Government Withdraws Data Protection Bill, 2021

Context

The government has withdrawn the Personal Data Protection Bill from Parliament as it looks to come up with a “comprehensive legal framework” for regulating online space including separate legislation.

What is Personal Data?

• Data can be broadly classified into two types: personal and non-personal data.
• Personal data pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
• Non-personal data includes aggregated data through which individuals cannot be identified.
• For example, while an individual’s own location would constitute personal data; information derived from multiple drivers’ location, which is often used to analyse traffic flow, is non-personal data.

What is Data Protection?

• Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by collection and usage of their personal data.
  
  

Why was a bill brought for Personal Data Protection?

• In August 2017, the Supreme Court had held that Privacy is a fundamental right under Article 21 of the Constitution.
• The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy.
• In July 2017, a Committee of Experts, chaired by Justice BN Srikrishna, was set up to examine various issues related to data protection in India.
• The committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018.

Personal Data Protection Bill Features

• The Bill seeks to provide for the protection of personal data of individuals.
• The Bill governs the processing of personal data by-
• Government
• Companies incorporated in India
• Foreign companies dealing with personal data of individuals in India
• Obligations of data fiduciary: Personal data can be processed only for a specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as:
• Implementing security safeguards (such as data encryption and preventing misuse of data).
• Instituting Grievance Redressal Mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
• Rights of the individual: Seek correction of inaccurate, incomplete, or out-of-date personal data.
• Have personal data transferred to any other data fiduciary in certain circumstances.
• Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
• Grounds for processing personal data: The Bill allows the processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include-
• If required by the State for providing benefits to the individual
• Legal proceedings
• To respond to a medical emergency

How is personal data regulated currently?

• Currently, the usage and transfer of personal data of citizens is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000.
• The rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data.