This is part three of a three-part series on the impact of the Data Protection Bill on businesses. Read part one here and part two here.

After nearly two years, the Joint Parliamentary Committee (JPC) submitted its report on the Personal Data Protection Bill, 2019. The introduction of the new draft Data Protection Bill, 2021, that accompanied the report meant that India would have to adopt a new and comprehensive legislation on data protection. The Bill is scheduled to be introduced in Parliament soon.

The previous version of the Data Protection Bill was drafted primarily in the image of the General Data Protection Regulation (GDPR). The new Bill, however, is different from its European Union counterpart in material respects and seems to have a broader scope as it addresses issues like non-personal data, regulations on social media platforms and companies etc. 

Controversy around exemptions

One of the major issues with the earlier version of the Bill was the near blanket exemption for the government and its agencies from adhering to compliances. It was reported that the JPC had considered the view of industry as well as government (including law enforcement agencies) to gauge how exemptions should be provided.

However, the JPC, in its final suggestions, stuck close to the exemptions provided in the first version of the bill, clearly giving primacy to the concerns of government departments. This is significant when looking at accountability of those having access to sensitive data of a country and its citizens. 

Exemptions In the Data Protection Bill

The Bill offers exemptions to not only government agencies but also to certain private entities. These exemptions are based on the following factors:  

1. If the central government is satisfied that it is necessary in the interest of or for preventing incitement to the commission of a cognisable offence, then the provisions of the Act will not apply to any government agency for processing personal data.

2. Certain specified provisions will not apply to personal data if it is (i) processed in the interest of prevention, detection, investigation and prosecution of any offence or any other contravention of law, (ii) disclosed for inter alia enforcing a legal right, (iii) processed by any court or tribunal, (iv) exempted by the central government where processing of personal data of data principals not within the territory of India.

3. The PDP Bill provides that a natural person processing personal data for purely personal or domestic purposes, will not be subject to certain substantive data protection requirements.

4. If the processing of personal data is necessary for or relevant to a journalistic purpose, certain substantive data protection requirements under the PDP Bill will not be applicable.

5. The PDP Bill allows the DPA to specify different categories of research, archiving or statistical purposes and exclude the applicability of certain provisions of the Bill to such categories.

6. The Bill also provides certain exemptions in cases wherein the processing of personal data by small entities is not automated. The only entities that are likely to be covered under the manual processing exemption are those which use minimal computer resources for processing personal data automatically.

7. The PDP Bill empowers the DPA to create a sandbox to encourage innovation in artificial intelligence, machine learning or any other emerging technology in public interest. Entities included in the sandbox will be exempt from compliance with requirements such as specifying the purpose of data processing, limitations on collection of personal data, obligations directly dependent on the obligations to specify purpose and limitation on collection of personal data and restrictions on retention of personal data. 

With research inputs from The Quantum Hub.