• Legal Armor

Data Protection Bill - An analysis

The exponential growth of the Internet of Things in India has given rise to a seemingly never-ending skirmish between the protection of personal data of individuals and the Freedom of Speech and Expression. In this never-ending battle of self-righteousness between both sides, the Indian government has made an attempt to strike a balance between the two, through the recently introduced Personal Data Protection Bill, 2019 (Hereinafter “Bill”). The Bill defines personal data as data that pertains to characteristics, traits, or attributes of identity, which can be used to identify an individual and also categorizes certain personal data as sensitive personal data. [1]

Since data available on the Internet eventually loses significance over time, access to it should be restricted. Section 18 of the Bill sets out the Right of an individual (Data Principal) to seek correction of inaccurate, incomplete, or out-of-date personal data (i.e. ‘Right to correction and erasure’) from for e.g. a search engine (Data Fiduciary). Section 20 of the Bill sets out the right of an individual to restrict continuing disclosure of their personal data by the Data Fiduciary (i.e. ‘Right to be forgotten’) if such data were no longer necessary.

The Bill emphatically reiterates the significance of the Right to privacy and provides statutory recognition to the same vide the ‘Right to correction and erasure’ (Section 18 of the Bill) and the ‘Right to be forgotten’ (Section 20 of the Bill). The ‘Right to be forgotten’ was propounded in the year 2014 in the case of Google Spain SL v. AEPD [2], wherein it was established that a person has the right to demand, from a search engine, the takedown of any information which has either become obsolete with time and/or violates his/her right of privacy. The Personal Data Protection Bill, 2019 is in consonance with the opinion of the European Court of Justice in the Google Spain SL case as well as the European General Data Protection Regulation. In fact, in comparison to the European Privacy Laws, the Bill provides for stronger Privacy Rights. Sections 18 and 20 of the Bill bestow upon a person's increased control over his/her personal data.

The Bill equitably ensures that every person has the Right to determine when, how, and to what extent information/data about them is being communicated to the public. Ever since the Supreme Court judgment in the case of Justice K.S. Puttaswamy (Retd) vs Union of India [3], holding that the Right to Privacy is a Fundamental Right, there has been a need for statutory recognition of the Right to Privacy in India. The Personal Data Protection Bill, 2019 is a praiseworthy step of the Indian government to statutorily define the ambit of the Fundamental Right to Privacy. The proviso to subsection (2) of Section 20 of the Bill also precisely strikes a balance between the ‘elderly’ Freedom of speech and expression and the ‘relatively young’ Right to Privacy. The Personal Data Protection Bill, 2019 is thus the right step towards protecting the privacy of individuals over the Internet.

[1] PRS India, https://prsindia.org/billtrack/personal-data-protection-bill-2019

[2] Google Spain SL v. AEPD, Case C-131/12, 2014 ECLI: EU: C: 2014:317

[3] (2017) 10 SCC 1


About the Author:

Siddhant is an Indian Qualified Lawyer and Patent Attorney.

Here is how you can contact them: https://www.linkedin.com/in/siddhantsharma/