
Explained: Personal Data Protection Bill — issues, debate


From a UPSC perspective, the following things are important:

Prelims level: Read the attached story

Mains level: Debate over Data Localization Policy in India

  • India’s first attempt to domestically legislate on the topic, the Personal Data Protection (PDP) Bill, 2019 has been approved by the Cabinet and is slated to be placed in Parliament this winter session.
  • The Bill has three key aspects that were not previously included in a draft version, prepared by a committee headed by retired Justice B N Srikrishna.

What is Data?

  • Data is any collection of information that is stored in a way that computers can easily read (think 011010101010, i.e. binary formats).
  • Data usually refers to information about your messages, social media posts, online transactions, and browser searches.

Data Principal

  • The individual whose data is being stored and processed is called the data principal in the PDP Bill.

Why does this data matter?

  • This large collection of information about users’ online habits has become an important source of profits, but also a potential avenue for invasion of privacy because it can reveal extremely personal aspects.
  • Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to you online.
  • It is now clear that much of the future’s economy and law enforcement will be predicated on the regulation of data, introducing issues of national sovereignty.

Who handles my data, and how?

  • Data is stored in a physical space similar to a file cabinet of documents, and transported across country borders in underwater cables that run as deep as Mount Everest and as long as four times the Indian Ocean.
  • To be considered useful, data has to be processed, which means analysed by computers.
  • Data is collected and handled by entities called data fiduciaries.
  • While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor.
  • This distinction is important to delineate responsibility as data moves from entity to entity.
  • For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.

Storage of data

  • The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.
  • Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.
  • However, many contend that the physical location of the data is not relevant in the cyber world.

How does the PDP Bill propose to regulate data transfer?

  • To legislate on the topic, the Bill trifurcates personal data.
  • The umbrella group is all personal data — data from which an individual can be identified.
  • Some types of personal data are considered sensitive personal data (SPD), which the Bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more. Another subset is critical personal data.
  • The government can deem something critical at any time, and has given military or national security data as examples.

Changes from the Justice B N Srikrishna Committee recommendations


  • The draft had said all fiduciaries must store a copy of all personal data in India — a provision that was criticised by foreign technology companies that store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash.
  • The approved Bill removes this stipulation, only requiring individual consent for data transfer abroad. Similar to the draft, however, the Bill still requires sensitive personal data to be stored only in India.
  • It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA). The final category of critical personal data must be stored and processed in India.

Non-personal data

  • The Bill mandates fiduciaries to give the government any non-personal data when demanded.
  • Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
  • The previous draft did not apply to this type of data, which many companies use to fund their business model.

Data fiduciaries

  • The Bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism.
  • While the process can be voluntary for users and can be completely designed by the company, it will decrease the anonymity of users and “prevent trolling”.

Other key features

  • The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”.
  • These include security of the state, detection of any unlawful activity or fraud, whistle blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
  • The Bill calls for the creation of an independent regulator, the DPA, which will oversee assessments, audits and definition making.
  • Each company will have a Data Protection Officer (DPO) who will liaise with the DPA for auditing, grievance redressal, record maintenance and more.
  • The committee’s draft had required the DPO to be based in India.

Other keywords

  • The committee’s draft had several other significant keywords that are expected to be in the Bill.
  • “Purpose limitation” and “collection limitation” limit the collection of data to what is needed for “clear, specific, and lawful” purposes or for reasons that the data principal would “reasonably expect”.
  • It also grants individuals the right to data portability, and the ability to access and transfer one’s own data. Finally, it legislates on the right to be forgotten.

Debates around the Bill

  • With historical roots in European Union law, the right to be forgotten allows an individual to remove consent for data collection and disclosure.
  • After the Cabinet approval of the bill, an official source said this concept is still “evolving” and has not been “concretized” yet.
  • Government sources said they were open to the “widest debate on this Bill”.

Two sides of the debate

A. For data localisation

  • A common argument from government officials has been that data localisation will help law-enforcement access data for investigations and enforcement.
  • As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” — a process that almost all stakeholders agree is cumbersome.
  • In addition, proponents highlight security against foreign attacks and surveillance, harkening to notions of data sovereignty.
  • The government doubled down on this argument after news broke that 121 Indian citizens’ WhatsApp accounts were hacked by an Israeli software called Pegasus.
  • Even before that, the argument was used prominently against WhatsApp when a spate of lynchings across the country was linked to rumours that spread on the platform in the summer of 2018.

Why localize data?

  • Many domestic-born technology companies, which store most of their data exclusively in India, support localisation.
  • They have strongly argued that data regulation for privacy and security will have little teeth without localisation, calling upon models in China and Russia.
  • Many economy stakeholders say localisation will also increase the ability of the Indian government to tax Internet giants.

B. Against the Bill

  • Civil society groups have criticised the open-ended exceptions given to the government in the Bill, allowing for surveillance.
  • Moreover, some lawyers contend that security and government access are not achieved by localisation.
  • Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
  • Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have pushed back heavily.
  • Much of this sentiment harkens to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
  • Opponents say protectionism may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India, such as TCS and Wipro.