New Indian Personal Data Protection Bill
In pursuance to the concern pertaining to data protection, considering the shift to a completely online mode which was especially aggravated by the Covid pandemic and the landmark judgement of Justice K.S. Puttaswamy v. Union of India, wherein the Hon’ble Supreme Court held the Right to Privacy to be an indispensable part of the Right to life enshrined under Article 21 of the Constitution of India, the Personal Data Protection Bill (hereinafter referred to as the PDP Bill), was introduced in the Lok Sabha in the year 2019, by the Ministry of Electronic and Information Technology. The objective of the said bill is to provide for the protection of the personal data of the individuals by the foreign companies, companies incorporated in India and the Government. For fulfilling the said objective, the Bill also provides for the establishment of an authority called the Data Protection Authority. For the purpose of this Bill the data of an individual has been classified as follows:
Sensitive Personal Data, which further includes the data like, health data, financial data, biometric data, etc.
It is important to understand that the processing of the personal as well as the sensitive personal data is done by the entity that is called as the Data Fiduciary and such processing would be subject to specific lawful and clear purposes only as specified under the Bill. The Bill provides in detail regarding the obligations of the data fiduciary which includes ensuring the required accountability as well as transparency measures for the protection of the data of the data principal (the individuals).
The Bill further incorporates the Rights of the Data Principal like obtaining confirmation regarding processing of the personal data by the data fiduciary, having their personal data transferred to some other data fiduciary, in case of any emergency, restricting the disclosure of their personal data by the data fiduciary if the requirement of the same is extinguished or the consent for the use of the data has been withdrawn by the data principal.
Similarly, one of the most important parts of the PDP Bill is that it sets up a Data protection authority, the function of which is to take steps to protect the interests of the data principal by preventing the misuse of his/her personal data and ensure the compliance of the Bill.
Recently a Joint Parliamentary Committee (JPC) on the PDP Bill was set up to prepare a report on the 2019 PDP Bill. The Report of the JPC provided for a draft Bill namely the Data Protection Bill, 2021 (the word ‘Personal Data was removed’ to bring both personal and non-personal data within the ambit of the Bill) after incorporating their recommendations in the 2019 Bill. This Report and the Bill, conceived through the various deliberations, seeks to address all the shortcomings pertaining to Public Policy that plagued the 2019 Bill, and this is one of the reasons the said draft Bill has also been criticized.