India is the second most populous nation and the largest democracy in the world. The manner in which India has adopted the electronic ecosystem and Internet, has suddenly made the country a very fertile destination for companies to do business. As such, data protection is one issue that becomes extremely relevant for all users, generators, transmitters and recipients of data.
The 21st century not only led to the extensive use of information but also allowed an easy access to everyone through the continuous connection to the internet which in conclusion not only led to the violation of the privacy of an individual but also Article 21 of the Indian Constitution. While there are justifiable uses that are vastly beneficial, such centralization of data profiling of individuals and increased surveillance has led to concerns relating to erosion of privacy of individuals, ability to impact public decision-making process and national security.
Various countries have, over the years, been trying to formulate strategies to counter or control the negative effects of this digital aggregation. Personal privacy of an individual is the central pillar of the protection regime on which the European Union (EU) has adopted a right–based approach to privacy. China adopted a centrally dominant model where personal information is being permitted within the country through legislation on grounds of national security. The USA being a laissez-faire culture, mainly focuses on an individual’s right to be left alone by the State, hence the legislations are giving regard to the personal information which is being processed by their government, where processing of personal information by the private sector has been left open through a notice and choice model.
Both the public and the private sector are engaged in amassing personal data which seems to be generated ceaselessly. Recently, the companies are becoming progressively aware of their duties of confidentiality and data protection, through awareness across the business sectors.
Over the last 25 years, technology has transformed our lives in ways nobody could have imagined so a review of the rules was needed. The emergence of the General Data Protection Regulation (GDPR) was a big step in this direction. The EU in 2016 adopted the General Data Protection Regulation (GDPR) which was regarded as one of its greatest achievements in the recent years. It replaced the Data Protection Directive, 1995 which was adopted at a time when the internet was in its infancy. The GDPR is a regulation in EU law on data protection and privacy of all individual citizens of the EU and the European Economic Area (EEA). However, the GDPR does not apply to the processing of personal data which is done by an individual in the course of a purely personal or household activity or by competent authorities for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties. The step contributed to the data protection awareness drive in India too, as Indian companies that are part of multi-national groups or are driven toward EU businesses have been evaluating their data protection frameworks to make them GDPR compliant. The EU’s data protection laws have long been regarded as a gold standard all over the world.
India has been ranked sixth in GDPR preparedness by a Cisco Data Privacy Benchmark study. In 2018, India released its Personal Data Protection Bill, 2018 for public consultation, which replaced the existing privacy landscape under the Information Technology Act, 2000. The extended consultation period encouraged many businesses to identify process gaps in their compliance. Businesses were aware that once the PDP Bill is notiﬁed, they will need to devote time and resources to manage their exposure.
The Personal Data Protection Bill is an omnibus, cross-sector privacy law, with similarities to the E.U. General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. It is a revised version of the draft Personal Data Protection Bill, 2018, that was proposed in July 2018 by a Committee of Experts set up by the government, chaired by retired Supreme Court judge, Justice Srikrishna. Along with the Bill, the Committee had released their report with views and deliberations giving context to the Bill.
On December 12, 2019, the Personal Data Protection (PDP) Bill was referred to a Joint Parliamentary Committee for further debate and examination. The Parliamentary Committee has been instructed to give its report to the Lok Sabha on the first day of the last week of the Budget Session, February 2020; further changes may be made in the PDP Bill on the basis of the comments of the Parliamentary Committee.
The BN Srikrishna Committee’s recommendation and draft on privacy protection played a significant role in the development of the Personal Data Protection Bill. The highlights of the recommendations were: that the law will have the jurisdictions over the processing of the personal data, if it has been used, shared, disclosed or proceeded in India; Data by the companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India; Data Protection Law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals who are not present in India. Cross border data transfer of personal data other than the critical personal data will be through model contract clauses containing key obligations with the transferor being liable for the harms caused to the principal due to any violations committed by the transferee.
Further, the key essential points included in the Report submitted by Justice Srikrishna Committee on the data protection were: that the personal data shall be processed only for the purposes that are specific and lawful; and that all the firms and agencies will have to appoint data protection officers.
The Bill will act as point of contract for the individuals for raising grievances; individuals will have to withdraw consent. Exemptions have been provided for processing of personal data for journalistic purpose, or for a purely personal or domestic purpose.
Submission of the Parliamentary Committee Report needs to be passed by both the Houses of Parliament along with the President’s assent followed by the notification in the Official Gazette in order for the Personal Data Protection Bill to become a binding law.
The PDP Bill is applicable on the processing of the personal data, i.e. the data about or relating to a data principal who is directly or indirectly identifiable, regarding any characteristic, traits, attribute or any other features of the identity of such data principal. It would be applicable on any ongoing processing, but is silent of the retrospective ability to collect data before law comes into force.
The principles underlining the Personal Data Protection Bill are global regulations, purpose limitation, storage limitation, data minimization and includes consent.
The objective of the Bill is to protect the privacy of personal data, regulate the processing of “conscious” and “juridical” personal data and establish a Data Protection Authority of India (DPAI) for regulations.
The PDP Bill is based on the 2018 Supreme Court verdict declaring “privacy” as a fundamental right under Article 21 of the Constitution in Justice KS Puttaswami v. Union of India. Article 21 of the Constitution is a fundamental right that guarantees protection of life and personal liberty. On August 24, 2018, the Supreme Court held that privacy is a constitutionally protected right which arises out of Article 21 of the Indian Constitution. The protection under Article 21 is not absolute and is subject to certain restrictions. For instance, the right could be restricted if there is a law created by the legislature to restrict the same; such law should promote a legitimate state interest and should not be arbitrary but should be proportionate to the object of the law.
The draft Personal Data Protection Bill is presently under consideration. As on date, the current framework for data protection is set out in the Information Technology Act, 2000 and the rules issued thereunder; most importantly the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The Personal Data Protection Bill is a significant legislation as India has become the back-office of the world and as such, the subject of Data Protection has increasingly gained strength.