Loopholes of the Personal Data Protection Bill, 2019
Narrow definition and prohibition on processing of anonymous data but exception
provided to the central government by Clause 91 where it can collect and use
such data without any mechanism in place to regulate such use.
As per Clause 11, taking consent before processing data is mandatory but too
many exceptions have been provided to it which ends up diluting the provision's
Detailed regulation needed for enforcing Clause 18:
Although in the subclauses to Clause 18 it lays down the procedure on how the
data principal will be able to perform the necessary tasks, it will still
require a detailed regulation.
Notifying principal regarding data erasure:
Clause 9 of the 2019 Data Protection Bill provides for the deletion of data by
the data fiduciary, but it does not provide any system for notifying the data
principal regarding the same.
Right of erasure:
The 2018 Draft Bill camouflaged the full exercise of the right by stating that
the data principal shall have the right to restrict or prevent continuing
disclosure of personal data¯, which was clearly ambiguous in nature. Clause 20
of the proposed Bill does not shift much from the abovementioned words, thereby
retaining the earlier criticised provision. The proviso to the clause states
that no order shall be made under this sub-clause unless it is shown by the data
principal that his right or interest in preventing or restricting the continued
disclosure of his personal data overrides the right to freedom of speech and
expression and the right to information of any other citizen.¯
Discretion of the adjudicating officer in data principal's rights:
the enforcement of the data principal's right to restrict or prevent continuing
disclosure of personal data¯ vests upon the discretion of the adjudicating
officer. In this context, not only does the GDPR provide clarity regarding
erasure of personal data, it provides for a wider set of provisions to obligate
the data controller in the erasure of the data. Therefore, this proves to be
another provision which lacks clarity as to the rights of the data principal.
Reporting of Personal Data Breach:
The Draft Bill, presented a bizarre provision wherein it provided that in case
of breach of personal data, neither the data fiduciary nor the data protection
authority shall have any obligation or any requirement to inform the data
principal about the breach and this has not been changed by the 2019 Data
Data more prone to leaks:
The data protection authority has the right to publish a breach on their website
but retains the right to inform the data principal on its own accords, thereby
exposing the data principal to a large number of leaks of his personal data and
thereby its misuse
Mechanism for prevention of data breach:
The 2019 Data Protection Bill also fails to provide for a system capable of
countering such breach of data in a well-equipped manner. The mechanism is
merely a notification of such breach to the necessary websites and other
The GDPR, under Article 34 provides for a stricter regime where the authority,
upon considering the likelihood of such breach shall notify to the data subject
and it is surprising that the PDPB does not follow the GDPR regime despite being
based on it.
Data Localisation and Cross-Border Transfer of Data:
For data transfer, the 2019 Bill states that only sensitive personal data¯ and
critical personal data¯ may be transferred outside India for processing and a
requirement to store the sensitive personal data in India has been inserted. The
proposed 2019 Bill neither provides for a robust enforcement mechanism for such
cross-border data transfer nor does it come up with the incorporation of higher
standards of data storage in the country. On the other hand, the GDPR has
presented itself with a much better holistic approach in this regard.
Ambiguous definition of adequate¯ under Clause 34:
India's data protection regime has merely mentioned under Clause 34(1)(b) that
the Central Government, after consultation with the authority, has allowed the
transfer to a country or, such entity or class of entity in a country or, an
international organisation on the basis of its finding that: (i) such sensitive
personal data shall be subject to an adequate level of protection, having regard
to the applicable laws and international agreements;¯, wherein the meaning of
adequate level of protection¯ demands clarification.
Inadequate protection against government:
The bill does not protect individuals against the Indian government as
effectively. It stipulates that critical¯ or sensitive¯ personal data, related
to information such as religion, or to matters of national security, must be
accessible to the government if needed to protect national interest. Such
open-ended access could lead to misuse, as also noted by B N Srikrishna, one of
the persons who chaired the committee that drafted the original bill.
Data Protection Authority:
Chapter IX of the bill that outlines the establishment of a Data Protection
Authority (DPA), is problematic too. It will be led by a chairperson and six
committee members, appointed by the central government on the recommendation of
a selection committee. But this committee will be composed of senior civil
servants, including the Cabinet Secretary, raising questions about the board's
independence. The government's power to appoint and remove members at its
discretion also stokes fears about its ability to influence this ostensibly
independent agency. Unlike similar institutions, such as the RBI or SEBI, the
DPA will not have an independent expert or member of the judiciary on its
Limited powers of DPA in comparison with the Central Government:
The powers and functions that were originally intended to be performed by the
Authority have now been allocated to the Central Government. For example: (i) In
the 2018 Bill, the Authority had the power to notify further categories of
sensitive personal data. Under the present Bill, the Central Government in
consultation with the sectoral regulators has been conferred the power to do so.
(ii) Under the 2018 Bill, the Authority had the sole power to determine and
notify significant data fiduciaries, however, under the present Bill, the
Central Government has in consultation with the Authority been given the power
to notify social media intermediaries as significant data fiduciaries.
Power to expropriate intellectual property by CG:
The PDP Bill provides for the government-mandated sharing of privately collected
and developed non-personal data. Section 91(2) of the Bill states that the
Government may direct any data fiduciary or data processor to provide any
personal data anonymised or other non-personal data to enable better targeting
of delivery of services or formulation of evidence-based policies by the Central
Government. This provision does not indicate the manner in which the Government
will use such data and does not specify whether businesses mandated to share
such data will be compensated.
Exemptions for small businesses:
The PDP Bill allow exemptions for small businesses that look after customers'
personal information manually. Under the Bill proposed by the Expert Committee,
such businesses needed to meet three conditions, based on annual turnover;
whether they shared personal data; and how much personal data they processed.
But under the PDP Bill, the new Data Protection Authority decides which small
businesses qualify for exemption and the Bill does not prescribe any
qualification to be eligible for the exemption.
Possible harassment of whistleblowers- As per Section 14 of the PDP Bill, the
Government can process personal data without consent for some reasonable
purposes¯ which include whistleblowing. The section further empowers the
Government to determine by way of regulation as to whether the requirement of
notice to data principal is required or not. This could result in systematic
harassment of whistleblowers who may expose scams or irregularities.
Law Article in India
You May Like
Legal Question & Answers