Personal Data Protection Bill: Issues and the Debate around it

Please Share with maximum friends to support the Initiative.

Context: Cleared by the Cabinet, the Personal Data Protection Bill is due to be placed in Parliament. How does it propose to protect personal data, how is it different from the previous draft, and why is it a subject of debate?

Prelims: Current events of national and international importance.
Mains: GS III- 

  • Science and technology- developments and their applications and effects in everyday life.
  • Awareness in the fields of IT, Space, Computers, robotics, nanotechnology, biotechnology and issues relating to intellectual property rights.
  • Challenges to internal security through communication networks, the role of media and social networking sites in internal security challenges, basics of cybersecurity; money-laundering and its prevention.


Global negotiations today revolve around debates about the transfer of data. India’s first attempt to domestically legislate on the topic, the Personal Data Protection (PDP) Bill, 2019, has been approved by the Cabinet and is slated to be placed in Parliament this winter session.


Why does the user data matter?

  • Data is any collection of information that is stored in a way so computers can easily read them.
  • Data usually refers to information about messages, social media posts, online transactions, and browser searches.
  • The individual whose data is being stored and processed is called the data principal in the PDP Bill.
  • This large collection of information about individuals and their online habits has become an important source of profits.
  • It is also a potential avenue for the invasion of privacy because it can reveal extremely personal aspects.
  • Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to individuals online.
  • It helps them to understand the audience better, and thus the companies get the desired profits. 
  • It is now clear that much of the future’s economy and law enforcement will be predicated on the regulation of data, introducing issues of national sovereignty.

Who handles our data, and how?

  • Data is stored in a physical space similar to a file cabinet of documents.
  • This transported across country borders in underwater cables that run as deep as Mount Everest and as long as four times the Indian Ocean.
  • To be considered useful, data has to be processed, which means analyzed by computers.
  • Data is collected and handled by entities called data fiduciaries.
  • While the fiduciary controls how and why data is processed, the processing itself maybe by a third party, the data processor.
  • This distinction is important to delineate responsibility as data moves from entity to entity.
    • For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor- Cambridge Analytica.
  • The physical attributes of data- where data is stored, where it is sent, where it is turned into something useful- are called data flows.
  • Data localization arguments are premised on the idea that data flows determine who has access to the data, who profit off it, who taxes and who “owns” it.
  • However, many contend that the physical location of the data is not relevant in the cyber world.

How does the PDP Bill propose to regulate data transfer?

To legislate on the topic, the Bill trifurcates personal data.

  • The umbrella group is all personal data- data from which an individual can be identified.
  • Some types of personal data are considered sensitive personal data (SPD).
    • The Bill defines SPD as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
  • Another subset is critical personal data.
    • The government at any time can deem something critical and has given examples as military or national security data.

In the Bill approved by the Cabinet, there are three significant changes from the version drafted by a committee headed by the Justice BN Srikrishna Committee.

  1. The draft had said all fiduciaries must store a copy of all personal data in India.
    • The provision was criticized by foreign technology companies that store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash.
    • The approved bill removes this stipulation, only requiring individual consent for data transfer abroad.
    • Similar to the draft, however, the Bill still requires sensitive personal data to be stored only in India.
    • It can be processed abroad only under certain conditions including the approval of a Data Protection Agency (DPA).
    • The final category of critical personal data must be stored and processed in India.
  2. The Bill mandates fiduciaries to give the government any non-personal data when demanded.
    • Non-personal data refers to anonymized data, such as traffic patterns or demographic data.
    • The previous draft did not apply to this type of data, which many companies use to fund their business model.
  3. The Bill requires social media companies, which are deemed significant data fiduciaries based on factors like volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism.
    1. While the process can be voluntary for users and can be completely designed by the company, it will decrease the anonymity of users and “prevent trolling”.

What are its other key features?

  1. The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including:
    1. the security of the state,
    2. detection of any unlawful activity or fraud,
    3. whistleblowing,
    4. medical emergencies,
    5. credit scoring,
    6. operation of search engines and
    7. processing of publicly available data.
  2. The Bill calls for the creation of an independent regulator DPA, which will oversee assessments and audits and definition making.
    • Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
  3. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data.
  4. Finally, it legislates the right to be forgotten.
    • With historical roots in European Union law, this right allows an individual to remove consent for data collection and disclosure.

What are the two sides of the debate?

For data localization:

  • A common argument from government officials has been that data localization will help law-enforcement access data for investigations and enforcement.
  • As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”- a process that almost all stakeholders agree is cumbersome.
  • In addition, proponents highlight security against foreign attacks and surveillance, harkening notions of data sovereignty.
  • The government doubled down on this argument after news broke that 121 Indian citizens’ WhatsApp accounts were hacked by an Israeli software called Pegasus.
  • The argument was also used prominently against WhatsApp when a spate of lynchings across the country linked to rumors that spread on the platform in the summer of 2018.
  • WhatsApp’s firm stance on encrypted content has frustrated government officials around the world.
  • Many domestic-born technology companies, which store most of their data exclusively in India, support localization.
    • PayTM has consistently supported localization (without mirroring) 
    • Reliance Jio has strongly argued that data regulation for privacy and security will have little teeth without localization, calling upon models in China and Russia.
    • Many economy stakeholders say localization will also increase the ability of the Indian government to tax Internet giants.

Against the Bill:

  • Civil society groups have criticized the open-ended exceptions given to the government in the Bill, allowing for surveillance.
    • Even as it rightly requires handlers of data to abide by globally-accepted rules about getting an individual’s consent first, it disappointingly gives wide powers to the Government to dilute any of these provisions for its agencies. 
  • Moreover, some lawyers contend that security and government access are not achieved by localization.
    • Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
  • Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have slung heavy backlash.
  • Many are concerned with a fractured Internet (or a “splinternet”), where the domino effect of the protectionist policy will lead to other countries following suit.
    • Much of this sentiment harkens to the values of a globalized, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
    • Opponents say protectionism may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India, such as Tata Consulting Services and Wipro.

Please Share with maximum friends to support the Initiative.

Enquire now

Give us a call or fill in the form below and we will contact you. We endeavor to answer all inquiries within 24 hours on business days.