Personal Data Protection Bill, 2019

Parliament of India
  • Personal Data Protection Bill 2019
Territorial extent: India
Enacted by: Parliament of India
Legislative history
Introduced by: Ravi Shankar Prasad, Minister of Electronics and Information
Introduced: 11 December 2019
Committee report: Joint Parliamentary Committee (JPC) on Personal Data Protection
Status: Withdrawn

The Personal Data Protection Bill, 2019 (PDP Bill 2019) was proposed legislation of the Parliament of India that was later withdrawn. The bill covered mechanisms for the protection of personal data and proposed setting up a Data Protection Authority of India for that purpose. [1] The 2019 Bill included some key provisions that the 2018 draft Bill did not, such as the power of the central government to exempt any government agency from the Bill, and the Right to Be Forgotten. [2] [3]

Background and timeline

Provisions

The Bill aims to: [15]

to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.

It contained extensive provisions on the collection of consent, the assessment of datasets, data flows and transfers of personal data, including to third countries, and other aspects of anonymized and non-personal data. [16]

Criticism

The revised 2019 Bill was criticized by Justice B. N. Srikrishna, the drafter of the original Bill, as having the ability to turn India into an "Orwellian State". [note 1] [17] In an interview with Economic Times, Srikrishna said that, "The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications." [17] This view is shared by a think tank in their comment number 3. [18]

Fresh criticism on the international level comes from an advisor to a group proposing an alternative text. [19] A moderately critical summary is available from an India scholar working with an American co-author. [20]

The role of social media intermediaries is being regulated more tightly on several fronts. The Wikimedia Foundation is hoping that the PDP bill will prove the lesser evil compared with the Draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018. [21] [22]

Forbes India reports that "there are concerns that the Bill [...] gives the government blanket powers to access citizens' data." [23]

Jaiveer Shergill, a prominent Supreme Court lawyer, has set out the pitfalls and gaps of the current version of the draft bill. He describes serious loopholes: the bill does not identify the scope of governmental bodies in distinguishing who has access to the personal data of citizens, and it lacks state bodies to monitor the personal data. [24]

Withdrawal

The Data Protection Bill was withdrawn from the Lok Sabha and the Parliament, as reported in the Bulletin - Part 1 No. 189 dated August 3, 2022. [14] The withdrawal of the Data Protection Bill came with reports that a more comprehensive version of the Bill may be introduced. [25] [26]

The Digital Personal Data Protection Act, 2023 was passed by the Parliament of India and received the assent of the President of India, making it the country's data protection legislation after the withdrawal of the Personal Data Protection Bill, 2019.

Notes

  1. Orwellian State is a term to denote draconian control of its people by a state as described in the novel ‘Nineteen Eighty Four’ by George Orwell.

References

  1. "The Personal Data Protection Bill, 2019". PRSIndia. 11 December 2019. Archived from the original on 21 December 2019. Retrieved 21 December 2019.
  2. "Key Changes in the Personal Data Protection Bill, 2019 from the Srikrishna Committee Draft". SFLC.in. 11 December 2019. Archived from the original on 21 December 2019. Retrieved 21 December 2019.
  3. Mandavia, Megha (10 December 2019). "Data Protection Bill: Centre has the power to exempt any government agency from application of Act". The Economic Times. Archived from the original on 1 April 2020. Retrieved 10 December 2019.
  4. "Personal Data Protection Bill 2018 draft submitted by Justice Srikrishna Committee: Here is what it says". The Indian Express. 28 July 2018. Archived from the original on 4 December 2019. Retrieved 4 December 2019.
  5. "Personal Data Protection Bill 2018" (PDF). MEITY. Archived (PDF) from the original on 27 November 2019. Retrieved 11 December 2019.
  6. PricewaterhouseCoopers. "Data Privacy Bill 2019: All you need to know". PwC. Archived from the original on 21 December 2019. Retrieved 21 December 2019.
  7. "Draft Personal Data Protection Bill, 2018". PRSIndia. 30 July 2018. Archived from the original on 21 December 2019. Retrieved 21 December 2019.
  8. PricewaterhouseCoopers. "Decoding the Personal Data Protection Bill, 2018, for individuals and businesses". PwC. Archived from the original on 21 December 2019. Retrieved 21 December 2019.
  9. "Union Cabinet clears Personal Data Protection Bill. Major takeaways from Cabinet meet". The Economic Times. 4 December 2019. Archived from the original on 28 February 2020. Retrieved 4 December 2019.
  10. "Cabinet approves Personal Data Protection Bill". The Hindu. PTI. 4 December 2019. ISSN 0971-751X. Archived from the original on 4 December 2019. Retrieved 4 December 2019.
  11. Agarwal, Surabhi. "Joint parliamentary committee wants more time to submit data bill note". The Economic Times. Archived from the original on 19 October 2020. Retrieved 26 June 2020.
  12. "Joint Committee on the Personal Data Protection Bill, 2019 seeks views and suggestions". Archived from the original on 14 June 2020. Retrieved 26 June 2020.
  13. Das, Goutam (17 December 2019). "Personal Data Protection Bill: More drama ahead". Business Today. Archived from the original on 18 December 2019. Retrieved 21 December 2019.
  14. "Bulletin Part-I Lok Sabha" (PDF). Lok Sabha, Parliament of India. Archived (PDF) from the original on 10 October 2022. Retrieved 25 August 2022.
  15. "The Personal Data Protection Bill, 2019" (PDF). Archived (PDF) from the original on 21 December 2019. Retrieved 21 December 2019.
  16. "An Emergent Data Regime on the cards: Relooking at data practices, Sameer Avasarala, Anirban Mohapatra and Arun Prabhu". Archived from the original on 28 September 2022. Retrieved 22 August 2022.
  17. Mandavia, Megha (12 December 2019). "Personal Data Protection Bill can turn India into 'Orwellian State': Justice BN Srikrishna". The Economic Times. Archived from the original on 31 January 2020. Retrieved 21 December 2019.
  18. "Our initial comments on the Personal Data Protection Bill 2019". Dvara Research. 17 January 2020. Archived from the original on 11 April 2020. Retrieved 20 January 2020.
  19. Bhatia, Gautam (19 February 2020). "India's Growing Surveillance State: New Technologies Threaten Freedoms in the World's Largest Democracy". Foreign Affairs. Retrieved 21 February 2020.
  20. Basu, Arindrajit; Sherman, Justin (23 January 2020). "Key Global Takeaways From India's Revised Personal Data Protection Bill". Lawfare blog. Archived from the original on 18 November 2023. Retrieved 23 February 2020.
  21. Agarwal, Surabhi (27 December 2019). "Wikimedia flags worries on data law". The Economic Times. Archived from the original on 30 March 2020. Retrieved 28 December 2019.
  22. "Draft Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018". PRSIndia. 30 January 2019. Archived from the original on 2 January 2020. Retrieved 2 January 2020.
  23. "The Personal Data Protection Bill could be a serious threat to Indians' privacy". Forbes India. Archived from the original on 17 December 2019. Retrieved 21 December 2019.
  24. "Control rather than privacy". The Hindu. Archived from the original on 10 January 2022. Retrieved 10 January 2021.
  25. Avasarala, Sameer. "Data Protection Bill withdrawn: Roadblocks towards a comprehensive data protection framework". Lakshmikumaran & Sridharan Attorneys. Archived from the original on 25 August 2022. Retrieved 25 August 2022.
  26. Avasarala, Sameer. "Advent of a new-era Digital India Act – Key aspects to look out". Lakshmikumaran & Sridharan Attorneys. Archived from the original on 25 August 2022. Retrieved 25 August 2022.