The Personal Data Protection Bill, 2019 (“Bill”), when enacted, will be a turning point for data protection and privacy jurisprudence in India. According to the Justice B.N. Srikrishna Committee Report[i], “the transformative potential of the digital economy to improve lives in India and elsewhere is seemingly limitless at this time”.[ii] This Bill aims to protect the privacy of individuals and regulate the flow and usage of personal data that is being processed. The Bill further provides protective measures through a framework of accountability and remedial measures for unauthorised and harmful processing.
For the purpose of understanding the Government’s role in framing of policies for a digital economy, let’s analyse Clause 91(2) (“Clause”), which deals with the mandatory disclosure of non-personal data, and provides that the Central Government may direct any “data fiduciary”[iii] or “data processor”[iv] to produce all non-personal or anonymised personal data for the “better targeting of delivery of services or formulating evidence-based policies by the Central Government”[v].
For more clarity, ‘anonymisation’ of personal data refers to the process of removing specific identifiers in a manner ensuring that the risk of identification of an individual is negligible[vi]. Anonymised data cannot be re-identified. See the illustration below:
Illustrated above is the original data
Illustrated above is the anonymised data
On the other hand, non-personal data means data that does not contain any individual’s personally identifiable information. For example, any data related to weather, geographical terrain, etc., collated by an entity that is relevant for its business.
There are a few ambiguities in the Clause, which are as enumerated below:
- The Bill doesn’t define “data” as property per se, but rather as a “representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means”[vii]. In this regard, there exists some similarity between Clause 91(2) and the law of eminent domain, which refers to the government’s sovereign right to take private property for public use[viii]. This Clause is similar to the one in the Land Acquisition Act, 1894 that gives the Government the right to acquire land upon providing compensation. But in this Clause, there is no compensation prescribed.
- The purposes for which non-personal data sharing is mandated under the Clause is for “framing of any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse”. Here, there should ideally be further classification and expansion of reasons for collection of such data for better clarity for the data fiduciaries and data processors.
- There is certain ambiguity in the phrase “any personal data anonymised or other non-personal data”, which could be interpreted to include knowledge assets like trade secrets and other intellectual property. The Bill could be clearer about the Government’s requirement to gain access to this data.
This Bill expands the fundamental right to privacy, drawn from Justice K.S. Puttaswamy (Retd.) v. Union of India[ix], into the digital realm of data protection. By implementing suitable measures within its own organisational framework, data fiduciaries and data processors would be better equipped to provide data as and when required under this Clause.
[i] The Justice B. N. Srikrishna Committee was constituted to examine issues regarding data protection in India. They submitted a report that recommended methods to address these, along with draft a Data Protection Bill.
[ii] A Free and Fair Digital Economy, Protecting Privacy, Empowering Indians, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, pg. 5
[iii] Clause 3 (13) defines “data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;
[iv] Clause 3 (15) defines “data processor” means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary;
[v] The Personal Data Protection Bill (2019) Chapter XIV Clause 91(2)
[vi] A Free and Fair Digital Economy Protecting Privacy, Empowering Indians Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, pg. 28 https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
[vii] The Personal Data Protection Bill (2019) Chapter I Clause (11)
[ix] (2017) 10 SCC 1