The Personal Data Protection Bill, 2019, which seeks to regulate the use of
individual data by the government and private companies has been referred to a
joint Parliament committee. The proposed law, as cleared by the Union cabinet,
allows the government to access personal data. The provision has attracted much
controversy, for being in sharp contrast to what was proposed by an expert group
headed by former Supreme Court Judge B.N. Srikrishna in its first draft in July
2018. Currently, there are no laws on the use of personal data and preventing
its misuse. The Bill is that the first legislation that focuses on privacy of
citizens, and will potentially end in significant overhaul of digital businesses
The Puttaswamy judgment and therefore the colloquy round the data protection in
India ascended with the context of Aadhar, where the State was seen because the
chief privacy violator. The Personal Data Protection Bill has been taken as an
opportunity to correct that. This bill tries to protect the privacy of
individual's data, regulate the processing of sensitive
personal data and establish a Data Protection Authority of India (DPAI) for
The bill has faced a lot of criticism from the experts over the country. Few of
which have been discussed below.
Section 35 Of Bill
Section 35 empowers the central government to exempt any government agency from
the provisions of the Act for purposes of public order, national security, etc.
It is argued by the critics of the bill that it grants government agencies too
much power with respect to processing citizens' personal data.
However, any misuse of Section 35 would still be subjected to the legal
protections given in the Justice Puttaswamy case verdict delivered by a nine
judge bench of the Supreme Court, which includes tests for what is "necessary
Some definitions too broad under the bill: Another concern raised is that a
number of terms in Section 35, such as security of the State and public order, are very vague and has not been defined elaborately.
The term Public order
has been used several times in several bills
which finally became law. It has also been used in Section 144 of CrPC where the
state has been given the authority to do the needful to maintain public order.
The State must be a model actor given the asymmetry of power between State and
citizen. The data that is collected by private companies such as Facebook, it
shall be of more concern than when the State does it, this is because the State
has the power of law behind it and any misuse of such collected data shall be
within judicial scrutiny.
The exemption clause in Section36 of the bill allows exempted agencies to take
any measure to ensure safety of or provide assistance or services to any
individual during any disaster or any breakdown of public order, aside from the
State, it also gives power to an individual to work out what's a public order
situation then without consent process your data or seek your data.
Do you think it's violation of Right to Privacy?
Exercise of right to privacy guaranteed by the Constitution of India is not
absolute, and the government can impose reasonable restrictions as and when the
situation arises in the interest of the community.
It is essential for the Government to impose reasonable restrictions on the
exercise of Right to Privacy of its people, in view of larger public interest of
strengthening the security of the state for various reasons such as to bring
down the level of corruption, to ensure free and fair elections and to ensure
welfare entitlements provided by the government properly reach the deprived
sections of the Society. Article 19(2) of the Constitution of India provides
that restrictions can be imposed on rights guaranteed under Article 19(1)(a), if
there exists a threat to the security of the state.
Several International Conventions as well as legal provisions in other countries
recognize that fundamental rights of the people can be restricted in the
interest of the security of the state.
Lord Denning expressed that the English law must recognize Right to Privacy, and
that the exercise of the same cannot be free from limitations. Thus right to
privacy is an inalienable right and its curtailment is necessary for stability
of the society.
European Convention on Human Rights also recognizes that right to privacy is not
absolute and lays down certain circumstances which include national security,
public safety and the economic well-being of the country, protection of health,
rights and freedoms of others, inter alia under which the right can be
interfered with, by the state.
Even in India it is not the first time that any public data collection law is
being made by state.
The Information Technology Act, 2001 is the legislation which recognizes and
regulates electronic communication, electronic data-interchange and in general,
electronic commerce. Section 69 of the act states that if the controller is
satisfied that it is necessary for the interest of the sovereignty or integrity
of India, the security of the State, friendly relations with foreign States or
public order or for preventing incitement to the commission of any cognizable
offence; the state authority can direct any concerned branch of the government
to seize any information transmitted through any computer resource.
It is obvious from above that the Indian Parliament's approach to privacy
safeguards has been rather relaxed. The bill draft was to be presented to the
joint parliamentary committee in this first week of April. However, this could
not happen amid global pandemic. The draft of the bill is open for suggestions
for everyone and a number of recommendations to bill have been received by
various experts of the field.
For processing of personal data consent of the individual would be required. The
Organizations have to review and update data protection policies, codes to
ensure these are consistent with the revised principles such as update their
internal breach notification procedures, implement appropriate technical and
organisational measures to prevent misuse of data, based on the type of personal
data being processed.
The Significant Data Fiduciary should appoint a Data Protection Officer and he
should be instituting grievance redressal mechanisms to address complaints by
Authentication No: AG30735640816-9-820