to uphold users’ privacy and interests.
  • Applicable to all: The Bill seeks to apply the data protection regime to both government and private entities across all sectors.
  • Independent Regulator: The Bill seeks to create an independent and powerful regulator known as the Data Protection Authority (DPA). The DPA will monitor and regulate data processing activities to ensure their compliance with the regime.
  • More importantly, the DPA will give users a channel to seek redress when entities do not comply with their obligations under the regime.
  • Autonomy to Users: The Bill seeks to give users a set of rights over their personal data and means to exercise those rights.

Some important terms

  • Data localisation: It is the act of storing data on any device physically present within the borders of a country.
  • Data Fiduciary: The ‘data fiduciary’ may be a service provider who collects, stores and uses data in the course of providing such goods and services.
  • Data Transfer: Data is transported across country borders in underwater cables.
  • Data Principal: The individual whose data is being stored and processed is called the data principal in the PDP Bill.


Mussoorie Times

Send this to a friend