Draft personal data protection bill, 2018

  • The Union government on released the draft Personal Data Protection Bill, 2018, submitted as part of the recommendations of the Justice Sri Krishna Committee on data security.


  • A 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, Justice B.N. Sri Krishna.
  • The committee was tasked to submit a report and recommendations on what India’s data protection regime should look like, especially in light of the Supreme Court’s 2017 judgment that asserted a fundamental right to privacy for all Indians.
  • The panel has delivered a report that covers its views on the data protection landscape in India, as well as a draft bill, which is likely to form the core of the government’s own draft.

Need for Data Protection:

  • The 21st century has witnessed such an explosive rise in the number of ways in which we use information, that it is widely referred to as ‘the information age’.
  • Much of that new information will consist of personal details relating to individuals, including information relating to the products they have purchased, the places they have travelled to and data which is produced from “smart devices” connected to the Internet.
  • Data is fundamentally transforming the way individuals do business, how they communicate, and how they make their decisions. Businesses are now building vast databases of consumer preferences and behaviour.
  • While data can be put to beneficial use, the unregulated and arbitrary use of data, especially personal data, has raised concerns regarding the privacy and autonomy of an individual, centralisation of databases, profiling of individuals, increased surveillance and a consequent erosion of individual autonomy.

Scope of data:

  • For instance, the analysis of very large and complex sets of data is done today through Big Data analytics. Employing such analytics enables organisations and governments to gain remarkable insights into areas such as health, food security, intelligent transport systems, energy efficiency and urban planning.
  • Data is valuable per se and more so, when it is shared, leading to creation of considerable efficiency. The reality of the digital environment today, is that almost every single activity undertaken by an individual involves some sort of data transaction or the other.
  • The Internet has given birth to entirely new markets: those dealing in the collection, organisation, and processing of personal information, whether directly, or as a critical component of their business.
  • There are a large number of benefits to be gained by collecting and analysing personal data from individuals. Pooled datasets allow quicker detection of trends and accurate targeting

What is data protection:

  • Data protection principles are designed to protect the personal information of individuals by restricting how such information can be collected, used and disclosed.
  • The need for data protection thus arises out of the need to prevent harms, and hinges on the question of who should be permitted to use personal information and how privacy can be protected.
  • The concept of data protection is primarily linked with the idea of informational privacy.
  • Privacy is a complex concept that has been difficult to define.
  • The harms that arise from violations of privacy are difficult to identify because very often they are intangible.
  • Informational privacy is often understood as the freedom of individuals to determine for themselves when, how, and to what extent information about them is communicated to others and this freedom allows for individuals to protect themselves from harm.
  • However, not all information about an individual is necessarily private and deserving of protection. It is for a legal framework to determine where affording such freedom is appropriate and where it is not.
  • Different norms of privacy can exist in different spheres of life.
  • Rules of data protection and privacy are designed in such a way that they allow individuals the freedom to determine how their personal information will be collected, used and disclosed.
  • Privacy laws are not identical in form to any other existing fields of law like property, copyright law, though there are some similarities. For example, laws on defamation generally prohibit disclosure of personal information only if it is false. Privacy, on the other hand, would even protect against disclosure of truthful personal information.

In Telecom sector:

  • Data protection norms in the telecom sector are primarily dictated by the Unified License Agreement (ULA) issued to Telecom Service Providers (TSP) by the Department of Telecommunications.
  • The format in which, and the types of information that are to be collected from the individual is prescribed by the DoT.
  • A TSP has an obligation to take necessary steps to safeguard the privacy and confidentiality of the information of individuals to whom it provides a service and from whom it has acquired such information by the virtue of the service provided.
  • Customer information can be disclosed only if the individual has consented to such disclosure and the disclosure is in accord.
  • TSP has to make efforts to comply with the Telegraph Act which imposes an obligation on it to facilitate the Government to carry out ‘interception’ of messages in case of emergencies – a privacy intrusion justified largely in the name of national security with the terms of consent.

In Health Sector:

  • The Clinical Establishments (Central Government) Rules, 2012 (Clinical Establishments Rules) requires clinical establishments to maintain and provide Electronic Medical Records/Electronic Health Records, thus mandating the storage of health information in an electronic format.
  • SPDI Rules apply only to the private sector thus leaving the whole of the public health sector outside its ambit.
Share Socially