Decoding India’s Personal Data Protection Bill, 2019

Data Protection

The Personal Data Protection Bill 2019, which represents a positive step towards realizing data protection and privacy law for Indians was tabled in the Parliament on December 11th, 2019. It encompasses various principles like the right to erasure, protocols regarding the collection limitation and retention of data, although with broader exemptions to government data. 

The following is an overview of some of the key powers and obligations of the Central Government under the new bill:

1.    Grounds for processing personal data without consent: This bill stays away from the principle of necessary consent and lays down the grounds where personal data can be processed without the consent of the ‘data principal’  if such processing is necessary for the performance of any function of the State authorized by law. This includes the provision of any service or benefit, issuance of permits and licenses to the data principal. 

2.    Right to Data Portability:  The state has been exempted from the requirement to convert automated data into structured, commonly used, machine-readable format where the processing is necessary for functions of the State or in compliance to the law.

3.    Conditions for transfer of sensitive personal data and critical personal data:  Cross-border transfer of sensitive personal data is possible when the central government has allowed the transfer to a country or an international organization if they deem fit under the conditions laid down in Sec.34(b)(i)- 34(b)(ii)

4.    Power of central government to exempt any agency of government from the application of the Act:  The central government has the power to exempt “any” government agency from all or any provisions of the Act regarding the processing of specified personal data. The government can also take such steps if it is in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states and public order. In addition to this, the exemption can also be granted on the grounds of preventing incitement to commit any cognizable offence relating to the sovereignty and integrity of India, friendly relations with foreign states and public order.

5.    Exemption of certain provisions for certain processing of personal data:  This bill exempts the central government from the application of certain provisions of the bill for processing of personal data in the interest of prevention, detection, investigation and prosecution of any offence or any other contravention of any law for the time being in force.

6.    Power of central government to exempt certain data processors:  The central government also has the powers to exempt data processors from applying this act to process the personal data of data principals, not within the territory of India.

7.    Power of central government to issue directions:  The central government may issue directions to the authority in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order and the decision of the central government whether a question of policy or not shall be final.

8.    Act to promote framing of policies for digital economy: Under the bill, the central government can frame a policy for the digital economy, insofar as such policy does not govern personal data and can also direct any data fiduciary and data processor to provide any personal, anonymised data or other non-personal data for evidence-based policy formulation. 

Several other provisions relating to notifying categories which shall be termed as sensitive personal data, social media intermediaries, localization, the formation of the Data Protection Authority and rights and powers of the DPA have also been introduced as part of the bill, granting wide-ranging powers to the central government under the Act.