THE PERSONAL DATA PROTECTION BILL, 2019: INTRODUCED AND WITHDRAWN

Background:

• The Personal Data Protection Bill (hereinafter Bill) was introduced in Lok Sabha on December 11, 2019 by Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology.
• The Bill was withdrawn by on August 3, 2022 after it went through intense scrutiny by a Joint Parliamentary Committee (JPC). JPC proposed 81 amendments and 12 recommendations to the Bill.

 The Preamble of the Bill read as follows:

to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.

WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy;

AND WHEREAS the growth of the digital economy has expanded the use of data as a critical means of communication between persons;

AND WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto.

Chapter II and Chapter III deals with “Obligation Of Data Fiduciary” and “Grounds For Processing Of Personal Data Without Consent” respectively.

Chapter VIII deals with “Exemptions”. Section 35 titled, “Where the Central Government is satisfied that it is necessary or expedient” deals “with Power of Central Government to exempt any agency of Government from application of Act”: (i)iin the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or (ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.

Chapter IX provided for establishment of “Data Protection Authority of India”.

41. (1) The Central Government shall, by notification, establish, for the purposes of this Act, an Authority to be called the Data Protection Authority of India.

.Chapter XIII deals with “Offences”

82. (1) Any person who, knowingly or intentionally— (a) re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or (b) re-identifies and processes such personal data as mentioned in clause (a), without the consent of such data fiduciary or data processor, then, such person shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or both.

83. (1) Notwithstanding anything contained in the Code of Criminal Procedure, 1973,

an offence punishable under this Act shall be cognizable and non-bailable.

(2) No court shall take cognizance of any offence under this Act, save on a complaint made by the Authority.

The Bill based its foundation on many important judgments, and Committee Reports. For example the Case of Justice K.S. Puttaswami (retd.) and another Vs. Union of India [WP 494 of 2012] is prime example in which nine judge bench declared “privacy” as fundamental right within the meaning of Article21 of the Constitution of India.

A “Committee of Experts on Data Protection” under the chairmanship of Justice B.N. Srikrishna was constituted on July 31, 2017 to look into the issue of data protection. The Committee submitted its reports on July 18, 2018.

The above Bill is primarily based on the report submitted by the committee, considering the judgments of Supreme Courts.

Recently in an interview Justice B N Srikrishna said, “It is a basic tenet of the Constitutional law that there can be no abridgement of a fundamental right except by a valid Act of legislature. The 2019 Bill allowed that to happen by a mere self-serving declaration of the executive”. Obviously he seems not satisfied the way Bill came out finally. He further said, “There has been strong criticism over exempting government agencies from the Act on the grounds of ‘public order.’”

Mr. Ashwini Vaishnaw, Minister of Railways and Communications said that it better to come out with new Bill rather than making all changes proposed by JPC. The new Bill may include the recommendations of JPC.

PDF Copy of The Personal Data Protection Bill, 2019