After two years of debate and five extensions, a joint parliamentary committee has completed the preliminary report on the Data Protection Bill. The findings and suggestions are now expected to be presented to Lok Sabha Speaker Om Birla.
In December 2019, the Data Protection Bill draught was referred to a legislative subcommittee. It has advocated for the storage of sensitive personal data in India, the duty of data fiduciaries to implement protections, and the establishment of a grievance redressal process.
Personal data protection (PDP) legislation
The legislative proposal comes after the Supreme Court proclaimed privacy a basic right in 2017 and urged the government to develop a data protection policy.
The Ministry of Electronics and IT established a data protection expert group in July 2017. (MeitY). Justice BN Srikrishna, a former Supreme Court judge, led the group that suggested a personal data privacy bill and published its findings in July 2018.
On December 11, 2019, the Personal Data Protection Bill 2019 was tabled in the Lok Sabha.
Soon after, it was sent to a joint parliamentary committee, which was tasked with submitting a report by the end of the 2020 budget session. The committee has received five extensions since then.
What is the purpose of the PDP Bill?
The bill’s goal is to preserve individuals’ privacy by controlling how their data may be used and processed. Its goal was to develop a framework for how governments, private enterprises, and people might process data.
It requires the storage of sensitive personal data in India. The bill also allows customers the option to revoke their approval at any moment. It asks for the establishment of a Data Protection Authority to defend individual rights while also ensuring compliance. Failure to comply with the legislation will result in a penalty of 4% of the company’s yearly turnover.
It also includes a clause that exempts the government from prosecution in issues of national security.
Laws under the drafted Bill
Government authorities stated that the report was accepted “unanimously,” although a few opposition members indicated they had written or were in the process of submitting their dissent notes before the committee head, PP Chaudhary, set a November 24 deadline.
The bill, which has 99 sections, earned 93 recommendations from the commission. The report is expected to be tabled before the conclusion of the first week of Parliament’s winter session, which begins on November 29.
Section 12(a)(i) exempts the government and its agencies from the requirement to provide permission. The opposition members were opposed to broad exclusions and sought some checks. They further emphasized that, while commercial enterprises would be allowed two years to transition to the new data security framework, government organizations would not be granted the same time frame.
The opposing members also alluded to the Supreme Court’s nine-judge privacy verdict in the Puttaswamy case in August 2017 and lamented that it was only applicable for a tiny segment of Indians in the Data Protection Bill.
Views of Leaders
Members of the BJP and the NDA believed that national security should take precedence above individual privacy, and hence that the exemptions granted to government agencies were justifiable. They also supported Section 12, claiming that personal data used to establish identification and other bona fides must be provided in order to get benefits from the Public Distribution System, during security checks at airports and public places, and banking services such as RTGS, among other things.
Manish Tewari, a Congress member, wrote a comprehensive dissent letter expressing his dissatisfaction with the exemption granted to government entities. He emphasized that this was a breach of the Fundamental Right to Privacy.
Other points raised by Tewari in his dissent note concern the definition of a child in section 3(8) and access to various types of information and data on the internet. He also proposed that, in the instance of a government agency surveilling a person under section 3 (23), authorization from a court of law be made mandatory.
Tewari also stated that social media intermediaries should be required to authenticate the identities of their subscribers. He also stated that any individual should have the right to submit a first information complaint against such an intermediary for failing to do so, and he made ideas for the makeup of the legal bench and other organizations dealing with data protection legislation violations.
Some panel members felt that some revisions included in the original draught, while the committee was led by Meenakshi Lekhi, were eliminated or weakened in the final document.
