Background
In the absence of a dedicated data protection regime, the Information Technology Act, 2000 read with its supplementary Rules [titled the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011] acts as a framework for data protection and privacy in India. This framework is accompanied by a patchwork of guidelines, standards and directives issued by sectoral regulators that specify certain data protection obligations for that sector.
Landmark changes
- As rapid technological advancement gave rise to privacy concerns, a Group of Experts was constituted to understand privacy issues and identify interventions to effectively address them. The group studied national and international privacy laws and practices and, in their 2012 report, issued nine national privacy principles which were central to the interpretation of the right to privacy. The report also recommended the creation of an overarching law for privacy protection based on five salient features, viz., (a) Technological neutrality and inter-operability with international standards, (b) Multi-dimensional privacy, (c) Horizontal applicability, (d) Conformity with privacy principles, and (e) Co-regulatory enforcement regime.
- In 2017 the Supreme Court of India recognized the right to privacy as an element of the fundamental right to life and personal liberty under Article 21 of the Indian Constitution in the Puttaswamy judgment. It also advised that the Central Government establish a data protection policy that balances the needs of individuals with legitimate concerns of the state, while encouraging entrepreneurship and innovation.
- Consequently, the government formed an expert committee “to study and identify key data protection issues and recommend methods for addressing them”, and prepare a draft Data Protection Bill. The committee submitted its report along with the Personal Data Protection Bill 2018 which was subject to significant contention.
- Based on the committee’s recommendations and draft statute, the Government of India introduced the draft Personal Data Protection (PDP) Bill, 2019 which was subject to significant contention. Thus, a Joint Parliamentary Committee (JPC) was formed to review the draft bill. After extensive consultations, the JPC released its report in 2021, wherein it undertook a clause-by-clause examination of the Bill to arrive at its final recommendations, and submitted a revised version of the PDP Bill titled the Data Protection Bill, 2021 which now sought to cover both personal and non-personal data.
- In certain instances, sectoral regulators have issued data protection guidelines and standards outlining data protection obligations:
  - The Reserve Bank of India (RBI) released Guidelines on Regulation of Payment Aggregators and Payment Gateways in 2020 based on the principle of ‘data minimization’ to regulate storage of card data wherein only necessary data elements that are required for processing are collected and stored.
  - The Bureau of Indian Standards issued IS 17428 as standards for assurance of data privacy practices of organizations in 2021. This privacy framework is divided into two parts, with part 1 providing the management and engineering parameters required for establishing a Data Privacy Management System, and part 2 providing a reference framework for implementing good data management practices within organisations.
  - The National Health Authority released Data Sharing Guidelines in 2022 after extensive stakeholder consultation. These guidelines outline measures taken to protect the personal data of beneficiaries of the Ayushman Bharat scheme by, inter alia, providing a guidance framework for secure handling of personal data, outlining specific purposes for sharing of such data, and establishing mechanisms for collection of personal data.
- The Ministry of Electronics and Information Technology (MeitY) also constituted an Expert Committee to study issues relating to non-personal data. The committee published its report in 2020 containing the draft of a Non-Personal Data Governance Framework for public consultation. After receiving extensive feedback, the Expert Committee released its revised report on a Non-Personal Data Governance Framework which outlined conditions wherein data would fall under this framework (i.e., be considered non-personal data as opposed to personal data which would be governed by the PDP Bill), and emphasized the importance of consent of individuals opting in or out of having their data anonymized.
- In February 2022, MeitY published the Draft India Data Accessibility & Use Policy, 2022 which proposed that government data, which has been collected at the Central level and has “undergone value addition/transformation”, can be sold in the open market for an “appropriate price”. After this policy faced widespread criticism for allowing the government to monetize data without a national data protection framework in place, MeitY published the draft National Data Governance Framework Policy in May 2022 as its substitute. This draft Policy was formulated with the aim of transforming and modernizing government data collection and management processes by creating a large repository of datasets to enable artificial intelligence and data-led research.
Recent Developments
The Personal Data Protection Bill was withdrawn from Parliament in August 2022. The government now seeks to replace it with a ‘comprehensive legal framework’ to regulate the online space, which will include separate laws on data privacy.