The Unique Identification Authority of India (UIDAI), which is tasked with managing Aadhaar, the world’s largest biometric ID system, has requested an exemption from the Personal Data Protection (PDP) Law, or Data Protection Bill 2019. This piece of legislation, often referred to as the Privacy Bill, is designed to protect individual rights by regulating the collection, movement, and processing of data that is personal, or can identify individuals.
Understanding the Privacy Law
The Privacy Bill was inspired by a previous draft prepared by a committee led by retired Justice B N Srikrishna. In the landmark Puttaswamy judgement in 2017, the Supreme Court of India held that the right to privacy is a fundamental right.
The provisions of the Bill gives government bodies the authority to approve the transfer of certain types of personal data overseas and has exceptions permitting government agencies to collect their citizens’ personal data.
Data Classification Under the Privacy Law
The Privacy Bill classifies data into three categories: Personal Data, Sensitive Personal Data, and Critical Personal Data.
Personal Data refers to information from which an individual can be identified like name, address, etc. Sensitive Personal Data includes aspects such as financial status, health-related data, sexual orientation, biometric and genetic details, transgender status, caste, religious belief, and others.
Critical Personal Data refers to anything that the government can deem critical at any time, such as military or national security data.
Role of Data Fiduciaries
Data fiduciaries, who could be service providers that collect, store, and use data during the provision of goods and services, are required to provide the government with any non-personal data when asked. Non-Personal Data refers to anonymised data, such as traffic patterns or demographic data.
Establishment of a Data Protection Authority
The Bill has also proposed the establishment of a Data Protection Authority to ensure compliance with the law. It introduces the ‘Right to be Forgotten’, which states that the data principal (the person to whom the data is related) shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary.
Controversial Provisions and Issues
If implemented in its current form, the PDP Law might establish two separate ecosystems. One involving government agencies who would be exempt from the law’s jurisdiction, granting them complete liberty to handle personal data, and the other encompassing private data fiduciaries who need to comply with all provisions of the law.
Section 35 of the Bill invokes aspects such as “sovereignty and integrity of India,” “public order”, “friendly relations with foreign states” and “security of the state” to empower the Central government to suspend any or all provisions of this Act for government agencies.
With respect to UIDAI, there are concerns over legal duplication as the Authority is already governed by the Aadhaar Act.
The Role of UIDAI and Data Localization
UIDAI is a statutory authority instituted on July 12, 2016, under the jurisdiction of the Ministry of Electronics and Information Technology, in line with the provisions of the Aadhaar Act 2016. UIDAI is mandated to assign a 12-digit unique identification (Aadhaar) number to all Indian residents. Originally established by the Government of India in January 2009 as an office under the Planning Commission, it was later made a statutory authority.
