The Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019, a significant departure from the draft prepared by the Srikrishna Committee, must be sent to the Standing Committee on IT and released for public comments” Pradeep S Mehta, CUTS International

New Delhi, December 10, 2019

The much-awaited revised version of the Personal Data Protection Bill 2019 of India (Bill) was circulated to the members of Parliament earlier today. The Bill is expected to be tabled in the Parliament in the ongoing winter session itself. The Bill differs in several aspects from the draft prepared by Justice BN Srikrishna Committee in 2018.

One of the differences has been dilution of the mandate of data localisation (DL) to the exception of sensitive personal data and critical personal data. In other words, mirror copies of personal data (which is neither sensitive nor critical) need not be stored in India. The move comes after many civil society organisations and other stakeholders voiced their views against strict DL.

Evidence based research and advocacy by CUTS International, from consumers’ and digital exports’ perspective, contributed to the dissent against strict DL.“We highlighted that unreasonable restrictions on cross border data flow could have adversely impacted consumer welfare and exports of digital services from India, and are happy that the provisions have been diluted”, noted Pradeep S Mehta, Secretary General, CUTS International.

Several new provisions have been incorporated in the Bill. For instance, the definition of personal data has been expanded to include online and offline data about a natural person, “or any combination of such features with any other information”, and to include any “inference drawn from such data for the purpose of profiling”. However, “passwords” have been removed from the list of sensitive personal data.

CUTS International had undertaken a study involving in-depth interactions with 2400 respondents on the issue of comfort in data sharing by respondents. It was found that different users perceive different information/ data differently and thus it was important to consider users’ perspectives while defining personal data and sensitive personal data. “It is unfortunate that passwords have been removed from the list of sensitive personal data, while expansion of the definition of personal data is a welcome move”, noted Mehta.

The Bill provides that the government can exempt any government agency from its provisions for national security, integrity & sovereignty, public order, friendly relations with foreign states, and for preventing any cognizable offence. It also provides for suspension of certain rights of users if personal data is processed for law enforcement, judicial reasons, journalism, and for personal reasons. Adequate checks and balances, including judicial oversight, are required to ensure that exceptions do not become a rule.

The Bill also empowers the government to direct any data fiduciary or processor to be provided anonymized personal data or other non-personal data “to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government”. There was no need to include non-personal data under the Bill. It is all together a different issue, and is currently being reviewed by an expert committee. The Bill should have refrained from commenting on non-personal data.

According to the Bill, data fiduciaries may have to get their privacy-by-design policies certified by the Data Protection Authority. It introduces the concept of consent manager; which users can use to give or withdraw consent to the data fiduciary. The Bill also provides for creation of sandbox for innovation in artificial intelligence, machine learning by the impending Data Protection Authority. It has also expanded right to correction to include right to erasure, once the data is no longer necessary for the purpose for which it was processed. These are forward looking provisions, but it needs to be ensured that stakeholders, including data fiduciaries, do not need to incur unreasonable costs, and are not unreasonably burdened. A Regulatory Impact Assessment, comprising cost-benefit analysis of different provisions of the Bill is necessary.

Social media intermediaries, classified as significant data fiduciaries, will now have to give account verification options to willing users, and such users will be given a visible mark of verification (such as, blue ticks on Twitter and Facebook).

The Bill also provides that the composition of the selection committee for recommendation of members of the Data Protection Authority will have government officials, instead of members of the judiciary, as envisaged in the previous version “This is unfortunate, given the need to ensure independence of the Data Protection Authority. The Bill, unfortunately, opens up the possibility of sinecures for retired bureaucrats, which is not a good sign”, expressed Mehta.

Pradeep S Mehta, Secretary General, CUTS International noted ‘diluting data localisation is welcome, however, many new provisions pertaining to social media intermediaries, non-personal data and government being given exceptions for data processing require scrutiny from the lens of privacy implications, and impact on relevant stakeholders. The government should not rush into passing the bill, or hush stakeholder voices.’

He even suggested that the Bill should be sent to the Parliamentary Standing Committee on Information Technology for further deliberation, and adequate time be given for inclusive public consultations on these issues, among others.

For more information, please contact:

Vijay Singh,

Sidharth Narayan,