
Indian data protection bill 2021 (major points along with the issue of security and privacy) 

On 16 December 2021, the Joint Parliamentary Committee (JPC) published its report
along with the finalised Data Protection Bill, 2021. When passed into law, this has
the potential to change the way in which data is used by businesses.
Some of the key JPC recommendations reflected in the New Bill that impact doing
business in India concern the following concepts:
- Data Localisation
- Cross Border Data Transfer
- Non Personal Data (Recommendation No. 2, point 26)
- Data Breach
- Children’s Personal Data
- Social Media Platforms
- Children’s data (Recommendation No. 38, pp. 72-74)
- Data regulation sans privacy (Recommendation Nos. 8, 14, p. 37, pp. 46-47)

Security and Privacy


- The Bill has been heavily criticised since its introduction for being biased
towards the data-collecting entity, and it might have major issues concerning a
user’s rights. Globally, data privacy legislation has handed over most of
the collection and consent rights to users, and rightfully so.
- By arming a user with the required rights and power to decide when and
how they wish to deal with their data, the laws equip the user to decide how
and when their data can be collected, used, stored and shared.
- The DP Bill, however, makes the exercise of the user’s rights difficult, even
while it does expressly grant individuals certain rights and protections.
- The DP Bill complicates a user’s right to withdraw consent by stating
that if the withdrawal of consent is without any ‘valid reason’, the data
subject will have to bear the legal consequences of such withdrawal. This
makes the exercise of the right to withdraw consent not only prohibitive but also
unnecessarily taxing and cumbersome, and negates the right of the
individual to exercise it.
- To add to this, further ambiguity arises since the law does not lay
down what constitutes a ‘valid reason’ or what the nature and extent of the
legal consequences contemplated under the section are.
- Furthermore, the law creates situations where it provides for the processing
of data without the consent of the data principals. Since technology
processes and products already have several layers and complications,
laws providing for such grey areas only make matters worse for
unsuspecting users.

- Another concerning area of this Bill is the exemption given to employers to
process data of employees without their consent for the recruitment or
termination of employees, for delivering services to employees, for
verifying the attendance of employees, or for the assessment of the
performance of the employees.
- A bare reading of these provisions clarifies that the Bill does not consider or
respect the privacy of employees, or how their data is being handled by their
employer, giving employers unnecessary leeway to misuse their rights and
position of authority.
- Also interesting is that the DP Bill is applicable to the processing of
personal data, sensitive personal data, non-personal data and anonymised
personal data, and the Bill is now titled ‘Data Privacy Bill’, the term
‘personal’ being removed from its title, perhaps in order to clarify that the
law caters to both types of data.
- The Bill also grants the government the right to exempt government
authorities from its applicability in the interest of sovereignty, public
order, security, foreign relations, or for preventing cognisable offences,
thereby giving the State the right to access each subject’s data and use it
accordingly.
- The Bill has been criticised for focusing more on the government’s interests
than on data owners’ privacy. The phrase “to ensure the interest and security
of the State” is inserted in the Bill’s preamble, thereby contextualising it
in terms of protecting the State’s interest and security.
- The exceptions in the Bill for processing personal data of users without their
consent offer relatively little protection in circumstances of data processing
by the State. This might lead to widespread monitoring under the guise of
public order or State security.
- Despite the fact that the DPA will regulate government entities, the DP Bill
gives the government the authority to decide the members of the DPA,
decreasing the DPA’s autonomy substantially.
- The need for the DPA to confer with the Central government before
granting any permissions or decisions on cross-border data transfers would
also result in an exceedingly sluggish and inefficient decision-making
process, undermining the DPA’s autonomy and efficiency.

- Some have observed that the Bill violates the principles of the fundamental
right to privacy established in the Puttaswamy decision by granting multiple
exemptions to the government. Another notable point is that the notion of
‘guardian data fiduciaries’ has been eliminated in the Bill.
- The data fiduciary is now prohibited from profiling and tracking data
relating to children, and the only way to know that the data fiduciary is
working with an adult and not a child is for each person to attest that they
are of legal age, an important aspect which can be easily bypassed.
Additionally, the replacement of the concept of ‘best interests of the child’ is
also extremely controversial.
- The Bill recommends that the phrase ‘social media intermediary’ in the law
should be replaced with the term ‘social media platform’. This change is
crucial as the present law and regulations contain provisions relating to
‘intermediaries’ and not ‘platforms’.
- This change alone could lead to several misinterpretations and loopholes, a
major concern considering the massive number of transactions and
businesses that intermediary platforms are involved in and the huge amount
of data they collect through the transactions.
- The Bill takes away the basic autonomy that the Data Protection Authority
requires to function without any bias. Reducing the role of government and
increasing the independence of the Data Protection Authority needs to be
given importance.
- Furthermore, the provisions relating to non-personal data should be given
enough attention and should be open to more deliberation and suggestions
from stakeholders, as those on personal data were, because any fast and
reckless law on the subject will lead to a regressive business
environment.
- It has been two years since the PDP Bill was introduced. The present draft bill
shows that India still has a long way to go to have its own data protection regime.
- Another important aspect of all this is the concept of mass surveillance.
