A Critical Appraisal of The Personal Data Protection Bill, 2019
Written by Ramandeep Kaur
Class 11, Vivek High School, Chandigarh
Source: The Economic Times
Disclaimer: Please note that the views expressed below represent the opinions of the article's author. The following does not necessarily represent the views of Law & Order.
For the digital world, India- the second leading country in the field of online marketing, introduced the Personal Data Protection Bill. This bill, if passed, will be the second law regarding the protection of an individual’s personal data after the Information Technology Act, 2000. The draft of the Personal Data Protection Bill also has some aspects and provisions from the European Union’s General Data Protection Regulation (GDPR). Through this article, the author highlights the features of the Bill as well as the changes from the version of 2018 and the advantages and complications in regards with the Bill. The author will also be discussing some possible amendments in the draft of this bill.
Keywords- Data Security, Personal Data, Cybercrime, Data Authority
The Personal Data Protection Bill was introduced in the Lok Sabha on December 11th, 2019 by the Minister of Information Electronics and Technology, Mr. Ravi Shankar Prasad but it was not the very first draft of this bill.  The idea of Personal Data Protection emerged in August 2017, during the case Justice K.S. Puttaswamy vs the Union of India, the Government of India created a committee of experts which was headed by B.N Srikrishna, a former judge of the Apex court. The purpose of creation of this Committee was to collect information regarding the issue of personal data protection and to solve this emerging problem. Within a span of a year, the committee gave a solution. The solution included two things- the draft of the Personal Data Protection Bill (PBPD) (2018’s version) and an accompanying report, “A Free and Fair Digital Economy”. The draft made by the committee in the year 2018 had some defects and thus, was amended. The Personal Data Protection Bill, 2019 was a result of all these circumstances.
As the name of the Bill suggests, the purpose of this bill is to provide protection to an individual’s personal data and to establish a system of data authority for the same.
The stakeholders of this bill involve the Government of India, Private companies, and the Indian Law enforcement.
Major loopholes in the PDPB, 2018
As mentioned in the introduction, the version of 2018 of the Personal Data Protection Bill had some complications and due to which it was not enacted as a law by the Indian Government.
● The major defect in the Bill was that the state or the government officials were able to investigate the personal data of the citizens without their consent. The crime for which the state could look into the data of the citizens can include breaking a public order which was not an appropriate reason to investigate the personal lives of the citizens.
● The bill does not allow the transfer of critical data or sensitive data across the borders of India and vica versa. This was leading to a situation where many companies within India and outside India were not able to provide their services to its customers. It was also affecting the import and export business of the country.
● There was also not a clear mention of the functioning of different sectors of the government, their roles and which part of the government can access what kind of personal data.
● Adding up to the previous point, there were many issues regarding the surveillance of data. The bill also didn’t mention the non-state accesses of the data.
● As some provisions of the Personal Data Protection Bill are based on the EU’s General Data Protection Regulation (GDPR), one defect regarding this was that there is no right to be forgotten mentioned in the draft of 2018 as written in the GDPR act of European Union.
It generally means that the person who will collect the data, it is not necessary for them to erase it as well from their system. 
Key changes from the draft of 2018 to 2019 Bill
Because of the above-mentioned defects, the draft of the Personal Data Protection Bill, 2018 was not enacted as a law in India. Keeping this in mind, some amendments were done in the draft of 2018. And a new draft of the Personal Data Protection Bill was made in 2019.
The following are the key changes made in the draft of 2019:
● Consent of the user for the processing of the personal data:
As mentioned above, the draft of 2018 did not mention a lot about the process of the consent of the user. In the version of 2019, there is a term called ‘consent managers’ which is defined as a data fiduciary which can be examined by the data principle with the consent of the user through a proper and accessible platform. 
● Privacy by Design Policy:
The draft of 2019 mentions the concept of privacy by design policy under which every data fiduciary which has been registered will have a design policy created and certificated by the DPA. 
● Erase/ Right to be forgotten:
The draft created by the committee headed by Former Justice B.N. Srikrishna didn’t have any provision such as right to be forgotten which led to the data processor not erasing the personal data from his system after the purpose of the data is complete. However, the draft of 2019 has provisions regarding the erasing of data under the Section 18 of the bill. it seeks for the removal of irrelevant data. 
● Definition of Personal Data:
Under the draft of 2019, what is defined as personal data has been broadened and many new aspects regarding the definition of the term have been added. Personal data is now defined as a data which consists of any trait or characteristic with the help of which a person is identifiable whether online or offline. The personal data also includes the inference which are used for the purpose of profiling. 
● Definition of Sensitive Data:
Largely the definition of what is termed as sensitive data has remained the same as it was in the draft of 2018. But the term ‘passwords’ has been removed and financial data is now a part of sensitive data. Now, the central government can maybe term personal data as sensitive personal data, but they cannot expand the grounds of processing these data. It can only be processed with the consent of the individual.
● Critical Personal Data:
The processing of any data which is termed as ‘critical personal data’ can only be processed by the server which is located within the borders of India.
● Anonymized data:
Anonymization is a process in which personal data is transformed into a data which cannot be associated with any one individual or we can say that personal data is transformed into a kind of data which doesn’t come under the provisions laid out by the Data Processor Authority. 
● Conditions on the transfer of Personal data and Sensitive Personal Data:
The Sensitive Data can be stored in India but for its transfer outside India, we need the consent of the individual. It can only be transferred for data processing only and can’t be stored outside India. The transfer shall take place according to the contract laid out by the DPA and the central government’s approval for the transfer is too needed. 
● Social Media Intermediaries:
Under the draft of 2019, the social media which can harm the data sovereignty or can hurt the security of the state can be classified by the data fiduciary and the DPA can ask these sites to show their data. 
● Creation of a sandbox:
The 2019 draft of the bill requires the authorities to make a sandbox for the purpose of encouraging future machine learning and artificial intelligence. A data authority can use a sandbox for 12 months and it cannot be reviewed more than twice.  sandboxes may be defined as security models for the testing and building a software.
● Selection Committee:
As per the changes made in the 2019 version of the bill, the selection committee comprises Cabinet Secretary, the secretary of the government of India in the legal department and the secretary of the government of India in the electronics and information technology sector. 
● Penalties and compensation:
This part of the bill is generally controlled by the state. The maximum penalty is rupees 5 crores or 2% of the tenure. 
Complications involved in passing of the Bill:
The author believes that the Personal Data Protection Bill, if passed, will benefit India in numerous ways. But it still is a bit flawed and has some complications. According to the understanding of the author, there are majorly two complications that are coming in the way of this bill to be enacted as a law.
The first complication is Data Localization Issue. Data localization is a process under which the data is stored within the borders of a country. Many large companies like Facebook and Google have argued against the process of Data localization. Others say that data localization doesn’t have any relevance in the cyber world.  The process of Data Localization can also have a negative effect on the huge businesses in India and this will surely have an impact on the GDP of the country.
The second major complication according to the author is that of unclarity of the Excessive Liability. Under the draft of 2018 made by the committee headed by former Justice B.N. Srikrishna, the excessive liability was given to the head of the company or the officials who headed the conduct of the company at the time when the case was active. The draft didn’t mention whether or not the same quantity of the fine is to be imposed on both the head and the official and the nature of liability (data fiduciary, data processor) in case of data violation. This issue is also not covered in the draft of 2019. 
Other than these two complications, the invasion of the privacy of the citizens is also a major concern. There have been arguments in the past regarding the Personal Data Protection Bill leading the state to have the power to look into the private lives of the citizens. 
There has been a drastic amount of increase in the no. of cybercrime incidents in India in the past few years. In the 2019, a total of 3.94 lakh cases related to cybercrime were reported and compared to this data, there has been a total of 90% increase this year.  To make the data of the Indian citizens’ safe, a law must be made. Personal Data Protection is a step for the right cause, but it is not yet perfect. It still lacks a few aspects and some of its provisions lack clarity like the excessive liability mentioned under the complications.
As a committee was made in 2017, one should be created again for the revision of this bill. So that the parts which are uncleared can be reviewed and solutions can come to the surface. Right to privacy declared as a fundamental right after the Justice K.S. Puttaswamy vs Union of India, the right to privacy case. It should not be violated. A proper system of working of the government and the police should be written in the draft. Which parts of the Government has the right to look into what kind of data should be made clear. As we have seen in the changes from 2018, many of these steps have already been taken. The post of DPA (Data Processing Authority) has made it clear that the data which needs to be processed will be processed by someone who is an expert in both the legal and the information technology department of the Indian Government. More of these steps will surely result into a proper system of working on this bill.
 Abi Tyas Tunggal, What is the Personal Data Protection Bill, 2019?, Upguard, (July 20, 2020), https://www.upguard.com/blog/personal-data-protection-bill.  Ritansha Lakshmi, Case Summary: Justice K.S. Puttaswamy (Retd.) vs Union of India, 2017, Lawlexorg, (April 10, 2020), https://lawlex.org/lex-bulletin/case-summary-k-s-puttaswamy-retd-v-s-union-of-india-2017/18929.  Santhosh Kumar, The Data Protection Bill 2018- Critical Analysis, IAS express, (August 4, 2018), https://www.iasexpress.net/data-protection-bill/  Key changes in the personal data protection bill,2019 from the Srikrishna Committee Draft, sflc.in, ( November 12, 2019 10:58), https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft#:~:text=The%20PDP%20Bill%2C%202019%20has%20brought%20the%20right%20to%20erasure,for%20the%20purpose%20of%20processing.  Private and confidential, Draft Personal Data Protection Bill, 2019, Deloitte, (January 2020), https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-draft-personal-data-protection-bill-noexp.pdf  Arun Prabhu, The Personal Data Protection Bill, 2019: An Analysis, Cyril Marchand blogs, (December 12, 2019), https://corporate.cyrilamarchandblogs.com/2019/12/personal-data-protection-bill-2019-analysis-india/#:~:text=At%20its%20core%2C%20the%20Bill,or%20connected%20thereto%5B6%5D.  Suneeth Katarki, Namita Viswanath, Ivana Chatterjee and Rithika Reddy Varanasi, India: The Personal Data Protection Bill,2019: Key Changes And Analysis, mondaq, (January 6,2020), https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis  Suneeth Katarki, Namita Viswanath, Ivana Chatterjee and Rithika Reddy Varanasi, India: The Personal Data Protection Bill,2019: Key Changes And Analysis, mondaq, (January 6,2020), https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis  The Personal Data Protection Bill,2019, Trilegal, (December 12, 2019) , https://www.trilegal.com/index.php/publications/analysis/the-personal-data-protection-bill-2019  Private and confidential, Draft Personal Data Protection Bill, 2019, Deloitte, (January 2020), https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-draft-personal-data-protection-bill-noexp.pdf  The Personal Data Protection Bill,2019, Trilegal, (December 12, 2019) , https://www.trilegal.com/index.php/publications/analysis/the-personal-data-protection-bill-2019  Suneeth Katarki, Namita Viswanath, Ivana Chatterjee and Rithika Reddy Varanasi, India: The Personal Data Protection Bill,2019: Key Changes And Analysis, mondaq, (January 6,2020), https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis  Margaret Rouse, Sandbox (software testing and security), searchsecurity, (December 28, 2018), https://www.searchsecurity.techtarget.com  Suneeth Katarki, Namita Viswanath, Ivana Chatterjee and Rithika Reddy Varanasi, India: The Personal Data Protection Bill,2019: Key Changes And Analysis, mondaq, (January 6,2020), https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis  Private and confidential, Draft Personal Data Protection Bill, 2019, Deloitte, (January 2020), https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-draft-personal-data-protection-bill-noexp.pdf  Personal Data Protection Bill 2019, drishti, (December 7,2019) https://www.drishtiias.com/daily-updatedaily-news-editorials/personal-data-protection-bill-2019  Suneeth Katarki, Namita Viswanath, Ivana Chatterjee and Rithika Reddy Varanasi, India: The Personal Data Protection Bill,2019: Key Changes And Analysis, mondaq, (January 6,2020), https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis  Karishma Mehrotra, Explained: The issues, debate around Data Protection Bill, The Indian Express, (December 7,2019) 8;17;31 am https://indianexpress.com/article/explained/personal-data-protection-bill-cyber-security-hacking-6153015/  Aaraz Khan, Cybersecurity Incidents in India Increased by 90% in 2019! , Dazoinfo briefs, (February 5,2020), https://dazeinfo.com/2020/02/05/cybersecurity-incidents-in-india-increased-by-90-in-2019/#:~:text=The%20total%20number%20of%20cybersecurity%20incidents%20in%20India,by%2090%25%20as%20compared%20to%20the%20previous%20year  D Y Chandrachud, Justice K.S. Puttaswamy (Retd) vs Union of India And Ors. On 24 August,2017, Indian Kanoon,(August 24,2017)
Justice K.S. Puttaswamy vs Union of India
Abi Tyas Tunggal, What is the Personal Data Protection Bill, 2019?, UpGuard, July 20, 2020.
Ritansha Laskshmi, Case Summary: Justice K.S. Puttaswamy (Retd.) vs Union of India, 2017, Lawlexorg, April 10, 2020.
Santhosh Kumar, The Data Protection Bill 2018- Critical Analysis, iasexpress, August 4, 2020.
Key Changes in the Personal Data Protection Bill, 2019 from the Srikrishna Committee Draft, sflc.in, November 12, 2019 (10:58).
Private and confidential, Draft Personal Data Protection Bill, 2019, Deloitte, January 2020.
Arun Prabhu, The Personal Data Protection Bill: An Analysis, Cyril and Marchand blogs, December 12, 2019 .
Suneeth Katarki, Namita Viswanath, Ivana Chatterjee and Rithika Reddy Varanasi, India: The Personal Data Protection Bill, 2019: Key changes and Analysis, Mondaq, January 6, 2020.
The Personal Data Protection Bill, 2019, Trilegal, December 12, 2019.
Margaret Rouse, Sandbox (software testing and security), searchsecurity, December 28, 2018.
Personal Data Protection Bill, 2019, drishti, December 7, 2019.
Karishma Mehrotra, Explained: The issues, debate around Data Protection Bill, The India Express, December 7, 2019.
Aaraz Khan, Cybersecurity Incidents in India Increased by 90% in 2019!, Dazoinfo briefs, February 5, 2020.
D Y Chandrachud, Justice K.S. Puttaswamy (Retd.) vs Union of India and Ors. On 24 August 2017, Indian Kanoon, August 24, 2017.
Information Technology Act, 2000
General Data Protection Regulation (GDPR)