Authored By- Navya Shukla

The internet has created entirely new markets for the collecting, organising, and processing of personal data, either directly or as a vital component of many business models. India currently lacks explicit data protection or privacy legislation. However, the relevant data protection laws in India are the Information Technology Act, 2000 (“IT Act, 2000”) and the Indian Contract Act, 1872. A Committee of Experts was formed to examine various aspects of data protection, the work of the Committee resulted in the creation of the first draft of the Personal Data Protection Bill in 2018. Consequently, the report of the Joint Parliamentary Committee on the proposed data protection law has given the Data Protection Bill of 2021 a new tone and tenure. The author through this article aims to analyse the elements of data privacy in Indian legislation essentially focusing on the PDP Bill and whether the laws adequately promote the utilities of the internet.
I.                 Introduction
In the well-known case of Justice K.S. Puttaswamy v Union of India[1], the Supreme Court issued a unanimous decision affirming that the right to privacy is a fundamental right guaranteed by the Indian Constitution. The Hon'ble Court also advised the Central Government to draw up a concrete data protection law for the country that protects the interests of the individuals as well as of the state while encouraging technological innovation and entrepreneurship. The Court reasoned that because there is no effective data protection law in place, determining what rights citizens possess is difficult, rendering the fundamental right to privacy practically useless.
Indian legislators were jolted awake by the Supreme Court's recognition of the right to privacy as a basic right under Article 21 of the Indian Constitution, and felt compelled to craft the necessary laws. Indian WhatsApp users are outraged by WhatsApp's most recent privacy policy amendment, which has exposed flaws in Indian data protection legislation. The bill in question is based on the General Data Protection Regulation[2] (“GDPR”) of the European Union, and it aims to protect individuals’ personal data, which is regularly acquired by digital media for a variety of reasons. A layman may be unaware of how far his or her data has travelled and who has access to it in such instances.[3]
As previously noted, the IT Act, 2000[4] now oversees data privacy and protection in India, and an entity can be held accountable for the unauthorised use of an individual's data or personal information, as well as any negligent act using such information. However, one of the legislation’s flaws is that the scope and meaning of “sensitive personal information” are limited, and the legislation’s restrictions do not apply to government agencies that use residents’ data.[5] Individual ownership over their data, the ability to track who collects their data, where it is held, how it is used, and what recourse they have if their data is misused are all principles that make up a good data protection strategy. There have been far too many instances where personal information, whether anonymized or not, has been used with malicious intent.
As a result, the PDP Bill, 2019,[6] is an attempt to protect individuals' privacy in connection to their personal data, as well as to regulate the interaction between persons and companies that process this data. It is also determined to promote innovation through digital governance in order to establish a
robust digital economy. On December 11, 2019, the Ministry of Electronics and Information Technology introduced the PDP Bill, 2019 in the Lok Sabha to restructure India's data protection management, which was previously managed by the IT Act, 2000 and its rules. The PDP Bill is mainly consistent with the requirements of the Draft Personal Data Protection Bill, 2018, and is broadly inspired by the principles of the European Union's GDPR, 2016. 
II.            Key Features Of The Pdp Bill
The Joint Parliamentary Committee gave its long-awaited report to the Indian Parliament on December 16, 2021, after two years of deliberation on the Personal Data Protection Bill, 2019.[7]This, hopefully, will be the ultimate consequence of a succession of JPC extensions, paving the way for a solid data protection law in the world's greatest democracy.
The PDP Billseeks to regulate an individual's personal data, including its collection, storage, processing, and divulgence. Following are certain key takeaways of the Bill:
·         It defines "Sensitive Personal Data" as financial data, health data, an official identifier, sex life, sexual orientation, biometric data, genetic data, transgender or intersex status, caste or tribe, religious or political beliefs.[8]
·         It seeks to govern both companies and government agencies involved in the processing of an individual's data, which is currently limited to companies under the IT Act of 2000.
·         A 'data principal' is a person whose data is being disclosed, processed, and used and who has been granted the rights to information, correction, completion, erasure, transfer, restricting disclosure, and withdrawal of their data.
·         A 'data fiduciary' is the entity that collects and stores the data of a data principal. Certain obligations apply to data fiduciaries when it comes to the processing of personal data. Such processing, for example, should be subject to certain purpose, collection, and storage constraints. Personal data can only be processed for specific, clear, and legal purposes.
·         Furthermore, all data fiduciaries must implement certain transparency and accountability measures, such as implementing security safeguards and establishing grievance redressal mechanisms to address individual complaints. Certain fiduciaries may be designated as "significant data fiduciaries," and they will be required to take additional accountability measures, such as conducting a data protection impact assessment before conducting any large-scale sensitive personal data processing (including financial data, biometric data, caste, religious or political beliefs).
·         The PDP Billwill apply to data fiduciaries or data processors who are not physically present in India if they process personal data in connection with (a) any business carried on in India, (b) systematic offering of goods and services to data principals in India, or (c) any activity involving profiling of data principals within the territory of India.
·         It proposes establishing a Data Protection Authority to serve as a grievance redressal forum for an aggrieved individual whose grievances were not adequately addressed by the data fiduciary.
·         Exemptions have been provided for processing personal data without the consent of the data principal in certain circumstances, such as (i) when required by the State to provide benefits to the individual, (ii) legal proceedings, and (iii) responding to a medical emergency.[9]
·         Personal data has been defined in terms of identifiability standards. Although 'anonymised data' is not covered by the provisions, the Central Government is empowered to create policies directing data fiduciaries or data processors to share anonymised data or non-personal data to enable better targeting of service delivery.
·         The PDP Bill emphasises compliance requirements for all forms of personal data, expands individuals' data rights, establishes a central data protection regulator, emphasises the restrictive conditions for personal data transfer, lists the penalties for reckless de-identification/misuse of data, and establishes data localization requirements for certain forms of sensitive data.
·         Any entity that re-identifies and processes de-identified personal data without consent faces a penalty of up to three years in prison, a fine, or both.
III.        Analysis And Impact Of The Bill
With the Indian economy becoming increasingly digital, a regulatory sandbox may be required. In certain cases, exempting government agencies from the PDP Bill's restrictions may contradict the bill's goal and jeopardise an individual's fundamental right to privacy. The data localization rules may generate general security and national security concerns. The PDP Bill declares that the government must have access to "important" or "sensitive" personal data, such as religious or political beliefs, if necessary to defend national interests, but such unlimited access to these informationcould lead to data misuse.[10]
Furthermore, the concept of the right to be forgotten has been discreetly placed in the PDP Bill under the right to erasure. The idea for the development of this right is that a person should be able to govern their data by requesting that data processed by a data fiduciary be erased.Users will be able to request that companies remove their personal data, which means they will have the right to be forgotten if their purpose has been met or if they desire to withdraw their consent. However, the PDP Bill grants only a limited and arbitrary right, requiring the consent and scrutiny of an Adjudicating Officer before the data can be wiped.
The scope of the Personal Data Protection Bill has been enlarged in response to the JPC Report[11] to include both personal and non-personal data. Instead of "Personal Data Protection Bill," the bill is now known as "Data Protection Bill (Bill)." Because "it is impossible to discriminate between personal and non-personal data when mass data is collected or conveyed," both categories of data will be regulated by the same regulator. The inclusion of non-personal data, including anonymized data, in the scope may be a sensitive issue, as some of the non-personal data will be considered proprietary by enterprises who have invested large resources to obtain it.
The establishment of the DPA and other accompanying infrastructure, as outlined in the study, are some critical activities that must be done in stages. Companies must quickly embrace and implement a successful compliance plan by focusing on investments and alignment of people, process, and technology. Both the government and private firms must implement dedicated training and awareness programmes to train the staff and assure timely compliance.
IV.        Conclusion
The Data Protection Bill is a much-needed and long-awaited piece of legislation that would replace India's current archaic, obsolete, and inadequate data protection policy. It would assist preserve individuals' privacy rights and promote fair and transparent data use for innovation and growth, unlocking the digital economy, in comparison to present standards. It has the potential to create jobs, increase user understanding of their privacy, and hold data fiduciaries and processors accountable. Furthermore, with the rapid adoption of cutting-edge technologies such as blockchain and artificial intelligence, it would be worthwhile to track and study how the current set of regulations would be applied to frameworks based on decentralisation and anonymization.
Despite being influenced by the EU General Data Protection Regulation, India has developed its own approach to data protection, including merging personal and non-personal data under one roof, data localization, hardware device coverage, social media platform management, and more. Though it still has certain flaws, it will bring India up to speed with other countries' rigorous data privacy rules once completely implemented. Companies should start preparing for compliance with the various provisions as soon as possible. Enterprises should contemplate conducting periodic audits and assessments of their privacy procedures in order to better visualise the types of data collected, its flow within the company, storage timelines and locations, and to initiate remediation steps to close any gaps they discover.
Compliance with the requirements of data privacy can be difficult in today's information age. However, if organisations are proactive and plan ahead of the enforcement date, this does not have to be the case. Organizations can confidently embrace the Bill and, once compliant, consider it a competitive advantage by implementing a tiered, comprehensive data security strategy.