
India’s proposed Personal Data Protection Bill — which would regulate how data of the country’s 1.3 billion people is stored, processed and transferred — could be on track for approval early next year.
Following the legislation’s introduction in Parliament last week, a Joint Parliamentary Committee of 20 members of Lok Sabha and 10 members from Rajya Sabha was formed. The committee will review the bill and submit a report with its findings to Parliament in January before the end of the 2020 budget session.
Key pieces of the legislation include the creation of a data protection authority, requirements for technology companies to obtain explicit permission for most uses of personal data and allowing citizens more ownership over their personal data. It also enables the central government to exempt government agencies from the bill’s requirements “in the interest of sovereignty and integrity of India.” Under the bill, social media intermediaries would be required to provide users an option to verify their identity.
Additionally, it provides both the right to data erasure and the right to be forgotten, regulates research on data, and heavily regulates biometrics.
While the bill is slightly better structured than previous iterations, it does include more stringent regulations. There are concerns among Indian citizens that it provides the government too much power, given its exemptions for government agencies.
Rahul Sharma, IAPP Country Leader for India
The definition of ‘sensitive personal data’, as laid out in section 2(36) of the Draft Bill, does not include the term ‘passwords’ any more. Sensitive personal data is now defined as such personal data which may reveal, be related to, or constitute:
• financial data
• health data
• official identifier
• sex life
• sexual orientation
• biometric data
• genetic data
• transgender status
• intersex status
• caste or tribe
• religious or political belief or affiliation, or
• any other data categorized as sensitive personal data by the authority and the sectoral regulator concerned.
Key takeaways from the bill
- Prohibition of processing of personal data
- Restriction on retention of personal data
- Grounds for processing of personal data without consent in certain cases
- Processing of personal data for other reasonable purposes
- Right to correction and erasure
- Privacy by design policy
- Transparency in processing of personal data
- Classification of data fiduciaries as significant data fiduciaries
- Data protection officer (DPO)
- Prohibition on processing of sensitive personal data and critical personal data outside India
- Conditions for transfer of sensitive personal data and critical personal data
- Penalties
- Sandbox for encouraging innovation
- Re-identification and processing of de-identified personal data
The Draft Bill incorporates important aspects such as consent, reasonable purpose, and the processing of personal data only with consent. We may look forward to the Draft Bill being recognised as a law in the forthcoming budget session.
The bill has faced ample criticism as well:
The revised 2019 Bill was criticized by Justice B.N. Srikrishna, the drafter of the original Bill, as having the ability to turn India into an “Orwellian State”. In an interview with Economic Times, Srikrishna said that, “The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications.”
Apar Gupta of Internet Freedom Foundation notes that “Privacy is mentioned just once in this voluminous document — 49 mentions of ‘security’ and 56 mentions of ‘technology’”, implying that the Bill doesn’t do enough to protect an individual’s privacy.
Rishabh Malhotra
M.Sc Cyber Security