We live in a world where our data, personal interests, and financial data are the most valuable things. Ever wondered why you see certain ads on your social media sites? Maybe something you were shopping for earlier, or something that seems oddly targeted to you?
Amid a fast-paced internet world, consumers have been generating a lot of data, which has allowed companies to show them personalised advertisements based on their browsing patterns and other online behaviour. But while that happens, companies store a lot of these datasets without taking your consent, and don’t even take responsibility when the data leaks.
To hold such companies accountable, the government in 2019 tabled the Personal Data Protection Bill for the first time.
The Bill was necessitated by the Supreme Court judgment on the right to privacy, following which a committee was formed. India had banned several Chinese mobile apps in 2020. This was one of the reasons why the need to protect data of Indian citizens had acquired greater urgency due to a tense border standoff with China as well. A Joint Parliamentary Committee was set up in 2019 to study the provisions of the bill and give its recommendations—and it submitted its report on November 22.
The Bill was necessitated by the Supreme Court judgment on the right to privacy, following which a committee was formed.
India had banned several Chinese mobile apps in 2020. This was one of the reasons why the need to protect data of Indian citizens had acquired greater urgency due to a tense border standoff with China as well. A Joint Parliamentary Committee was set up in 2019 to study the provisions of the bill and give its recommendations—and it submitted its report on November 22.
Personal Data Protection Bill
The bill sets up three different categories of data — personal data, sensitive personal data, and critical personal data. Each category of data carries with it separate obligations and regulatory requirements. Indian companies as well as foreign companies dealing with data of Indian citizens will have to comply with the Act.
Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. Sensitive personal data includes financial data, biometric data, caste, religious or political beliefs, genetic data,or any other category of data specified by the government. Critical Personal Data ‘means such personal data as may be notified by the Central Government to be the critical personal data.
Simply put, The bill requires companies to:
- Tell you about their data collection practices and seek your consent—and store evidence of such consent.
- Create a system that allows you to withdraw your consent.
- Give you the right to access, correct, and erase your data.
- Make changes to protect your data better—and in a manner where privacy is a key consideration in how the business is organized.
Ensure all “sensitive personal data” is stored in India and that “critical personal data” is not transferred out of India.
Transfer Of Data Outside India
As per the bill, sensitive personal data may be transferred outside India for processing if consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
The JPC headed by BJP’s P P Chaudhary has said that the Centre “must ensure data localisation clauses under this legislation are followed in letter and spirit by all local and foreign entities, and India must move towards data localisation gradually.
What does the bill mean for us
As users, we all want control over our data. This includes knowing who’s collecting data, where it’s being stored, how it’s being used and what can be done if it’s misused instead.
It provides people what is known as the “Right to be Forgotten” — where we can restrict the disclosure of our personal data. You and I can erase our personal data. However, this is subject to certain conditions, such as when the data is no longer necessary for the purpose for which it was processed.
One of the primary criticisms of this Bill is the amount of power it gives the government.
The bill allows the government to process personal data without consent in cases where the government wants to provide a benefit or service, issues a certification, license or permit, to comply with a court order, to provide medical treatment and health services, to ensure safety “during any disaster or any breakdown of public order”, among others.
The bill comes at a time when similar legislation is being introduced in other countries that seek to maintain the right to privacy of citizens in a digital age where companies seek to track every piece of information of citizens for their own gain.
With JPC’s report out and the bill being all set to be tabled in the winter session of the parliament, it is to be seen,however, if the PDP Bill of 2019 can produce similar levels of success.