Exemption from Personal Data Protection (PDP) Law | 01 Nov 2021
Why in News
The Unique Identification Authority of India (UIDAI) has asked for exemption from the Personal Data Protection (PDP) Law (Data Protection Bill 2019).
Key Points
- Privacy Law: It is commonly referred to as the “Privacy Bill” and intends to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual.
- It derives its inspiration from a previous draft version prepared by a committee headed by retired Justice B N Srikrishna.
- The Supreme Court in the Puttaswamy judgement (2017) held that the right to privacy is a fundamental right.
- Provisions:
- The Bill gives the government powers to authorise the transfer of certain types of personal data overseas and has given exceptions allowing government agencies to collect personal data of citizens.
- The Bill divides the data into three categories and mandates their storage depending upon the type.
- Personal Data: Data from which an individual can be identified like name, address, etc.
- Sensitive Personal Data: Some types of personal data like financial, health-related, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
- Critical Personal Data: Anything that the government at any time can deem critical, such as military or national security data.
- It mandates data fiduciaries to provide the government with any non-personal data when demanded.
- Data Fiduciary may be a service provider who collects, stores and uses data in the course of providing such goods and services.
- Non-Personal Data refers to anonymised data, such as traffic patterns or demographic data.
- A Data Protection Authority has been envisaged for ensuring the compliance of the law.
- It also mentions ‘Right to be Forgotten.’ It states that the “data principal (the person to whom the data is related) shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary”.
- Issues Involved:
- If Personal Data Protection (PDP) Law is implemented in the present form, it may create two distinct ecosystems.
- One with the government agencies who will be completely out of the ambit of the law, giving them complete freedom to deal with the personal data.
- The second will be private data fiduciaries who will have to deal with every letter in the law.
- Section 35: It invokes “sovereignty and integrity of India,” “public order”, “friendly relations with foreign states” and “security of the state” to give powers to the Central government to suspend all or any of the provisions of this Act for government agencies.
- Duplicity: Section 12 of the Act gives UIDAI some leeway from the rigours of the Bill as it enables for processing data for provision of a service or benefit to the data principal. However, even then prior notice has to be given.
- The UIDAI authority is already being governed by the Aadhaar Act and there cannot be duplicity of laws.
- The Supreme Court (SC) in 2018 struck down the national security exception under the Aadhaar Act. It indirectly ensures greater privacy of an individual's Aadhaar data while restricting the government accessibility to it.
- Data Localization
- If Personal Data Protection (PDP) Law is implemented in the present form, it may create two distinct ecosystems.
Unique Identification Authority of India (UIDAI)
- It is a statutory authority established on 12th July 2016 by the Government of India under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar Act 2016.
- The UIDAI is mandated to assign a 12-digit unique identification (UID) number (Aadhaar) to all the residents of India.
- The UIDAI was initially set up by the Government of India in January 2009, as an attached office under the aegis of the Planning Commission.