‘Privacy’ has become a hot topic of discussion in recent times. This is particularly so in light of rapid digitisation and gross breach of privacy of individuals by organisations collecting and processing personal data to benefit themselves. India as such hasn’t had any data privacy legislation. In the year 2017, there was a need for privacy legislation expressed in the Puttaswamy judgment. For privacy laws, we have so far relied on the IT Act, 2000 which doesn’t meet the present-day needs. Initially, the Central Government introduced the Personal Data Protection Bill in 2018, which was then passed on to the “Justice BN Srikrishna committee” for examining. But owing to a few shortcomings in the Bill, it was shelved. In the year 2019, the legislature introduced a fresh bill with quite a few changes. The purpose of this Bill is to provide for protection of privacy of individuals relating to their Personal Data and to establish a Data Protection Authority of India for the said purposes and the matters concerning the personal data of an individual. The 2019 Bill, inter alia, prescribes the manner in which personal data is to be collected, processed, used, disclosed, stored and transferred.
The Personal Data Protection Bill, 2019, was introduced in the Indian Parliament in December 2019. The bill seeks to regulate the collection, storage, and use of personal data by both the government and private entities. It also aims to create a framework for data protection and establish a Data Protection Authority to oversee and enforce the provisions of the bill. The bill is expected to impact the Indian digital economy significantly, affecting how businesses collect, store, and use personal data.
Personal data is any information that can be used to identify an individual, such as name, address, phone number, email address, etc. In the digital age, personal data is being generated at an unprecedented rate. This has given rise to new business models, such as targeted advertising and data analytics. However, the use of personal data has also raised concerns about privacy and data protection. There have been several instances where personal data has been misused, leading to identity theft, financial fraud, and other crimes. In this context, the need for data protection has become more critical than ever.
The Personal Data Protection Bill seeks to address this need by providing a framework for data protection in India. The bill aims to regulate the collection, storage, and use of personal data by both the government and private entities. It also seeks to create a mechanism for redressal in case of any violation of data protection norms.
The Personal Data Protection Bill has several key provisions that seek to balance privacy and innovation. Here are some of the most significant provisions of the bill:
• Consent: The bill requires that personal data be collected only with the consent of the individual. The consent should be explicit, informed, and specific to the purpose for which the data is being collected. This provision seeks to ensure that individuals have control over their personal data.
• Sensitive Personal Data: The bill defines certain categories of personal data as sensitive, such as financial information, health information, sexual orientation, biometric data, etc. The bill requires that sensitive personal data be collected and processed only with the explicit consent of the individual. This provision seeks to provide extra protection to sensitive personal data.
• Data Localization: The bill requires that a copy of personal data be stored in India. This provision seeks to ensure that personal data is subject to Indian law and can be accessed by Indian authorities when required.
• Data Protection Authority: The bill seeks to establish a Data Protection Authority, which will be responsible for overseeing and enforcing the provisions of the bill. The authority will have the power to investigate violations, issue orders, and impose penalties.
• Cross-Border Data Transfer: The bill allows for the transfer of personal data outside India, but only if the Data Protection Authority approves the transfer. This provision seeks to ensure that personal data is not transferred to countries with inadequate data protection laws.
In recent years, several high-profile data breaches and leaks have contributed to the rising concern about data privacy in India. In 2016, the Aadhaar data breach exposed the biometric and personal information of over one billion People online. In 2018, millions of Facebook users in India had their information exposed as a result of the Cambridge Analytica incident. However, the bill’s implementation has been delayed, and concerns have been raised regarding its provisions. Some stakeholders have criticised the requirement for data localization, arguing that it could increase the cost of doing business in India and impede innovation. There are also concerns that the bill does not adequately protect the privacy of individuals, particularly in terms of government surveillance. The Bill establishes a number of conditions for top companies to follow, and for large international tech firms that wish to operate in Indian territory. For one, it would require digital firms to obtain permission from users before collecting their data. It also declares that users who provide data are, in effect, the owners of their own data. This has major implications, suggesting that users are able to control the data their online selves produce, and may request firms to delete it, just as European internet-users are able to exercise a right to be forgotten and have evidence of their online presence removed.
The Personal Data Protection Bill seeks to balance privacy and innovation by providing a framework for data protection that allows for using personal data for legitimate purposes. It aims to create an environment that fosters innovation while protecting personal data.
Dr.S.Krishnan is an associate professor at Seedling School of Law and Governance, Jaipur National University, Jaipur. Jyotirmoy Banerjee a lecturer at Indian Institute of Management, Rohtak.