The Personal Data Protection Bill was introduced in Lok Sabha in December 2019 and thereafter was referred by Joint Parliamentary committee. However the decision of the committee was prolonged till monsoon session of July 2021 and was finally asked to submit the report by winter session which was approximately to be held in third week of November. The Personal Data protection law is a piece of legislation trying to give an individual’s more control on how their personal data can be collected, stored and used. Through this bill, a Data Protection Authority was also established for the same.
Proposals and Key Provisions of Bill
The B.N.Srikrishna Committee instructed that all the fiduciaries are required to store a copy of all the personal data of individuals in India. However, it was strongly condemned by foreign technology companies who stores most of Indian’s Data abroad. The Bill divides Dara into three categories and mandate storage of data depending upon which category they fall under.
The types of Data are
1) Personal Data – All the information which reveals identity of the individual such as name, address etc.
2) Sensitive Personal Data – This is a personal data which people would not want to be disclosed such as financial data, health, genetic, sexual orientation etc.
3) Critical Personal Data – Such data which government can anytime declare as critical such as military or nation security data.
The Bill prohibits data mirroring of personal data and consent of the individual is required while transferring such data abroad. Such personal Data is required to be stored in India itself. It can be transferred to aboard only in extreme circumstances and that to with the permission of the Data Protection Agency. Also critical personal data must be stored in India. The Bill also introduced the concept of non-personal data which is an anonymized Data such as traffic patterns etc which must be provided to the government. Social Media Companies which are significant data fiduciaries based on their volume and sensitivity of data are deemed to develop their own verification mechanism to avoid trolling and hate speech.
Key Provisions of Bill
1) The Bill allows that for ‘reasonable purposes’ the processing of data cannot take place without individual’s consent, including security of state or detection of any fraud, medical emergencies, credit scoring and processing of publically available data.
2) An independent regulator data protection authority will be created for monitoring oversees agreements and audits.
3) Every company shall appoint a Data Processing Officer who shall communicate with DPA regarding auditing, grievance redressal, maintenance of company etc.
4) Purpose limitation and collection limitation clauses wrere to be introduced to limit data collection for specific and lawful purpose.
5) Individual shall be given with the right of data portability and access and transfer own data.
6) It shall also make rules on right to be forgotten.
1) Section 35 – Under section 35, the bill invokes ‘sovereignty and integrity of India’ , ‘public order’ ‘friendly relations with foreign states’ and ‘security of states’ and gives the central government the power to suspend all or any of the provisions of the Act for government agencies.
2) Section 12 – Under section 12, some privileges as given to UIDAI from the provisions of the bill as it enables for processing data for provision of service or benefit to data principal.
What is UIDAI?
UIDAI was created to give a unique identification number which is termed as Adhar number to all citizen of India. This system was introduced to eliminate double and false identities. And also to establish a very easy and cheap verification and authentication process.
Duties of UIDAI authority are
1) To enroll Adhar number of every resident and proper authentication
2) Enforcing a smooth system to provide Adhar number without any chaos
3) To authenticate and check the Adhar number of all citizens 4) To protect the sensitive identity information of an individual Why is UIDAI seeking such indemnity from Data Bill?
The Unique Identification Authority of India has claimed to exempt itself from Personal Data Protection Law. The reason behind such exemption is that the authority is already governed by the Adhar Act and there cannot be duplication of legislation.
The discussions of Data privacy suddenly got attention from many due to excessive need of adhar in critical business such as bank activities. The report of B.N.Srikrishna committee acts as a main force behind this bill. During the case of K.S. Puttuswamy v/s Union of India, which dealt with the issue of privacy, the Supreme Court had established the above committee.
The main controversial section which is creating issues is section 35 of Personal Data
Protection Bill 2019. UIDAI is demanding during its meeting with Joint Parliamentary
Committee that it should get a blanket exemption from this Act under this clause. As Adhar Act is already controlling it, the governance of the above bill will be nothing but counterproductive. It should also be noted that such demand of exemption is not made by UIDAI for the first time, but it has also repeatedly claimed it at the early stages of discussions.
There are certain section of the bill which can be interpreted in many different ways. For example, section 12 provides certain leeway to UIDAI from some rigorous provisions of the Bill.
Also it is speculated that apart from UIDAI, there are also some other organizations which are claiming such exemptions. If the bill is enacted, it will result in two separate ecosystems. One with government entities enjoying total freedom from regulations and with unlimited latitude while working with personal information. These entities will fall completely outside the ambit of law. And the other will be private data fiduciaries who will be under obligation to follow every word of law.
This article is written by Neha Bodas of ADV.BALASAHEB APTE COLLEGE OF LAW.