ETtech Opinion | A holistic approach to personal data protection – The Economic Times

Synopsis: The Parliamentary panel’s recommendations on the Data Protection Bill 2021 also support the growth of an innovation and data-driven digital economy.

Currently, a debate is raging in India over some recommendations of the Joint Committee of Parliament on the Personal Data Protection Bill. After detailed deliberations, the Committee has made several very important recommendations, which need to be understood in the broader context of personal data protection and the need to support the growth of a robust innovation and data-driven digital economy in India.

The Committee has proposed to include a new clause in the Bill to bring the handling of non-personal data within its ambit. Consequently, the name of the Bill has been changed to Data Protection Bill. This has been done with a view to taking a holistic approach towards the processing of data, both personal and non-personal: with the advent of advanced technologies like artificial intelligence and sophisticated data analytics, it may not be too difficult in future to relate anonymised personal data (a form of non-personal data) to individuals. However, the revised Bill only contains a provision for formulating rules regarding non-personal data at a later stage. Currently, it does not have any substantive provisions in this regard.

A key provision in the Bill to allow certain exemptions to the government data fiduciaries has generated a lot of discussion. The exemptions under section 35 of the Bill need to be on a case-by-case basis and only on the grounds of sovereignty and integrity of India, security, etc., which are within the ambit of reasonable restrictions under Article 19(2) of the Constitution. Further, the reasons for exemptions have to be just, fair, reasonable and proportionate, as per the norms laid down by the Supreme Court in its 2017 privacy judgement in the Puttaswamy case. The exemptions under section 12 are narrower and more specific, for facilitating better delivery of government services, disaster management, dealing with epidemics and medical emergencies, etc. It may be noted that the government entities are not exempted from their obligations as data fiduciaries or from complying with the rights of data principals in general. There are adequate safeguards in the Bill to prevent any misuse of such exemptions, including oversight by the Data Protection Authority.

Another recommendation of the Committee that has generated much debate relates to making the social media platforms liable for the content hosted on their platforms from unverified accounts and making verification of accounts mandatory. However, this is only for those platforms that do not act as intermediaries eligible for safe harbour as per section 79 of the Information Technology Act, 2000. This is only a recommendation that needs to be examined by the government later and is not part of the revised Bill.

Concerns have also been raised over the compliance burden of the Bill on start-ups and its impact on innovation. To address this concern, the Bill places much greater emphasis on compliance by the significant data fiduciaries, with additional obligations such as periodic audits, appointment of data protection officers, etc. Start-ups and small businesses do not need to comply with these additional obligations as they would not be classified as significant data fiduciaries. The Bill also provides for the creation of a sandbox for encouraging innovation. Processing of personal data of foreign nationals is also exempted under the Bill.

Another key concern has been raised with regard to the provisions for data localisation. Section 33 of the Bill makes it clear that sensitive personal data shall continue to be stored in India, while section 34 allows its transfer outside India under certain conditions. The EU GDPR places similar conditions on data transfer to only those countries which fulfil the ‘data adequacy’ norms. These provisions in the Bill will make it easier for Indian entities to attract more outsourcing business from abroad as India would fulfil these norms. Storage of sensitive personal data within India would support the growth of hyperscale data centres and an innovative data-driven economy in India.

Concerns have also been raised over another recommendation relating to norms for testing the integrity of hardware and software on devices. This has been done with a view to preventing any unauthorised data breaches through insertion of any untrusted hardware. This provision has been added within the scope of functions of the DPA under section 49 and can be implemented only after the DPA formulates an appropriate code of practice in consultation with the relevant stakeholders.

The concept of privacy has evolved from the Aristotelian concept of idios, meaning the “private”, in ancient times to its modern-age focus on informational privacy. The Data Protection Bill 2021 provides a holistic framework for addressing informational privacy that will also help greatly in the growth of a robust digital economy in India.

The author is Additional Secretary, Ministry of Electronics and IT. Views are personal
(Disclaimer: The opinions expressed in this column are that of the writer. The facts and opinions expressed here do not reflect the views of
