The latest version of the Bill included both personal and non-personal data in its ambit, which would be dealt with by a Data Protection Authority.
On August 3, the Centre withdrew the Personal Data Protection (PDP) Bill. This came after a joint parliamentary committee (JPC) spent two years deliberating the 2019 draft of the Bill before finally tabling its report in December 2021.
For months after the report was tabled, it was expected that the Bill would be enacted, which would give the country its first data protection law.
With the Bill now withdrawn, it is unclear when the new set of laws that the government is planning to bring in to replace the PDP Bill 2019 will come into being.
Let’s take a look at what constitutes personal data, the PDP Bill, and what it proposed to do — in chronological order starting from 2017.
In 2017, after the Right to Privacy was deemed a fundamental right, the Central government set up the Justice BN Srikrishna Committee to assess personal data and its protection. The committee prepared and presented its draft in 2018. After that, based on the draft and after multiple inter-ministerial consultations, the Personal Data Protection Bill was cleared by the Union Cabinet, and it was tabled in Parliament on December 11, 2019.
The Bill, in essence, aimed to protect the personal data of individuals and their Right to Privacy by bringing in regulations to oversee the manner in which personal data is processed, and to provide remedies or penalties for people who have been affected by data breaches, unlawful processing of data, and so on.
What is personal data and breach of personal data?
According to the draft Personal Data Protection Bill 2019, ‘personal data’ is any data about or relating to a person, who is directly or indirectly identifiable, whether online or offline, and shall include any inference drawn from such data for the purpose of profiling.
The Bill also categorises certain personal data, such as financial, biometric, caste, religious, etc, as sensitive personal data.
Personal data breach, according to the ‘definition’ section of the draft, is “any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to, personal data that compromises the confidentiality, integrity, or availability of personal data to a data principal”.
What did the Bill propose?
The Bill proposed the creation of a Data Protection Authority, a single data protection body established by the government. This proposed authority would look into breaches of personal data and ensure compliance of data fiduciaries with the Bill.
According to the PDP Bill 2019, a data fiduciary is an entity or individual who decides the means and purposes of processing personal data. The Bill also contained provisions for appointing data protection officers (DPOs), who would be appointed by data fiduciaries and would be responsible for adhering to the provisions of the Bill.
Overall, the Bill proposed restrictions on the use of personal data without the consent of citizens. In terms of processing of data, the Bill proposed a framework that would regulate cross-border transfer of data, and accountability of data fiduciaries handling such data, among others.
Who had to comply?
The now-withdrawn Bill would have governed processing of data by the government, companies incorporated in India, and foreign companies dealing with personal data of individuals in India.
Why was it criticised?
The 2019 draft was criticised over concerns regarding Section 35 and Section 12 (a) of the Bill. Let’s see what these sections say:
According to Section 35 of the Bill, the Central government would be empowered to exempt any government agency from the provisions of the law in the interest of India’s sovereignty, integrity, public order, and so on. The exemption could be accorded if the government was satisfied that it was necessary to do so, albeit ‘subject to procedures, safeguards, and oversight mechanisms to be prescribed by the government’.