Recently, the Personal Data Protection Bill, 2019 was introduced in Parliament. The Bill has been referred to a Joint Parliamentary Committee for detailed examination, and the report is expected by the Budget Session, 2020. The Bill seeks to provide for protection of personal data of individuals, create a framework for processing such personal data, and establishes a Data Protection Authority for the purpose. In this blog, we provide a background to the 2019 Bill, and explain some of its key provisions.
What is personal data and data protection?
Data can be broadly classified into two types: personal and non-personal data. Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. Non-personal data includes aggregated data through which individuals cannot be identified. For example, while an individual’s own location would constitute personal data; information derived from multiple drivers’ location, which is often used to analyse traffic flow, is non-personal data. Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
Why was a Bill brought for personal data protection?
In August 2017, the Supreme Court held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy. In July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to examine various issues related to data protection in India. The Committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018. The Statement of Objects and Reasons of the Personal Data Protection Bill, 2019 states that the Bill is based on the recommendations of the report of the Expert Committee and the suggestions received from various stakeholders.
How is personal data regulated currently?
Currently, the usage and transfer of personal data of citizens is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. The rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data. The Expert Committee in its report, held that while the IT rules were a novel attempt at data protection at the time they were introduced, the pace of development of digital economy has shown its shortcomings.3 For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract. Further, the IT Act applies only to companies, not to the government.
What does the Personal Data Protection Bill provide?
The Bill regulates personal data related to individuals, and the processing, collection and storage of such data. Under the Bill, a data principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as data fiduciary. The Bill governs the processing of personal data by both government and companies incorporated in India. It also governs foreign companies, if they deal with personal data of individuals in India.
Will individuals have rights over their data?
The Bill provides the data principal with certain rights with respect to their personal data. These include seeking confirmation on whether their personal data has been processed, seeking correction, completion or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their personal data, if it is no longer necessary or if consent is withdrawn. Any processing of personal data can be done only on the basis of consent given by data principal.
Are there any restrictions on processing of an individual’s data?
The Bill also provides for certain obligations of data fiduciaries with respect to processing of personal data. Such processing should be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as implementing security safeguards and instituting grievance redressal mechanisms to address complaints of individuals. Certain fiduciaries would be notified as significant data fiduciaries (based on certain criteria such as volume of data processed and turnover of fiduciary). These fiduciaries must undertake additional accountability measures such as conducting a data protection impact assessment before conducting any processing of large scale sensitive personal data (includes financial data, biometric data, caste, religious or political beliefs).
What is the grievance redressal mechanism if the above restrictions are not followed?
To ensure compliance with the provisions of the Bill, and provide for further regulations with respect to processing of personal data of individuals, the Bill sets up a Data Protection Authority. The Authority will be comprised of members with expertise in fields such as data protection and information technology. Any individual, who is not satisfied with the grievance redressal by the data fiduciary can file a complaint to the Authority. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
Are there any exemptions to these safeguards for processing of personal data?
Processing of personal data is exempt from the provisions of the Bill in some cases. For example, the central government can exempt any of its agencies in the interest of security of state, public order, sovereignty and integrity of India, and friendly relations with foreign states. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as prevention, investigation, or prosecution of any offence, or research and journalistic purposes. Further, personal data of individuals can be processed without their consent in certain circumstances such as: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
Is the Bill different from the draft Bill suggested by the Expert Committee?
The Bill has made several changes from the draft Bill. For instance, the Bill has added a new class of significant data fiduciaries, as social media intermediaries. These will include intermediaries (with users above a notified threshold) which enable online interaction between users. Further, the Bill has expanded the scope of exemptions for the government, and additionally provided that the government may direct data fiduciaries to provide it with any non-personal or anonymised data for better targeting of services.
In a follow-up blog, we will provide a detailed comparison of the key provisions of this Bill with the Draft Personal Data Protection Bill 2018, released by the Justice B. N. Srikrishna Committee.
The Uttarakhand Assembly concluded a two-day session on November 30, 2022. The session was scheduled to be held over five days. In this post we look at the legislative business that was carried out in the Assembly, and the state of state legislatures.
13 Bills were introduced and passed within two days
As per the Session Agenda, a total of 19 Bills were listed for introduction in the span of two days. 13 of these were listed to be discussed and passed on the second day. These included the Uttarakhand Protection of Freedom of Religion (Amendment) Bill, 2022, University of Petroleum and Energy Studies (Amendment), Bill, 2022, and the Uttarakhand Anti-Littering and Anti-Spitting (Amendment) Bill, 2022.
The Assembly had proposed to discuss and pass each Bill (barring two) within five minutes (see Figure 1). Two Bills were allocated 20 minutes each for discussion and passing - the Haridwar Universities Bill, 2022, and the Public Service (Horizontal Reservation for Women) Bill, 2022. As per news reports, the Assembly passed all 13 Bills within these two days (this excludes the Appropriation Bills). This raises the question on the amount of scrutiny that these Bills were subject to, and the quality of such laws when the legislature intends to pass them within mere minutes.
Figure 1: Excerpt of Uttarakhand Assembly's November 2022 Session Agenda
Law making requires deliberation, scrutiny
Our law-making institutions have several tools at their disposal to ensure that before a law is passed, it has been examined thoroughly on various aspects such as constitutionality, clarity, financial and technical capacity of the state to implement provisions, among others. The Ministry/Department piloting a Bill could share a draft of the Bill for public feedback (pre-legislative scrutiny). While Bills get introduced, members may raise issues on constitutionality of the proposed law. Once introduced, Bills could be sent to legislative committees for greater scrutiny. This allows legislators to deliberate upon individual provisions in depth, understand if there may be constitutional challenges or other issues with any provision. This also allows experts and affected stakeholders to weigh in on the provisions, highlight issues, and help strengthen the law.
However, when Bills are introduced and passed within mere minutes, it barely gives legislators the time to go through the provisions and mull over implications, issues, or ways to improve the law for affected parties. It also raises the question of what the intention of the legislature is when passing laws in a hurry without any discussion. Often, such poorly thought laws are also challenged in Courts.
For instance, the Uttarakhand Assembly passed the Uttarakhand Freedom of Religion (Amendment) Bill, 2022 in this session (five minutes had been allocated for the discussion and passing of the Bill). The 2022 Bill amends the 2018 Act which prohibits forceful religious conversions, and provides that conversion through allurement or marriage will be unlawful. The Bill has provisions such as requiring an additional notice to be sent to the District Magistrate (DM) for a conversion, and that reconversion to one’s immediate previous religion will not be considered a conversion. Some of these provisions seem similar to other laws that were passed by states and have been struck down by or have been challenged in Courts. For example, the Madhya Pradesh High Court while examining the Madhya Pradesh Freedom of Religion Act, 2021 noted that providing a notice to the DM for a conversion of religion violates the right to privacy as the right includes the right to remain silent. It extends that understanding to the right to decide on one’s faith. The Himachal Pradesh Freedom of Religion Act, 2006 exempted people who reconvert to their original religion from giving a public notice of such conversion. The Himachal Pradesh High Court had struck down this provision as discriminatory and violative of the right to equality. The Court also noted that the right to change one’s belief cannot be taken away for maintaining public order.
Uttarakhand MLAs may not have had an opportunity to think about how issues flagged by Courts may be addressed in a law that regulates religious conversions.
Most other state Assemblies also pass Bills without adequate scrutiny
In 2021 44% states passed Bills on the day it was introduced or on the next day. Between January 2018 and September 2022, the Gujarat Assembly introduced 92 Bills (excluding Appropriation Bills). 91 of these were passed in the same day as their introduction. In the 2022 Monsoon Session, the Goa Assembly passed 28 Bills in the span of two days. This is in addition to discussion and voting on budgetary allocation to various government departments.
Figure 2: Time taken by state legislatures to pass Bills in 2021
Note: The chart above does not include Arunachal Pradesh and Sikkim. A Bill is considered passed within a day if it was passed on the day of introduction or on the next day. For states with bicameral legislatures, bills have to be passed in both Houses. This has been taken into account in the above chart for five states having Legislative Councils, except Bihar (information was not available for Council).
Sources: Assembly websites, E-Gazette of various states and Right to Information requests; PRS.
Occasionally, the time actually spent deliberating upon a Bill is lesser than the allocated time. This may be due to disruptions in the House. The Himachal Pradesh Assembly provides data on the time actually spent discussing Bills. For example, in the August 2022 Session, it spent an average of 12 minutes to discuss and pass 10 Bills. However, the Uttarakhand Assembly allocated only five minutes to discuss each Bill in its November 2022 Session. This indicates the lack of intent of certain state legislatures to improve their functioning.
In the case of Parliament, a significant portion of scrutiny is also carried out by the Department Related Standing Committees, even when Parliament is not in session. In the 14th Lok Sabha (LS), 60% of the Bills introduced were sent to Committees for detailed examination, and in the 15th LS, 71% were sent. These figures have reduced recently – in the 16th LS 27% of the Bills were sent to Committees, and so far in the 17th LS, 13% have been sent. However, across states, sending Bills to Committees for detailed examination is often the exception than the norm. In 2021, less than 10% of the Bills were sent to Committees. None of the Bills passed by the Uttarakhand Assembly had been examined by a committee. States that are an exception here include Kerala which has 14 subject Committees, and Bills are regularly sent to these for examination. However, these Committees are headed by their respective Ministers, which reduces the scope of independent scrutiny that may be undertaken.