Withdrawal of Personal Data Protection Bill

Context: After nearly four years of being in the works, the Personal Data Protection Bill was withdrawn from Parliament by the government, after stating that the government will come out with a “set of fresh legislations” that will fit into the comprehensive legal framework for the digital economy.

Genesis of the Bill 

• The genesis of this Bill lies in the report prepared by a Committee of Experts headed by Justice B.N. Srikrishna.
• The committee was constituted by the government in the course of hearings before the Supreme Court in the right to privacy case (Justice K.S. Puttaswamy v. Union of India).

Personal Data Protection Bill, 2019 proposed

• The withdrawn Bill had proposed restrictions on the use of personal data without the explicit consent of citizens.
• It had also sought to provide the government with powers to give exemptions to its probe agencies from the provisions of the Act, a move that was strongly opposed by the opposition MPs who had filed their dissent notes.
• Also proposed to specify the flow and usage of personal data, protect the rights of individuals whose personal data are processed, as it works out the framework for the cross-border transfer, accountability of entities processing data, and moots remedies for unauthorised and harmful processing.
• The Bill sets out certain rights of the individual (or data principal). These include the right to:
  • Obtain confirmation from the fiduciary on whether their personal data has been processed
  • Seek correction of inaccurate, incomplete, or out-of-date personal data
  • Have personal data transferred to any other data fiduciary in certain circumstance
  • Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.

The original Bill, which was first tabled in 2019, included exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistle-blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.

Contentious Section 35 & Article 12(a)

• According to Article 35, the central government could exempt any government agency from the law’s provisions “in the interest of India’s sovereignty and integrity, the state’s security, friendly relations with foreign states, public order, and if it is satisfied that it is necessary or expedient to do so, subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government.”
• Article 12(a), meanwhile, eliminated the need for the data principal’s informed consent for the processing of their data when it is required “for the performance of any function of the state authorised by law for I the provision of any service or benefit to the data principal from the state; or (ii) the issuance of any certification, licence, or permit by the state for any action or activity of the data principal by the state.”

Conclusion

Members of the erstwhile Joint Committee on Personal Data Protection Bill as well as industry leaders have welcomed the government’s move to withdraw the legislation, saying it was better to bring a new legislation after more than 80 amendments suggested by the panel.

Source: News 18