March 27, 2018

Data (Privacy and Protection) Bill, 2017: What To Expect



As digitization increases, large volumes of data are generated, and there are no measures to safeguard the privacy of this data or to regulate data retention by the platforms collecting it. Hence, we are in need of a strong data protection law.

In the new media age, privacy has become a fiercely debated topic. In India, we observe that with the ongoing Aadhaar case in the Supreme Court, a new common discussion has started around the issue of digital privacy and where the law currently stands on this subject.

The debate on privacy and data protection has become a burning issue as the constitutional bench of nine judges, headed by the Chief Justice of India, is set to decide whether the right to privacy is a fundamental right, and a committee headed by Justice B. N. Srikrishna, former judge of the Supreme Court, has been constituted to suggest a draft Bill on data protection. It must be noted that it is this series of important events that may contribute to India’s focus on data protection and the Data (Privacy and Protection) Bill, 2017.

Advocate Prashant Mali is a Bombay High Court lawyer. His area of practice is Cyber Law & Privacy. He is the Founder-President of the law firm Cyber Law Consulting (Advocates & Attorneys).

What is Data Privacy and Data Protection

The privilege of securing one’s information online constitutes information security. Such information could either be about an individual, undertaking, or even a government. Following the definition of personal data laid down by the European Union’s data protection guidelines, “Information concerning an identified and identifiable natural person” covers the scope of personal data. Hence, if we follow this definition, the personal information provided by individuals during biometrics would be included. But data put out through biometrics or for economic purposes remains at risk in India since no legislation has been chalked out to protect such personal data.

Where It All Started

Recently, in the Lok Sabha, Member of Parliament Baijayant “Jay” Panda tabled the Data (Privacy and Protection) Bill, 2017, proposing the right to privacy as a fundamental right for Indian citizens.

This is not the first time a Bill proposing such a right has been laid down in Parliament. As a matter of fact, Panda himself had presented a Bill in 2009 titled “The Prevention of Unsolicited Telephonic Calls and Protection of Privacy Bill”, which aimed at prohibiting unsolicited telephone calls by business promoters or individuals to persons who didn’t want to receive such calls. It stated that every person shall have the right to privacy and freedom to lead and enjoy his/ her life without any unwarranted infringement. Apart from Panda, Rajeev Chandrasekhar (2010), Vivek Gupta (2016), and Om Prakash Yadav (2016) have in the past introduced Bills pertaining to citizens’ data privacy.

What The Data (Privacy And Protection) Bill, 2017 Portends

Data protection is a daily part of our lives. We come across data protection issues at work, when browsing the Internet, while dealing with public authorities, when shopping, when booking online tickets, etc. As digitization increases, more and more data is being captured. How this data is used and held is becoming increasingly important.

The Data (Privacy and Protection) Bill, 2017

1. Proposes Right to Privacy as Fundamental Right of citizens

2. Follows a right-based approach and demands the consent of individuals for collection and processing of personal data

3. Gives final right to modify or remove personal data from any database, whether private or personal, solely to an individual

4. Includes data collectors and data processors (defined) who ensure that they collect and process data in a lawful and transparent manner

5. Creates obligation on data intermediaries to implement security measures to ensure the security of the data collected

6. Lays down that in case of data breach, data intermediaries are mandated to inform individuals in a fixed time period

7. Promotes creation of an end user-facing position of data protection officer for grievance redressal, with a provision for appeal to the Data Privacy and Protection Authority (DPPA)

8. Allows lawful interception and surveillance by the state for the purpose of National Security

9. Authorizes DPPA to penalize, imprison, and order compensation for losses suffered by private individuals against the government or any other private institution

10. May also engage in impact assessment, consultation, and inspection by the DPPA

Recent Developments

The Ministry of Electronics and Information Technology released a white paper by a “committee of experts” led by former Supreme Court judge, Justice B. N. Srikrishna, on a data protection framework for India.

The government had sought public comments till December 31, 2017 on the white paper, which is aimed at securing digital transactions and addressing customer and privacy protection issues.

Public discourse around data privacy is probably at its zenith in India today. As digitization increases, large volumes of data are generated and there are no measures that safeguard the privacy of this data nor regulate data retention by the platforms collecting it. Hence, we are in need of a strong data protection law.

Data Privacy Law Has To Be In Tandem With The Aadhaar Act

LEGAL ERA MAGAZINE speaks to Advocate PRASHANT MALI, BOMBAY HIGH COURT, about data privacy, data security and everything in between

LE: According to you, what is the basic meaning and purpose of the Data Protection Bill, 2017?

This Bill grants a statutory Right to Privacy under Section 4. However, this Right to Privacy is only pursuant to Articles 19 and 21. While a statutory recognition of the Right to Privacy may be applauded for being a baby step in the right direction, it will have to pass the test of reasonable restrictions when it is codified. The Bill aims to define and protect the right to digital privacy and to constitute a Data Privacy Authority to protect personal data. This Bill is an attempt at empowering citizens with this right.

LE: Do you feel that the Privacy Bill is in favor of the masses or do you think it is a political and industrial gimmick? What is the territorial scope of the Privacy Bill, 2017? What about extraterritorial application of data protection laws in India as far as the Bill is concerned? What categories of exemption can be incorporated into the data protection law?

The law must have extra-territorial effect with respect to data of Indian residents, and must provide appropriate redress mechanisms for privacy violations outside India if the infringer has a business presence in India. The applicability of the law should be extra-territorial, as it is now: the penalties and liabilities prescribed under Sections 43A and 72A of the IT Act have also been given extra-territorial applicability and would apply to contraventions committed by non-Indian companies, irrespective of the nationality of the data subject whose information is collected, processed or transferred. While the practical enforcement of penalties against a company is unlikely where such company has no presence in India, authorities may resort to other means, including blocking access to servers or networks located in India in the event of repeated and significant contraventions or failures by a company to comply with obligations under the Privacy Rules. Data already in the public domain, anonymous data, data on deceased persons, journalistic data, research data, historical data, data related to investigation, data related to national security, etc. should be exempt.

LE: What are your views on cross-border transfer of data?

I feel that transfer can only be to countries with a similar or comparative level of data protection laws or having explicit treaties with India. The Bill is silent on the issue of data sovereignty, which has become a persistent issue in the wake of technology enabling seamless moving of data across international borders. Only covering this lacuna, along with addressing the collateral issue of data storage, can make it a comprehensive privacy bill. Well-defined provisions against the contractual determination of governing law, jurisdiction and dispute resolution may be considered to ensure that foreign entities comply with Indian law, and do not find ways of working around it by way of contracts or by other means.

LE: Currently, there are a variety of laws in India which deal with processing of data, including personal data and sensitive personal data. These laws operate in various sectors, such as the financial sector, health sector and the information technology sector. Should these laws be inspected and suitably amended before passage of the Data Protection Law, 2017?

All regulators currently have a mandate for privacy; in fact, I have written a whole research paper around it in the current issue of NUJS, International Journal of Law & Privacy. I feel this Data Protection Law, 2017 or 2018 or 2019, whenever it is incarnated, should supersede the IT Rules, the Telecom Act and all other regulatory privacy rules of all sectors. I feel the Aadhaar Act has more privacy provisions than any other law; how they will complement the new law is also to be seen.

LE: Do you think that the law will break the impasse among legislators this time?

I am personally optimistic, but the experience of legislators legislating and the history of the same bill since 2006 is disheartening. Even though PM Modi and the Law Minister have taken all the right steps towards formulation of public opinion for the bill, I feel the intelligence agencies and opposition political parties find no grounds for the law being made. I also feel defining privacy would be a herculean task for parliamentarians; moreover, adding reasonable restrictions to the same would be another issue. I wish the Hon. SC could have defined “Privacy” in its last Right to Privacy judgment; then things could have been easy. I personally feel privacy would be like obscenity, which gets defined differently in different decades.

LE: With Section 33(2) of the Aadhaar Act, the state can cite 'national security' and access identity information and authentication records of citizens. Isn’t this a blurring of lines between 'data security' and 'privacy'?

Yes, it is. Data privacy law has to be in tandem with the Aadhaar Act, and the state would take this stand. If you look today as well, all states invade citizens’ privacy under the garb of national security. Section 33(2) of the Aadhaar Act is no different. I feel, as India is drafting a brand new law, it can take precautions to balance between privacy, national security and criminality.

LE: What, according to you, should be the safety guidelines for privacy and people? With advancing technology and easy availability of data, how strict should a privacy law in the country be to control disruption? Your opinion, please.

I strongly feel the last section of the Bill should have mentioned the state’s role in providing “Privacy literacy” related awareness and education to Indian citizens. I feel that until a state inculcates a privacy culture among data users and makes them aware of safeguards, they will remain vulnerable. India is seriously late in protecting its data. We may be serious and may bring a law, but we are deficient and not yet ready with the technology to implement the same. The architecture must address the following questions: how do people give consent, how is their data released, how is it stored and encrypted? When that data is given to another party for use, what are the criteria for usage? Implementation of the said law cannot be overnight; it would need timelines and meticulous planning in the Indian context.


Disclaimer – Statements and opinions expressed in this article are those from the editorial and are well researched from various sources. The content in the article is purely informative in nature.
