Withdrawal of Personal Data Protection Bill : Daily Current Affairs

Relevance: GS-2: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.

Key Phrases: Personal Data Protection Bill, Justice B N Srikrishna Committee, Right to Privacy, Puttaswamy judgment.

Context:

  • Recently the Ministry of Electronics and IT (MEITY) withdrew the Personal Data Protection Bill, 2019. It brought into discussion the issue of regulation of Personal Data.

Background

  • The Personal Data Protection bill proposes to specify the flow and usage of personal data, protect the rights of individuals whose personal data are processed, as it works out the framework for the cross-border transfer, accountability of entities processing data, and moots remedies for unauthorized and harmful processing.

What is Personal Data?

  • Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorizes certain personal data as sensitive personal data. This includes financial data, biometric data, and caste, religious or political beliefs.

Necessity of the Bill

  • Justice Shah Committee recommended a detailed framework that serves as the conceptual foundation for the Privacy Act. This did not come to fruition due to objections from the intelligence establishment on surveillance reforms.
  • A nine-judge bench unanimously pronounced the Puttaswamy judgment that reaffirmed the fundamental right to privacy for the autonomy, dignity and liberty of every Indian.
  • The formation of Justice B N Srikrishna Committee by the government on Personal Data Protection.

All these led to the introduction of the bill in the Parliament in 2019.

Applicability

  • The Bill governs the processing of personal data by:
    1. Government
    2. Companies incorporated in India, and
    3. Foreign companies dealing with personal data of individuals in India.

Additional Information about the Bill

Rights of the individual

  • The Bill sets out certain rights of the individual that include the right to:
    1. Obtain confirmation from the fiduciary on whether their personal data has been processed
    2. Seek correction of inaccurate, incomplete, or out-of-date personal data,
    3. Have personal data transferred to any other data fiduciary in certain circumstances, and
    4. Restrict continuing disclosure of their personal data by a fiduciary if it is no longer necessary or consent is withdrawn.

Grounds for processing personal data

  • The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent –
    1. If required by the State for providing benefits to the individual
    2. Legal proceedings
    3. To respond to a medical emergency.

Data Protection Authority

  • The Bill sets up a Data Protection Authority which consists of a chairperson and six members. It may:
    1. Take steps to protect interests of individuals
    2. Prevent misuse of personal data, and
    3. Ensure compliance with the Bill.

Transfer of data outside India

  • Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions.
  • However, such sensitive personal data should continue to be stored in India.
  • Certain personal data notified as critical personal data by the government can only be processed in India.

Recommendations of the Joint Committee of Parliament

  • Earlier, the Joint Committee on the bill headed by P.P. Chaudhary presented its final report. The recommendations include -
    • Removal of the word ‘personal’ from the title to reflect that the bill will also be dealing with non-personal data i.e. personal data that has been anonymized in order to better ensure privacy.
    • Amendment of the section restricting the transfer of personal data outside India to “sensitive personal data shall not be shared with any foreign government or agency unless approved by the central government.
    • Social media platforms will not be allowed to operate in India unless their parent company sets up an office in the country.
    • Setting up a separate regulatory body to regulate the media.
    • Jail term of up to 3 years, fine of Rs 2 lakh or both if de-identified data is re-identified by any person.
    • There was a clear tilt in favor of national security and corporate profit at the cost of a citizen-centric law.
    • Central government may exempt any government agency from the legislation only under exceptional circumstances.

Implications of Withdrawal

  • A growing international consensus is suggesting that next-generation innovation in technology needs data protection.
  • The goal of a one trillion dollar digital economy, fears of a compliance burden can impede innovation and growth.
  • Just like renewable energy or green emission norms, regulatory intervention will improve business practices requiring engineering decisions that focus on user trust.
  • The JPC has nowhere suggested a withdrawal in favor of a “comprehensive legal framework” which is being cited as reason for withdrawal. Rather, it pitched for the Bill to “be passed”.
  • To build stakeholder confidence and clear doubts on specific provisions, a public consultation could have been organized.

Way Forward

  • Today, there is a relentless pace of digitization that relies on gathering personal data in all spheres of our lives - agriculture, education, financial records, health, welfare and labour benefits.
  • This is through portals, policies and even laws that have been passed in haste e.g. collection of biometric samples for storage in electronic databases under the Criminal Procedure Identification Act, 2022 or the linking of Aadhaar with voter records under the Election Laws (Amendment) Act, 2021.
  • The decision to withdraw the Bill lays waste of years of labour and deliberation on a law essential for the protection of every Indian in a digitized society.
  • The government, therefore, must come up with a quick solution after considering the views of all the stakeholders involved. The opinion of the public, the discussion in the parliament and debates among intellectuals are necessary steps to avoid any loopholes in the implementation in future.

Sources: Indian Express  PRS India

Mains Question:

Q. The decision to withdraw the Personal Data Protection Bill lays waste of years of labour and deliberation on a law essential for the protection of every Indian in a digitized society. Discuss by highlighting implications of this decision. [150 Words].