Draft Personal Data Protection Bill, 2019

Introduction

The Personal Data Protection Bill, 2019 [PDP Bill, 2019 or PDPDB 2019] was introduced in 2019 with the aim of providing a clearer and robust framework for the protection and processing of data and data-related rights for the Indian citizens. Since, the usage and attendance for internet and internet-related services were showing unprecedented rise, the need for protecting the privacy rights of individuals in addition to the use of data by the entities was said to be the focal point of address.

Although, the Bill never saw the light of the day, notable developments accompanied the Bill before heading for further scrutiny at the hands of the Joint Parliamentary Committee who, after great deliberation and considerations, published a report based on the comments and recommendations made by the stakeholders.

In this write-up, the PDP Bill, 2019 shall be discussed in detail, focusing on its history, key provisions which came along with it as well as the strengths and weaknesses before concluding.

2. The Genesis of the PDP Bill, 2019

In July 2017, a committee led by Justice B.N. Srikrishna was established to examine India’s data protection framework and propose a new data protection law. In July 2018, the committee released a draft Personal Data Protection Bill 2019, which drew from the principles of the European Union’s General Data Protection Regulation (GDPR) and aimed to provide individuals with extensive data protection rights while promoting India’s digital economy. The draft bill was open for public comments until September 2018, after which the committee submitted its report on the bill to the Ministry of Electronics and Information Technology (MeitY).

In December 2019, the MeitY introduced the Personal Data Protection Bill, 2019, in the Lok Sabha, the lower house of the Indian Parliament. The bill incorporated several of the Srikrishna committee’s recommendations but also made significant changes. These changes included weakening the provisions on individual rights and consent, as well as giving the government more powers to exempt specific data processors from the bill’s requirements. The bill is still under review and has yet to be passed into law.

3. Key Provisions of the PDP Bill, 2019

I. The Consent Factor:

The PDPB incorporates the consent rules included in the 2018 Bill, but it specifies that agreement must be expressly sought after the data principal has been given the option to individually consent to the use of several kinds of sensitive personal data [Clause 11(3)]. However, the PDPB also states that the provision on consent shall not be applicable for the State to perform any function for which the State is legally authorized, for the State to provide any service or benefit to the Data Principal, or for the State to issue any certification, license, or permit for the Data Principal to take any action [Clause 12].

II. The Right to Confirmation and Access:

The PDPB incorporates the provisions of the 2018 Bill while additionally granting the data principal the ability to obtain in one location the identities of the data fiduciaries and the kinds of personal data shared with them [Clause 17(3)].

III. Right to Correction and Erasure

According to the 2018 Bill, the data principal has the right to request from the data fiduciary that erroneous or misleading personal data be corrected, incomplete personal data be filled up, and outdated personal data be updated. The data fiduciary may disagree with the necessity for such adjustments, but the data principal may then demand that the data fiduciary make it clear that they dispute the personal data in question (Clause 25). The PDPB offers a similar perspective.

IV. Right to Data Portability

The Srikrishna Report believed that the right to data portability was essential for the smooth operation of the digital economy and that it also gave data owners more influence over their own personal information (Page 75). Consequently, the 2018 Bill permits data principals to have their personal data transferred if such processing has been carried out by automated means [Clause 26(1)]. If data portability is not technically possible, would compromise any data fiduciary’s trade secrets, or is required for state activities, the 2018 Bill does not authorize it [Clause 26(2)]. The 2018 Bill’s [Clause 19] provisions were accepted by the PDPB.

V. Right to be Forgotten

The PDPB adopted the clause in the 2018 Bill but required the data principal to prove to the adjudicating officer that their right to restrict the dissemination of personal data outweighs any other citizen’s right to free expression or the right to receive information [Clause 20(2) proviso]. The Adjudicating Officer’s judgment may also be challenged under PDPB [Clause 20(5)].

4. The GDPR Connection

Similarities

Both the PDP Bill of 2019 and the GDPR work to safeguard people’s privacy and personal data.
Both regulations mandate that data controllers get individuals’ informed consent before collecting and using their personal information.
Both laws provide people the ability to view, update, delete, and transfer their personal data.
These regulations carry severe penalties and fines for infringement of data protection.

2. Differences

Jurisdiction: The PDP Bill, 2019, only applies to Indian data controllers and processors, but the GDPR extends to all data controllers and processors operating inside the European Union.
Data localization: The PDP Bill, 2019, mandates that all personal data be handled and kept solely in India, but the GDPR permits the export of data from the EU under certain circumstances.
Sensitive personal data: While the GDPR protects all personal data equally, the PDP Bill, 2019, offers extra protections for sensitive personal data, such as financial and health information.
Data Protection Authority: While the GDPR already has a supervisory authority in place across the EU, the PDP Bill, 2019, proposes the creation of a Data Protection Authority to supervise and enforce data privacy laws in India.

5. Conclusion

The 2019 Personal Data Protection Bill sought to address the urgent need for privacy and personal data protection for Indian residents in the digital era. The bill included a number of crucial elements, such as the creation of a Data Protection Authority, stringent data protection requirements, personal freedoms, and harsh penalties for data protection infractions. Although the bill has undergone several updates and modifications, it continues to be an essential piece of legislation for safeguarding personal information in India. The PDP Bill, 2019, is a significant step in the right direction toward reaching this aim of establishing an effective data security framework and fostering confidence in digital technologies.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.

Cookie	Duration	Description
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.

Draft Personal Data Protection Bill, 2019

Checkout Other Whitepapers

PRIVACY COMPLIANCE CHALLENGES FOR GENERATIVE AI PLATFORMS

DIGITAL PERSONAL DATA PROTECTION ACT 2023

GENERATIVE AI AND DATA PRIVACY:NAVIGATING THE INTERSECTION

The EU Artificial Intelligence Act

Privacy Terms & Conditions

About Tsaaro

Resources

Other Links

Tsaaro Netherlands Office

Tsaaro India Office

Tsaaro Noida Office

Tsaaro Bangalore Office

Tsaaro Mumbai Office

We’d love to help your organization achieve your Data Protection goals!