Ravi Shankar Prasad, IT Minister.
The Personal Data Protection Bill listed to be introduced in Lok Sabha on Wednesday has allowed transfer of certain types of personal data overseas, but has given broad powers to government agencies to collect personal and sensitive data of citizens.
An earlier draft Bill prepared by the Justice BN Srikrishna committee had provided exemptions to the government for collecting such data for security, criminal investigations and crime prevention. It had, however, stipulated that these exceptions be authorised by a separate law and data collected only if it was “necessary for, and proportionate to” the government’s interests.
Commonly referred to as the “privacy bill”, it is intended to protect individual rights by regulating the collection, movement, and processing of data that is personal, or which can identify the individual. The processing of such personal data includes data shared with other entities which collect and process it.
The Bill, likely be tabled in Parliament Wednesday, does not include any of these limitations on the exemptions to government agencies from the law. Instead, it states the Centre can allow any agency to process such personal data so long it is “satisfied that it is necessary or expedient” for purposes such as “preventing incitement to the commission of any cognizable offence.”
Explained | The issues, debate around Data Protection Bill
In another significant departure from the draft Bill prepared by the Srikrishna committee, the Bill allows personal data to be stored and processed abroad, without requiring a mirror of the data in India. Sensitive personal data - related to financial, health, sexual orientation, biometric, genetic, transgender status, caste and religious belief - must be stored only in India and can be processed abroad under certain conditions, including the Data Protection Authority’s approval.
The Bill excludes “Aadhaar number” in the definition of “official identifier.” The “official identifier” is included under the category of “sensitive personal data” that has certain protections, like it cannot be stored abroad. “Passwords” was also removed from the list of sensitive personal data.
The Bill also makes way for government-led technological solutions. One example is the power given to the Central Government to direct any entity to provide “non-personal” or anonymised data “to enable better targeting of delivery of services or formulation of evidence-based policies.” Another example is the rights given to the DPA to create a Sandbox, a technical environment created for software experimentation. It often uses individuals’ data for the purposes of testing a product before launch.
It also requires companies and social media intermediaries which are “significant data fiduciaries” - based on factors such as volume and sensitivity of data handled as well as their turnover - to enable users in India to “voluntarily verify their accounts” resulting in a “demonstrable and visible mark of verification, which shall be visible to all users of the service.”
The government has also sought to make a subtle change in the positioning of this Bill. To the introductory paragraph on the Srikrishna draft, “Whereas it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation,” it has now added, “through digital governance and inclusion.”