Author: Aparna Mukherjee, Student at Symbiosis Law School, Noida.
The term data can have a variety of meanings and can be of different types. The most common ones being computer data, numerical data, biometric data, genetic data as well as personal details of an individual stored in the form of data. All these different types of data fall under the broad definition of ‘data’ in the Personal Data Protection Bill,2019.
The Personal Data Protection Bill, 2019 is a detailed data protection policy which strives to safeguard records, personal data, data transaction, usage and dissemination of the same through its rules and regulations. It also curbs the data from being transferred into the wrong hands who then engage in illegal activities like phishing, impersonation and other types of fraud. 
The Personal Data Protection Bill,2019 was introduced by the Indian Parliament on the 11th December,2019 after long-lasting debate characterize by clash of opinions. The origin of this bill was brought about by a draft legislation submitted by a nine -member committee chaired by Justice B.N. Srikrishna to the Ministry of Electronics and Information Technology (MeitY). The purpose behind the same was to modify the pre-existing legislation on data protection. In other words, the bill focuses on the provisions which circle around how private data can be handled and safely stored, lists the rights available to the citizens with regard to their personal data. In addition to this the bill further prescribes the appointment of Data Protection Authority (DPA) for the correct implementation of this law.
CHARACTERISTICS OF THE PERSONAL DATA PROTECTION BILL,2019
1.Comprehensive definition of the term Sensitized Private/Personal Data– The bill elaborates on sensitized personal data as including passwords, sexuality, genetic data, personal records like income, education, caste, biometric data, data for identification, intersex and transgender status etc. The advantage that India has over other international countries is its broad meaning of data under the Personal Data and Protection Bill,2019. It means international data compliance laws do not include passwords, individual details, sexuality etc. They have a much more restricted interpretation of what they describe as sensitive personal data. As much as this gives the governmental authorities a holistic access to its citizens’ data and personal records, it has its negative effects too.
It would negatively affect trade as many foreign corporations and multinational companies would be hesitant in complying with the provisions of the said bill as it would give a third party an all-round approach to their documentation, data and information; sometimes in fact more than required for business. This in turn, would encourage them to back off from engaging in business with Indian companies.
2.Localization of Data- The term data localization means the process through which a country collects and stores all the personal data of its citizens and sometimes even processes the same for locating criminals, cyber criminals or for transferring of the same internationally.
Under this bill, every service provider has been directed to collect and store a copy of personal data of all the citizens living in a particular area in a data centre within the territory of India. It is obvious for data centres to find this requirement tiresome and expensive as it would expand their running costs.
3.Applicability scope of the bill- The Personal Data Protection Bill,2019 shall apply to all the processed/processing data by states, state related bodies, Indian citizens, Indian corporations irrespective of it being disclosed, undisclosed or shared. In addition to this the same is also applicable to the processing of personal data beyond the Indian territory provided the same is in relation to any activity or business which is characterised by providing goods or services to Indian citizens. The bill also mentions that such activities should fall under the purview of offering its services to Indian consumers and should not be merely circumstantial.
The PDP (Personal Data Protection) shall not be applicable on anonymised or unnamed data. Lastly, it endows the power of exemption from applicability to the Centre if and when any entity engages in data processing of foreign natives not living in India.
4.Focus on excessive liability- The bill increases the liability on the board of directors of any business and administrators in-charge of any activity during the tenure of commission of an offence. Critics have regarded this to be an extreme measure of slapping accountability which even the General Data Protection Regulation (GDPR) of EU; which in case of a crime or infringement of data holds responsible the employee of the business directly related to it and not their entire team of higher authorities.
Along with this because of the lack of clarity in the law, it may so also happen that the board of directors or the supervisors be charged with a hefty penalty sometimes the same as imposed on the company.
5.Regular Review of Stored Personal Data- The data centres/fiduciaries have been assigned the task of reviewing the stored personal data in recurrent intervals. Through this process the centres discard the data which has been already processed and is no longer needed so the same is not preserved beyond its required time. However, this provision has been criticised as being ambiguous as exact period of interval has not been specified as being monthly, annually, bi-annually etc. It also adds to the burden of increased expenses for the companies.
6.The concept of notice- The data administrators is required to lay before the data principal- (i.e.: means a natural citizen whose data is being processed or stored) a notice consisting of all the following details which are i) reason why the data is being processed ii) contact and identification details of the data administrator iii) type and classification of data which is being processed iv) rights available to the data principal v) process of how the data is being developed and retained vi) method prescribes for grievance redressal along with any extra information asked of by the provisions.
It is also mandatory for the notice to be in multiple languages so it can be read by all especially in a diverse country like India.
7.The extent of authority of the DPA- One of the provisions of the bill is to set up a Data Protection Authority that will regulate the enforcement of the said legislation. This body has been given directory, elective, quasi-legislative and judicial powers. The bill further states that powers to granted to the DPA in a systematic manner to avoid multiple conflicts regarding the exercise of power as well as uncontrolled legislation making the purpose of the bill redundant. 
DATA PROTECTION OBLIGATIONS
The PDP bill also lays down the obligations with which the data must comply for it to fall under the purview of processed/processing data under the said bill. In other words, it means that the personal data of any data principal must complete these obligations in relation to processing. The obligations are listed below-
- Quality of Data– The personal data which has been processed should be thorough. The same should not be ambiguous and must be updated from time to time.
- Fair and Reasonable– The listing of data should be in a ‘fair and reasonable’ manner and it should not infringe upon anyone’s right to privacy.
- Purpose, Storage and Collection– The purposes of processing data should be definite, lawful and specified. When it comes to collection the bill states that personal data cannot be collected for marketing, advertising or improving user experience purposes. The data principals must be provided with a notice entailing all the objective for collection and that there shall be a justifiable connection between the both. It shall be stored only during the required period and not beyond that.
- Notice- The concept of issuing a notice to the data principal goes hand in hand with obtaining consent prior to the processing of data. The bill strictly mentions the provisions wherein every data centre must issue an adequate notice to the data principal before collecting the data provided it has not been collected from the data principal itself.
- Principle of accountability- The data fiduciary shall be accountable for protecting the personal data obtained from the principals. It must do so by complying with all the provisions of the bill. 
UNANSWERED QUESTIONS PERTAINING TO THE NEW DRAFT OF THE BILL
- Does the bill provide any restrictions when it comes to processing of an individual’s personal data?
The data fiduciaries have been pressed under various obligations by this bill. As has been mentioned earlier, all data principals must be issued a draft beforehand clearly stating the purpose, way of storage and method of collection of data. The same must be bound by a non-vague, legal purpose. The data fiduciaries must compulsorily make sure the entire processing is adopted along transparent lines, putting across regular updates to their data sources and also taking accountability for breach of any regulations. The fiduciaries have also been instructed to implement security measures and keep the grievance redressal forums active at all times to cater to the complaints of the people. It is also advised for the fiduciaries to conduct a thorough data protection impact evaluation before going through with processing of large scale personal sensitive data.
- What are the grievance redressal mechanisms in case any of the restrictions have been violated?
The bill talks about the setting up of a Data Protection Authority whose job shall be to supervise the entire data processing unit and keep a close eye that all the guidelines are being adhered to. Any individual whose complaint has not been resolved satisfactorily or who is not content with the services of the grievance team can file a complaint regarding the same to the authorities. An appeal shall then be filed to the Appellate Tribunal which shall be followed up from time to time. The matter can be taken to Supreme Court also if it deems necessary.
- Will individuals have absolute rights over their personal data?
This is one question which has constantly dominated the minds of many citizens with the inception of the PDP,2019 bill. No, the individuals will not have absolute rights over their personal data but they retain some basic rights. Which include they shall have the right to know if their data has been processed or not, ask for correction in case flaw is detected, erasure of data, removal of data beyond the required time as well asking for transfer of their data to different data fiduciaries. The individuals shall also have the right to grant consent prior to any action being taken on their data.
- How does the Personal Data Protection Act,2019 vary from the original bill submitted by the Srikrishna Committee?
The bill has been modified before release and a few changes have been incorporated when compared with the original draft. The modified bill also talks about social media intermediaries who shall be maintaining surveillance on internet usage, content upload as well as transfer the government orders of content takedown if any piece of content is deemed to be inappropriate, favours to incite violence against the government, derogatory, hurts sentiments of the common people etc. It makes the scope of data access to the government vaster as the same will now also have access to non-personal or unnamed data for service purposes.
- What are the immunities to the safety measures in case of data processing?
The bill lays down three prominent immunities wherein the data processing can take place even without consent from the particular individual which are: i) In case of legal matters/proceedings ii) Required by the state for issuing benefits to the individual iii) In circumstances involving medical emergency. 
The Personal Data Protection Bill,2019 was approved by the Joint Select Committee in the month of February, 2020. It does provide increased protective course of action to prevent personal data from being put to use for unlawful purposes, followed by stringent penalizing procedures along with being business friendly. However, the provisions pertaining to Government ingression towards acquiring anonymised data as well as introduction of all- inclusive monitoring by the social media intermediaries free from scrutiny and verification borders along the lines of a crack in the people’s freedom of expression and the right to privacy becomes a matter of concern. However, the aftermath of this bill can only be completely measured a few months in the wake of the bill coming into effect.
 ‘Data Protection: Why It Matters And How To Protect It – Access Now’ (Access Now, 2021) <https://www.accessnow.org/data-protection-matters-protect/> accessed 27 February 2021
 ‘Privacy And Data Protection – India Wrap 2020’ (The National Law Review, 2021) <https://www.natlawreview.com/article/privacy-and-data-protection-india-wrap-2020> accessed 27 February 2021
 ‘Why India’S Proposed Data Protection Authority Needs Constitutional Entrenchment’ (The Wire, 2021) <https://thewire.in/tech/india-data-protection-authority-needs-constitutional-entrenchment> accessed 27 February 2021
 ‘Key Features Of The Personal Data Protection Bill, 2019 – Privacy – India’ (Mondaq.com, 2021) <https://www.mondaq.com/india/data-protection/904330/key-features-of-the-personal-data-protection-bill-2019> accessed 3 March 2021
‘India Proposes Updated Personal Data Protection Bill’ (Inside Privacy, 2021) <https://www.insideprivacy.com/india/india-proposes-updated-personal-data-protection-bill/> accessed 3 March 2021
 (2021) <https://www.pwc.in/consulting/cyber-security/data-privacy/personal-data-protection-bill-2019-what-you-need-to-know.html> accessed 3 March 2021