Explained: What is the Personal Data Protection Bill; why the dissent notes

The bill was introduced by Prasad in the Parliament, and the JPC was set up to deliberate on the bill, give their recommendations and submit their report to the Parliament.

The bill sets up the regulatory framework necessary to protect the personal data of individuals in India. It sets up three different categories of data -- personal data, sensitive personal data, and critical personal data. Each category of data carries with it separate obligations and regulatory requirements. Indian companies as well as foreign companies dealing with data of Indian citizens will have to comply with the Act.

The bill gives each individual certain rights regarding their data. These rights include seeking confirmation from companies about whether their data has been processed by a certain company, the right to make changes to data collected for correction purposes, and the right to not have their data stored by data fiduciaries, organisations that store and process data, after the withdrawal of consent.

Additionally, the bill seeks to set up the Data Protection Authority, a regulatory body that will ensure compliance with the bill as well as prevent misuse of personal data and act as a tribunal for matters regarding the bill.

Penalties have been set at Rs 15 crore or 4 percent of the annual turnover of the data fiduciary in cases of processing or transferring personal data in violation of the provisions, or five crore or 2 percent of the annual turnover of the fiduciary if the company fails to conduct a data audit.

The Centre has granted itself wide-ranging power to exempt itself, and its agencies, from complying with the provisions of the bill. The government also has the power to demand non-personal data and anonymised personal data from data fiduciaries for the benefit of various government services.

In the JPC report, Congress MPs Jairam Ramesh and Manish Tewari added their dissent notes pertaining to the wide-ranging exemptions granted to the government from complying with the bill in the name of public interest.

“Section 35 gives unbridled powers to the Centre to exempt any government agency from compliance,” they said, adding that they had proposed an amendment to seek parliamentary sanction before exempting government entities.

The bill comes on the heels of similar legislation being introduced in other countries that seek to enshrine the right to privacy of citizens in a digital age where companies seek to track every parcel of information of citizens for their own gain. The California Consumer Privacy Act and the General Data Protection Regulation were two of the major pieces of legislation, introduced in California and the European Union that gave citizens the power over their own data.

But while the PDP Bill 2019 hopes to emulate similar levels of success, the exemptions and the power of the government to look through the data has drawn flak from privacy activists.