“The idea of the Personal Data Protection Bill 2019 is to create a relationship of trust between person and entities processing the data” [1] 
In the 21st century, data is the new oil of the digital economy. Ravi Shankar Prasad, Minister of Information Technology, once said that by 2025 India can create a $1 trillion digital economy.
To safeguard and regulate the most valuable asset of this era, the Government formed the Justice BN Sri Krishna Committee. The committee submitted its report in 2018. Further, on 11th December 2019, the Minister of Electronics and Information Technology tabled the much-awaited Personal Data Protection Bill 2019 in the Lok Sabha.
Strangely, this was done without prior presentation of the bill to the IT Standing Committee. The present bill is a changed version of the Sri Krishna Committee draft. Further, in an interview, Justice BN Sri Krishna stated that the 2019 bill has given too much autonomy to the Government and that there are implications that data might get misused. [2] It raised many eyebrows and made people doubt the intentions of the Government. The Bill is currently being analyzed by a Joint Parliamentary Committee before it is taken up for passing.

PDP Bill 2019 is Indeed Violating Our “Right To Privacy”
In the landmark judgement of K.S Puttaswamy v. U.O.I [3], the Right to Privacy was recognized as a Fundamental Right under Article 21 [4] and Part III of the Indian Constitution. It laid down the tests for various restrictions on the Right to Privacy, but unfortunately these are not mentioned in the 2019 Personal Data Protection Bill, although the Sri Krishna Committee had encompassed them in the draft bill.
The most controversial aspect of the bill is section 35 [5], which allows the complete exclusion of a Government agency from the Act if it is in the interest of the state. The exclusion does not have to satisfy the tests of necessity or proportionality laid down in the judgment. [6]
There is a threat that instead of protecting the data, the Government might misuse citizens’ personal data to fulfil its own agenda. According to the bill, regulated consent can prove to be the best way to protect personal data, and section 11 of the bill therefore lays down that consent should be “free, informed, specific, clear and capable of being withdrawn”. The question that now arises is whether the mere regulation of consent can protect the privacy of data principals. Various studies and research show that users hardly spend any time reading a licensing agreement; they just click on the agree button and give the “consent” to access their private data. If they deny the terms and do not give consent, they lose the opportunity to avail of the benefits that giving consent would bring. Therefore it can be said without a shadow of a doubt that the data principal is indirectly compelled to give access to their personal data, thereby endangering their privacy. The “right to withdraw” also comes with consequences: if the reason given for withdrawing is not valid, the individual has to bear the legal consequences arising out of it.[7] All this deters a person from withdrawing consent.
Another thing introduced in the bill is the concept of “voluntary verification”. [8] Social media intermediaries will offer an option of voluntary verification to users, and those who take it would be distinguished by a verification mark. People who do not have this verification mark would be under constant observation by the Government as to why they did not verify, and hence would be under pressure to do so.
The bill by its name claims to “protect the personal data” of individuals but in reality places too much power in the hands of the Government, power that is susceptible to misuse.

India has always been an advocate of data localization in order to protect the privacy of individuals, national security interests, and access to data for law enforcement. The Justice Sri Krishna Committee draft recommended that all personal data must be stored in India. The Data Protection Bill 2019 has diluted the data localization provision by dividing personal data into two categories, i.e. sensitive personal data and critical personal data. Now only a copy of sensitive personal data has to be stored in India. This provision has defeated the reason for data localization, as now a copy of only a limited amount of data would be stored in India.[9] With this limited data, it would be difficult for the government to achieve the benefits of data localization.
Sensitive personal data is a subset of personal data which includes data related to “financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation under its ambit” as defined under Section 3(36) [10] of the Act. On the other hand, section 32(2) [11] of the Personal Data Protection Bill 2019 states that critical personal data can be processed outside the country. Strangely, the constituents of critical personal data have not been defined in the Act.
The major flaw in this provision is that it is not possible for all private companies to segregate critical and sensitive personal data. For example, on a social media platform, an individual might be talking about their dinner plans at one moment, but at another moment they will be talking about a health-related issue. Thus the data localization provision has lost its true meaning and is of no use.

The Act has made provision under Section 41 [12] to establish an authority called the Data Protection Authority (DPA). The DPA has adjudicatory power, advisory power (giving recommendations to the government), legislative power (drafting the regulations), and executive power (enforcing the regulations).[13] There is no authority in the state, hence no separation of power. The amount of power that has been attributed to the DPA is dangerous and can be easily misused.
The Justice Sri Krishna Committee recommended that the selection process for the DPA should include the Chief Justice of India and a civil society expert, but the Personal Data Protection Bill 2019 under section 42(2) [14] states that the DPA would consist of six members and that they would be appointed at the discretion of the Central government. The criteria for the appointment of these members are also vague. Further, it is also expected that cases involving government departments and agencies would be taken up by the DPA. The proposed nomination process might affect the independence of the authority, as it is completely dependent on the Central government.
It is also interesting to note that the Central government has discretion over the salaries and terms of service of the members. This might be used as a threat to intimidate the DPA. All these provisions give the government complete discretion over the members that would run the tribunal. A major revamp of the provisions is required in order to maintain the autonomy of the authority.

The Personal Data Protection Bill 2019 has too many flaws to be passed as law. In order to strengthen the bill, the principles of the K.S Puttaswamy judgement should be incorporated. Further, all personal data must be stored in India, as recommended by the Justice Sri Krishna Committee, so as to have the benefit of data localization in its true sense. The autonomy of the Government in the DPA can be reduced by involving a judicial person in the selection committee. Lastly, a local DPA can be established in every state in order to decentralize the power.
The bill is in Joint parliamentary session and we are expecting these changes to be adopted accordingly before it becomes law; otherwise the whole purpose of it would be defeated and it will be reduced to a mere weapon in the hands of the Government to exploit data.

[1] The Personal Data Protection Bill, 2019, Preamble.
[2] Nasscom, Nasscom-Dsci Feedback on The Personal Data Protection Bill, 2019 (Feb. 25, 2020).
[3] K.S Puttaswamy v. Union of India, (2017) 10 SCC 1 [hereinafter Puttaswamy].
[4] INDIA CONST. art. 21.
[5] The Personal Data Protection Bill, 2019.
[6] Puttaswamy, supra note 5.
[7] The Personal Data Protection Bill, 2019, §11.
[8] Id. at §93.
[9] Arun Prabhu & Molshree Shrivastav, The Personal Data Protection Bill 2019, A CYRIL AMARCHAND MANGALDAS BLOG (Dec. 12, 2019).
[10] The Personal Data Protection Bill, 2019, §3(36).
[11] Id. at §32(2).
[12] Id. at §41.
[13] Trisha Jalan, #NAMA: Data Protection Authority’s independence and powers under the Personal Data Protection Bill 2019, MEDIANAMA (Jan. 29, 2020).
[14] The Personal Data Protection Bill, 2019, §42(2).
