The Personal Data Protection Bill, 2019, was presented in Lok Sabha on 11th December 2019 by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad. The PDP Bill, 2019 aims to ensure the privacy and security of personal information of individual citizens, to generate a structure for handling of such personal information, and builds up a data protection authority for that intention.
This bill of 2019 is largely guided by the principles of the General Data Protection Regulation, 2016 and the Supreme Court of India’s landmark decision in the well-known case of Justice K.S. Puttaswamy (Retd.) & Anr. Vs. Union of India, in which the Constitution of India affirmed the right to privacy as a fundamental right. PDP Bill of 2019 seeks to protect and ensure individuals’ right to privacy with regard to their personal data, and controls and monitors the entities storing said personal information.
This PDP bill of 2019 was drafted primarily in compliance with the provisions of the Draft Personal Data Protection Bill of 2018. Though, Bill of 2019 has made some critical changes and improvements to the Bill of 2018, but there are still some issues that have been hotly observed and explored under the Bill of 2018, that are still in a need to get resolved.
The 2019 bill calls for the creation of a Data Protection Authority similar to those found in EU members, and specifies the types of sensitive personal data to be covered. Along with many other items, the bill requires corporations to get consent from the user in a “data fiduciary” position before accessing their sensitive personal data, and it would authorize Indian people to withdraw approval to disclose such data or information.
This new bill gives government the power to order any organization to provide it on request with anonymous data and non-personal data. But if the government needs access to confidential personal data, it actually has to raise a concern regarding national security, the state’s “sovereignty or integrity”, ties with overseas countries or the extremely ambiguous “public order” to force private businesses to gain access.
The 2019 Bill regulates the handling of personal information by: (i) government, (ii) corporations formed in India, and (iii) international companies in India concerned with personal data of individuals. Personal data is data that relates to personality traits, characteristics or qualities that can be used to recognize any person. The Bill classifies some personal data as sensitive personal data. This includes financial information, biometric information, caste, religious or political beliefs or some other type of data defined by the Government. However, the Government has still not identified “Critical Personal Data.”
A comparison with the Bill of 2018-
Although the overall basic structure of the PDP bill of 2019 matches with the 2018 bill. Still, there are few fresh concepts that have been introduced such as, social media intermediary, consent manager, sandbox for promoting artificial intelligence innovation, machine learning as well as other evolving public interest technology.
The rules about Data Protection Officer eligibility standards, details to be reported by the Data Fiduciary in order to ensure clarity, and the concept of Recovery Officer have also been eliminated and the data localization and transfer requirements have also been eased.
The “right to erasure” is a major addition from the Data Principal viewpoint. One such new right enables the Data Principal to ask the Data Fiduciary to remove any personal data that is no longer needed for the reason by which it is collected. This new right i.e., right to erasure is in addition to the “right to be forgotten”, which was already included in the Bill of 2018.
The PDP bill 2019, added social media intermediaries under its ambit. However, certain intermediaries which primarily enable commercial or business-oriented transactions, provide access to the Internet, in the nature of search-engines, on-line encyclopedias, e-mail services or online storage services have already been excluded.
In the PDP Bill 2018, data fiduciaries had to preserve a copy of all personal information in India, with the exception of certain categories of personal data that were excluded from the local storage prerequisite. But, the 2019 Bill, somehow doesn’t, have any localization or data transmission restrictions for personal data not deemed sensitive and critical. Along with this, the requirement for data localization and data transfer constraint was considerably loosened in the PDP Bill 2019 as compared to that of 2018.
Flaws in the Personal Data Protection Bill, 2019-
There is no doubt that the Personal Data Protection Bill, 2019, represents a massive step forward in order to ensure that Indians achieve more control over their data. There are, even then, some provisions which can be amended to better suit the said objective. Section 25 of the Bill, which enables the Data Protection Authority, the assigned governing agency, the discretion to notify the person of the violation of his / her data, is a provision. This very such provision should be eliminated, and leaks, be they major or minor, should be intimated directly to the individual involved.
In addition, immense responsibilities have been bestowed on the Centre, allowing it to exclude any government agency from data processing as allowed by this legislation. Certain reasons for which the government can do so is for public order, and also for India’s sovereignty and integrity. The government has also been given the authority to issue binding directives as it sees fit for the Authority. That directly hinders the body’s autonomy and renders it vulnerable to political needs.
A perception from various sectors, for example insurance and banking, represents that the concerned authorities, in particular RBI and IRDA, have defined rules and guidelines on data protection in that division. It is vitally important that all such powers exist entirely with the Data Protection Authority for a smooth and thorough data protection legislation. Presently, there is no clear mention of all such provisions in the Bill.
Though the PDP Bill, 2019 contains some ambiguities, still this Bill is a landmark legislation. It may come on its correct course with the installation of certain new things along with a few modifications. Concise form of provisions and privacy-centric approach of people can help it become a phenomenal form of legislation. Seeking to understand difficulties the 2019 Bill still faces, it still captures the purpose of securing and protecting personal data and enriches the Data Principals.
It will definitely involve energy / cost to put proper measures in place. Strict punishments, respectively fine and confinement, have also been supplied in order to prevent the Data Fiduciary from non-compliance. Along with its deficiencies the PDP Bill 2019, is a hotly anticipated move in the correct way.
 By BW Online Bureau, Personal Data Protection Bill Introduced in Lok Sabha, Prasad Proposes Sending it to Joint Select Committee, BW Business World, (May 30, 2020, 5:00pm), available at: http://www.businessworld.in/article/Personal-Data-Protection-Bill-Introduced-In-Lok-Sabha-Prasad-Proposes-Sending-It-To-Joint-Select-Committee-/11-12-2019-180194/.
 Justice K.S. Puttaswamy (Retd.) & Anr v Union of India, W.P. (CIVIL) NO 494 OF 2012.
 India – The Personal Data Protection Bill, 2019: Key Changes and Analysis, Conventus Law, (May 30, 2020, 5:00pm), available at: http://www.conventuslaw.com/report/india-the-personal-data-protection-bill-2019-key/.
 Explanation to Section 26 (4) of the Personal Data Protection Bill, 2019.
 Explanation to Section 23 of the Personal Data Protection Bill, 2019.
 Section 40 of the Personal Data Protection Bill, 2019.
 Section 18 of the Personal Data Protection Bill, 2019.
 Section 27 of the Personal Data Protection Bill, 2018.
 Section 25 of the Personal Data Protection Bill, 2019.