The Joint Parliamentary Committee on the Personal Data Protection Bill submitted its report on November 22. The committee, which had been deliberating on the Bill since it was introduced in Parliament in 2019, has made several recommendations for modifying the draft. However, it steered clear of the main sticky points such as government access to private data, leading to dissent notes from panel members from the Opposition.

2017 judgment of the Supreme Court in the Puttaswamy vs.Union of India case that recognised privacy as a fundamental right protected by the Constitution.

Why is there a need for a data protection Bill?

India has nearly 800 million internet users and is the biggest market for many Big Tech firms, including Google, Meta (formerly Facebook) and WhatsApp. The country’s laws have, however, not been able to catch up with massive strides in technology and its umbrella Information Technology Act, 2000 does not even contain the words internet or smartphone. Data protection, ensuring individual privacy and clearly spelling out the state’s surveillance powers are sorely needed, and the Bill’s finalisation is a big step in that direction.

Name of the bill changed

It was earlier called the Personal Data Protection Bill, 2019, but as it will now contain provisions on non-personal data, the JCP has recommended a name change. It will be called the Data Protection Bill, 2021 and, once passed, the Data Protection Act, 2021.

What is non-personal data?

Any data that has not been defined as personal is considered non-personal data. It can be an anonymous, de-personalised data set held by the government, a not-for-profit or a large corporation – for instance, a data set by Google on how many people take a particular form of public transport on a given route at a specific time each day, or how many people in a locality order what kind of food during the weekends. These are data sets that are stripped of personal identifiers.

what this bill says

The committee has retained Section 35 of the Bill. It gives the Government the right to authorise any of its agencies to circumvent the provisions of the law if it finds it necessary to do so under “public order”, “sovereignty”, “friendly relations with foreign states” and “security of the state”.

The JPC also leaves untouched the state’s ability to process personal data without consent, as allowed under Section 12.

The JPC has also left mostly untouched the draft Bill’s provisions for data localisation. The Bill requires a copy of any user data generated in India to be kept in the country, which critics say is unnecessary and may facilitate surveillance.

The JPC has suggested that any social media that is not an intermediary be treated as a publisher. Under India’s Information Technology Act, an intermediary is a website or service that only receives, stores, and transmits information online, without any sort of selection or curation of the content. Such intermediaries enjoy “safe harbour” protection from being held liable for the content that they are hosting or transmitting. A publisher, however, is legally liable for the content that it is hosting.

JCP want certain kinds of data to be brought back to India?

The committee has said that India should no longer leave its data to be governed by any other country since national security is of paramount importance. It has asked the government to ensure that a mirror copy of sensitive and critical personal data, which may be already stored by foreign entities outside the country, should mandatorily be brought back within a specified time frame. It has also asked for data localization provisions to be followed “in letter and spirit” and sought a gradual move towards data localisation.

Important Terms Explained

Data- Data is any collection of information that is stored in such a way that computers can easily read them. Data usually refers to information about an individual’s messages, social media posts, online transactions, and browser searches.

Data Processing– The analysis of data to collect patterns, turning raw data into useful information.

Data Fiduciary (very important term) – The entity that collects and/or processes a data principal’s data.

Data Processor– The entity that a fiduciary might give the data for processing, a third-party entity.

Personal Data – It is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.

Sensitive Personal Data – Data related to finances, health, official identifiers, sex life, sexual orientation, biometric, genetics, transgender status, intersex status

The Personal Data Protection Bill, 2019 is an important current affairs topic for the UPSC exam. It is a part of the Governance section of the General Studies Paper-II and also can be a part of the Security segment of the General Studies Paper III. In this article, you can read all about the Personal Data Protection Bill, 2019 and related privacy issues for the UPSC exam.