The Personal Data Protection Bill, 2019 is an important current affairs topic for the UPSC exam. It is a part of the Governance section of the General Studies Paper-II and can also be a part of the Security segment of the General Studies Paper III. In this article, you can read all about the Personal Data Protection Bill, 2019 and related privacy issues for the UPSC exam.
Personal Data Protection Bill – Introduction
The Personal Data Protection (PDP) Bill, 2019, was introduced in the Lok Sabha and has now been referred to a joint select committee.
Why is the law important?
- Collection of information about individuals and their online habits has become an important source of profits, but also a potential avenue for invasion of privacy because it can reveal extremely personal aspects.
- Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
- To prevent the breach of privacy and unwarranted advertising, this bill was a necessity.
Personal Data Protection Bill Features
The Bill seeks to provide for the protection of personal data of individuals.
- The Bill governs the processing of personal data by:
  - Companies incorporated in India
  - Foreign companies dealing with personal data of individuals in India
- Obligations of data fiduciary: Personal data can be processed only for a specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as:
  - Implementing security safeguards (such as data encryption and preventing misuse of data), and
  - Instituting Grievance Redressal Mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
- Rights of the individual:
  - Seek correction of inaccurate, incomplete, or out-of-date personal data.
  - Have personal data transferred to any other data fiduciary in certain circumstances.
  - Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- Grounds for processing personal data: The Bill allows the processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include:
  - If required by the State for providing benefits to the individual,
  - Legal proceedings,
  - To respond to a medical emergency.
The central government can exempt any of its agencies from the provisions of the Act:
- In the interest of the security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states, and
- For preventing incitement to the commission of any cognisable offence (i.e. arrest without warrant).
- Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and
- Failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.
Personal Data Protection Bill – Impact on Organisations
- Private organisations will have a lot to do, from making technical changes in engineering architecture to modifying business processes. At the core, they need to place limits on data collection, processing and storage, but there’s a lot more.
- Technical security safeguards, including de-identification (preventing an individual’s identity from being inadvertently revealed) and encryption, need to be built in. Any instance of data breach needs to be reported to the regulator.
- Larger organizations—depending on the volume of data, annual turnover and other factors—and social media companies with users above a defined threshold will have additional responsibilities. This includes conducting data protection impact assessments for specific tasks defined by the regulator, periodic security audits and appointing a data protection officer. Additionally, social media platforms would be required to enable users to voluntarily verify their accounts, similar to the “blue tick” on Twitter.
How is it different from the draft?
In the Bill, there are significant changes from the version drafted by a committee headed by Justice BN Srikrishna.
- The Data Protection Authority’s composition is dominated by the government, in contrast with the diverse and independent composition suggested in the committee’s draft.
- In the current bill, the authority’s chairperson and six whole-time members will be appointed on the recommendation of a committee comprising the cabinet secretary, IT secretary and law secretary.
- The draft had said all fiduciaries must store a copy of all personal data in India — a provision that was criticized by foreign technology companies that store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash.
- The Bill removes this stipulation, only requiring individual consent for data transfer abroad.
- Similar to the draft, however, the Bill still requires sensitive personal data to be stored only in India.
- It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA). The final category of critical personal data must be stored and processed in India.
- The Bill mandates fiduciaries to give the government any non-personal data when demanded. Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
- The previous draft did not apply to this type of data, which many companies use to fund their business model.
Personal Data Protection Bill Merits
The merits of the Personal Data Protection Bill are described below.
Personal Data Protection Bill Concerns
The concerns of the Personal Data Protection Bill are described below.
Comparison of Personal Data Protection (PDP) Bill and General Data Protection Regulation (GDPR)
Where are they alike?
- The exceptions given in the Indian Bill and the EU Regulation look similar. Both allow data processing for prevention, investigation, detection, or prosecution of criminal offences. Both also discuss “public security”, “defence”, and “judicial” proceedings.
- The GDPR states: “This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.”
- Consent: The PDP Bill and the GDPR are founded upon the concept of consent. In other words, data processing should be allowed when the individual allows it. Consent carries similar meanings, with words like “free”, “specific”, and “informed”.
- Individual’s rights: Both have similar rights given to the individual, including the right to correction, the right to data portability (transferring your data to another entity), and the right to be forgotten (the right to erase the disclosure of your data).
- But the right to object to profiling is in the GDPR and not the PDP Bill.
- Other similarities: Both place responsibility on the fiduciaries, such as building products that include privacy by their design and transparency about their data-related matters.
- The European Data Protection Board in the GDPR and the Data Protection Authority in the PDP Bill have some similar duties, such as dispute resolution and codes of conduct.
Where do they differ?
- Data Transfer Abroad: One significant difference between the GDPR and the PDP Bill is the framework built around deciding whether or not data can leave the country. Both give a government authority the power to decide if data transfers can occur, but the GDPR more clearly lays out the parameters of this decision.
- Their “Adequacy Decision” is made based on the country’s rule of law, authorities, and other international commitments. The transfer can be made without this decision if there are legally binding rules or other codes of conduct that allow for it.
- The PDP Bill simply states that the Authority has to approve the transfer of any sensitive personal data abroad, without specifying as many details about the other country’s “adequacy” in receiving the data.
- Automated Decisions: The GDPR much more directly addresses personal harm from automated decision-making.
- The PDP Bill requires an assessment in cases of large-scale profiling but does not give the citizen the right to object to profiling, except in the cases of children.
- The sweeping powers the Bill gives to the Government render meaningless the gains from the landmark K.S. Puttaswamy vs. Union of India case, which culminated in the recognition that privacy is intrinsic to life and liberty, and therefore a basic right.
- The idea of privacy is certainly not reflected in the Bill in its current form and hopefully, the parliamentary committee looks into it and due changes are initiated.
Frequently Asked Questions on Personal Data Protection Bill, 2019
Q 1. When was the Personal Data Protection Bill passed?
Q 2. What is the Personal Data Protection Bill 2019?
Q 3. How has ‘data’ been classified as per the Personal Data Protection Act, 2019?
Ans. Data can be classified into three categories:
- Personal data – Name, address, the identity details of a person
- Sensitive personal data (SPD) – Finances, Health, Caste, Religion, Belief, sexual orientation, etc.
- Critical personal data – National or Military security information