Personal Data Protection Bill (2018): Critical Analysis
Written by Akanksha Singh
Fifth Year, BA. LLB. Symbiosis Law School, Pune
Disclaimer: Please note that the views expressed below represent the opinions of the article's author. The following does not necessarily represent the views of Law & Order.
In August 2017, the Apex Court recognized the right to privacy as a fundamental right under Article 21.  Thereafter, a committee headed by retired judge Justice B.N. Srikrishna was appointed to draft a law to address the issues covered under the right to privacy in India. Before the drafting of this Bill, there was only one Act that claimed to protect sensitive content/information stored on electronic devices - the IT Act, 2000. However, its scope was felt to be inadequate. This is especially true, considering the fact that India’s immense population has the second-largest internet user base in the world. Therefore, a more adequate bill that considered India’s vast population was submitted on 27th July 2018, called the Personal Data Protection Bill. This Bill is similar to the European Union’s legal framework relating to data processing called the General Data Protection Regulation.
Indian Privacy Laws
Before this bill was drafted, privacy law in India was not given much attention. Section 43A in the Information Technology Act 2000 was the only provision that explicitly dealt with data protection. According to this provision, if any sensitive personal information is handled by a corporate body that is negligent in maintaining reasonable security practices, such a body shall be liable if it causes any kind of wrongful loss to the person whom the data belonged to.  It is pertinent to note that this section made only corporate bodies liable. No liability is caste upon individuals or the State.
In addition to this Bill, the Indian Contract Act also, to a limited extent, provides for data protection. Confidentiality clauses related to the disclosure of data in a contract not only protect individuals but also give them a right to sue in case of a breach.
Another legislation that dealt with privacy law generally was the Copyright Act. The definition of ‘literary work’ in the Act includes computer databases, among other things.  Therefore copying of computer data would also be considered an infringement of copyright.
The right to privacy has also been recognized as a type of ‘freedom’ under Part Three of the Indian Constitution after the judgment from Justice K. Puttaswamy v. Union of India. 
Judiciary’s Approach to Right to Privacy
The Supreme Court, in the past in various judgments has held the Right to Privacy as a Fundamental Right. In Kharak Singh v. The State of U.P.  it was held that the right to privacy is a part of the right to personal liberty and movement as well.
In Govind v. State of M.P , the Court also decided the same, stating that the right to privacy applies to personal intimacies at home, marriage, etc. In R. Rajagopal v. Union of India  the Apex Court went as far as to say that this right can be claimed as both a fundamental right and an actionable claim. In Selvi and others v. the State of Karnataka and Ors  the courts went as far as to distinguish between mental privacy and physical privacy.
However in M. P. Sharma v. Satish Chandra (1954) the Supreme Court’s eight-judge bench, while deliberating upon the power of search and seizure by the police, held that privacy is not a fundamental right.  On the basis of this, the Attorney General argued that this privacy is not a fundamental right.
After the Judgment of Justice K. Puttaswamy v. Union of India, the debate has been settled, and the ‘right to privacy’ has been recognized as an intrinsic part of Article 2.  This judgment paved the way for drafting the Personal Data Protection Bill (2018).
The certain important terms have been described in the Bill are as under:
(i) ‘personal data’ is information that can be identifiable to a natural person, whether directly or indirectly. It includes features such as attributes, characteristics, etc. 
(ii) ‘processing’ as a set of operations. It includes organization, use, alteration, combination, retrieval indexing, destruction, etc. 
(iii) ‘data principal’ as a natural person including individuals, HUF, an association of persons, company, etc. whose personal data is to be processed. 
(iv) ‘data fiduciary’ as an individual, State, etc. who determines the reasons for processing data. 
(v) ‘data processor’ as the individual, State etc.who processes data instead of the data fiduciary. This does not include employees of the fiduciary. 
(vi) “anonymization” according to the Bill, means the process of converting personal data to a form in which the principal cannot be identified. 
The bill elucidates certain rights made available to data ‘principles’, i.e. persons to whom the data belongs.
(i) Consent: The bill states that there is no provision for obtaining consent from the individual before processing of the data of an individual. Several grounds are laid down for the consent to be considered valid. It should be free as per section 14 of the Indian Contract Act, 1872. It should be informed as per section 8 of the bill which talks about the information to be given to the individual before processing. It should be specific and clear and lastly, it should be capable of being withdrawn defined on the terms of ease of withdrawal. 
(ii) Correction: Where it is necessary, the individual has the right to correction, completion, and updating of the personal data which is inaccurate or misleading. 
(iii) Data Portability: the data principal has the right to get the personal data that has been provided to the fiduciary in a structured format. However certain restrictions have been provided 
(iv) Right to be forgotten: The individual has the right to reject the usage of personal data by the data fiduciary when the said information has served its purpose, consent has been withdrawn or it is contrary to the provisions of the law. This decision needs to be taken by the Adjudicating Officer. 
The Bill applies to the processing of data:
(i) When the data has been collected or processed within India;
(ii) By the State, company or citizen of India or any or BOP created under any law of India
(iii) By individuals not present in India if it is related to any activity in India. 
4. Grounds for Processing Data
Data can be processed only on the basis of the consent of the principal. However, this is not an absolute right. It can be used without consent if
(i) necessary for the functions of the Parliament or any state legislature, or for providing benefits or permit or license to the principal, 
(ii) mandated under any legislation or for compliance with any order of a Tribunal or Court,[ 23]
(iii) to take prompt action in case of an epidemic, medical emergency, disease, maintenance of public order, etc, 
(iv) required for verification, recruitment or termination of employment, 
(v) for any reasonable purpose defined under the Act. 
5. Processing of Sensitive Personal Data
Sensitive personal data, as defined in the Bill include biometrics, passwords, finances, caste, sex life, sexual orientation, etc. The grounds for processing sensitive data other than consent include the functions of the Parliament and state legislature,  for providing benefits, compliance with any order, for any requirements of the law , or for prompt action. In addition, the data protection authority may specify further categories and grounds for processing the same. 
6. Cross Border Data Transfers
The Bill states that one copy of personal data shall be stored in a data center located within the territory of India. The Central Government has been given the power to identify personal data as critical, which shall only be allowed to be processed in India. Certain categories of data can be exempt from this requirement by the Central Government.  Conditions for transfer of data outside the country have been made extremely elaborate. 
7. Data Protection Authority
The Bill seeks to establish a Data Protection Authority (‘DPA’) to oversee the transfer of data. It shall consist of seven people including a Chairman, such persons shall have expertise in IT and data protection.
It has been entrusted with the duty to prevent misuse, protect the interests of individuals, and ensure compliance with the Act. The duty also includes monitoring, maintaining databases on-site, taking prompt action in case of a breach, examination of audit reports, certification of auditors, etc.
The said Act would have an overriding effect on all existing laws and provides for amendment of the Information Technology Act 2000 and Right to Information Act 2005.
Even though there was a necessity for a consolidated law dealing with data processing so as to protect the privacy of individuals, the present bill has certain issues with it which can be elucidated as follows:
The bill requires the data fiduciary to store a copy of the personal data being processed by it on a data center. This could have financial implications on various industries, as this action would require companies to build servers locally that would result in increased costs. This can also act as a deterrent against companies offering services in India, thereby affecting trade.
The bill provides for certain rights available to the data principal. It also provides for various conditions and restrictions for data processing. However, the individual may raise a complaint only if any harm has been caused or is likely to be caused. There has to be a ‘violation’ in terms of the bill because a mere violation of the ‘rights of the individual’ is not sufficient to raise a complaint. It can also be said that unnecessary burden is being placed on the data principal under this Bill, as he is required to provide proof of the harm caused.
The bill, recognizing the importance of protecting the rights of children who are the biggest users of the Internet, provides for a section that specifically talks about the interests of children.
Additional safeguards have been provided for Internet users who are under the age of 18. It talks about age verification and parental consent.
The provision also discusses the guardian data fiduciary wherein certain entities contain vast information regarding the children and further lays down the duties of this fiduciary relationship, such as the prohibition to profile children or advertise them, etc. Even though the intention behind this provision is good, such rigid requirements might hinder schools, social media organizations, NGOs, healthcare institutions, etc. from working to the benefit of children and other vulnerable sections of the society.
The categorization of financial data under sensitive personal data can be problematic as the government will be able to access the same from private companies, which according to the author, clearly violates the company's privacy.
In addition to local storage of data, the bill also puts various restrictions on cross border transfer. Vast powers have been given to the Central Government to control the transfer of personal data.
The bill gives vast powers to the DPA. For example, it is the DPA that decides whether to inform the data principal or not when there has been a breach. In addition, the bill does not explicitly talk about surveillance. It also has the power to categorize data fiduciaries as significant, issue warnings and directions, conduct inquiries, etc.
Vast exemptions have been provided to the government. Both the state and central governments have been given the power to process data under certain circumstances such as security of the state, maintenance of public order, legal purposes, etc. The government can do this without the consent of individuals. There is no accountability and is likely to be misused by the Government.
The bill also has stringent provisions. The offenses under this Act would be non-bailable, which according to the author, is unnecessary and may create needless fear.
The Bill does not talk about the right to erase. It does talk about the right to be forgotten however this is not an absolute right, there are several exceptions to it.
Lastly, the Bill provides for huge penalties of up to fifteen crore rupees or 4 percent of the data fiduciary’s worldwide annual turnover, which have to be credited to the Data Protection Awareness Fund.  It is not clear why penalties are not to be deposited to the Consolidated Fund of India especially in light of other Acts such as Section 15JA of SEBI which states that penalties need to be deposited into Consolidated Fund of India.  This seems like an unnecessary provision because the money from the penalties could be used in a more fruitful way than only to generate awareness about the Act.  This might lead to conflict and misuse of funds.
Even though the bill is a step in the right direction, it is still not free from certain issues. It has several grey areas and necessarily requires debate and deliberation on a public platform. According to the author, experts in the different fields, especially industrialists need to be consulted with.
Issues like surveillance by non-state actors and intelligence-gathering should be explicitly mentioned in the bill, or rather, a separate law should be made to address these issues.
As mentioned before, the Data Protection Authority and the Central Government have been given vast powers under the bill. According to the author, the decisions about data processing should be made by a court or tribunal especially made for this purpose.
Proper mechanisms should be put into place in companies to assess the readiness of the companies to deal with data breaches.
The major problem according to the author is the adjudicatory process. The Central Government has the power to appoint Adjudicating Officers. The decisions made by the Adjudicating officers go to the Appellate Tribunal whose members are also appointed by the Central Government. Only at the third stage does the case go to the Supreme Court. According to the author, the matters should either go to the District Courts, the High Court, or the Adjudicating Officers. Appellate Tribunal members should be chosen by a collegium of judges consisting of High Court and Supreme Court judges to avoid any kind of bias. As held in L. Chandra Kumar v. Union of India, superintendence by the High court is the basic structure of the constitution and such a principle should be considered on a mandatory basis by the legislature before the finalization of the Bill. 
Stringent provisions regarding imprisonments, i.e. the offenses under this Bill being non-bailable, should be restricted to severe crimes like the sale of sensitive or personal data.
The Bill is far from perfect, but once the necessary changes have been made it has the potential to be an effective law. What is required, is the provisions relating to consent and independence from the government.
 See Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors. AIR 2017 SC 4161.
 § 43A in The Information Technology Act, 2000.
 § 2(o) of Copyright Act, 1957.  Supra Note 1.  Kharak Singh v. The State of U.P., AIR 1963 SC 1295.  Govind v. State Of Madhya Pradesh & Anr, 1975 AIR 1378.  R. Rajagopal v. Union of India,1995 AIR 264.  Selvi and others v. State of Karnataka, AIR 2010 SC 197.  M. P. Sharma v. Satish Chandra, 1954 AIR 300.  Supra Note 1.  § 3(29) of Personal Data Protection Bill, 2018.  § 3(32) of Personal Data Protection Bill, 2018.  § 3(14) of Personal Data Protection Bill, 2018.  § 3(13) of Personal Data Protection Bill, 2018.  § 3(15) of Personal Data Protection Bill, 2018.  § 3(2) of Personal Data Protection Bill, 2018.  § 12 of Personal Data Protection Bill, 2018.  § 25 of Personal Data Protection Bill, 2018.  § 26 of Personal Data Protection Bill, 2018.  § 27 of Personal Data Protection Bill, 2018.  § 2 of Personal Data Protection Bill, 2018.  § 13 of Personal Data Protection Bill, 2018.  § 14 of Personal Data Protection Bill, 2018.  § 15 of Personal Data Protection Bill, 2018.  § 16 of Personal Data Protection Bill, 2018.  § 17 of Personal Data Protection Bill, 2018.  § 19 of Personal Data Protection Bill, 2018.  § 20 of Personal Data Protection Bill, 2018.  § 21 of Personal Data Protection Bill, 2018.  § 22 of Personal Data Protection Bill, 2018.  § 40 of Personal Data Protection Bill, 2018.  See section 41 of Personal Data Protection Bill, 2018.  § 69 of Personal Data Protection Bill, 2018.  § 15JA, The Securities and Exchange Board of India Act, 1992.  § 77 of Personal Data Protection Bill, 2018.  L. Chandra Kumar Vs. Union of India (UOI) and Ors. (1997)3 SCC 261. BIBLIOGRAPHY
“A Free and Fair Digital Economy”, Report of the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna.
Jaideep Reddy, Right to privacy: SC's verdict on KS Puttaswamy case is landmark, but raises five interesting law and policy issues, Apr 23, 2019.
Siddharth Vishwanath, Decoding the Personal Data Protection Bill, 2018, for individuals and businesses, July 15, 2019.
Cyril Shroff and Arun Prabhu, The Personal Data Protection Bill, 2018: A Summary, July 30, 2018.
Information Technology Act, 2000.
Copyright Act, 1957.
Constitution of India, 1949.