Draft Personal Data Protection Bill, 2019 | 22 Sep 2021
Why in News
Recently, the Joint Parliamentary Committee (JPC) discussed the Personal Data Protection Bill, 2019 and reopened it for consultations.
- It is expected to submit its report in the Winter Session of Parliament 2021.
Key Points
- About:
- It is commonly referred to as the “Privacy Bill” and intends to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual.
- In December 2019, Parliament approved sending it to the joint committee.
- The Bill gives the government powers to authorise the transfer of certain types of personal data overseas and has given exceptions allowing government agencies to collect personal data of citizens.
- The Bill divides the data into three categories and mandates their storage depending upon the type.
- Personal Data: Data from which an individual can be identified like name, address, etc.
- Sensitive Personal Data: Some types of personal data like financial, health-related, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
- Critical Personal Data: Anything that the government at any time can deem critical, such as military or national security data.
- It removes the requirement of data mirroring (in case of personal data). Only individual consent for data transfer abroad is required.
- Data mirroring is the act of copying data from one location to a storage device in real-time.
- It mandates data fiduciaries to provide the government with any non-personal data when demanded.
- Data Fiduciary: It may be a service provider who collects, stores and uses data in the course of providing such goods and services.
- Non-Personal Data refers to anonymised data, such as traffic patterns or demographic data. In September 2019, the government set up a new committee to recommend a framework to regulate non-personal data.
- The Bill requires companies and social media intermediaries, which are “significant data fiduciaries”, to enable users in India to voluntarily verify their accounts.
- It would be visible in a “demonstrable and visible mark of verification, which shall be visible to all users of the service”.
- This intends to decrease the anonymity of users and prevent trolling.
- A Data Protection Authority has been envisaged for ensuring the compliance of the law.
- It also mentions ‘Right to be Forgotten.’ It states that the “data principal (the person to whom the data is related) shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary”.
- It is commonly referred to as the “Privacy Bill” and intends to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual.
- Advantages:
- Data localisation can help law-enforcement agencies access data for investigations and enforcement and also increase the ability of the government to tax internet giants.
- Instances of cyber-attacks (for example, Spyware Pegasus) and surveillance can be checked.
- Social media, which is sometimes used to spread fake news, can be monitored and checked, preventing emerging national threats in time.
- A strong data protection legislation will also help to enforce data sovereignty.
- Disadvantages:
- Many contend that the physical location of the data is not relevant in the cyber world as the encryption keys may still be out of reach of national agencies.
- National security or reasonable purposes are open-ended and subjective terms, which may lead to intrusion of the state into the private lives of citizens.
- Technology giants like Facebook and Google are against it and have criticised the protectionist policy of data localisation as they are afraid it would have a domino effect in other countries as well.
- It had been opposed by social media firms, experts and even ministers, who said that it had too many loopholes to be effective and beneficial for both users and companies.
- Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.