Personal Data Protection Bill, 2013 Drafted by Centre for Internet and Society

The bill calls for the regulation of personal data, where no person will be allowed to collect, store,
process, disclose or handle any private data except in accordance to the act, nothing in the act refers to
personal data collected, storage and processing of personal data for domestic use. There isnt any
provision which lays down what is considered to be domestic use. It was drafted by the Centre for
Internet and Society as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013.
This version of the Bill caters only to the Personal Data regime.

The main provisions around this bill are as follows:

It regulates the collection of personal data

Collection of data is allowed only with the prior consent of the subject
It regulates the storage, processing and transfer of personal data for processing.
The bill calls for the safety of personal data and the duty of confidentiality imposed by the
person who is collecting such data.
There are provisions for the disclosure of personal data (1) with prior consent and (2) without
prior consent.
The quality and accuracy of the data collected will have to be maintained by the collector of
such data
Special provisions have been given for sensitive personal data and how it can be used and
handled.
Special provisions have been given for intelligence organisations with regard to processing
and storing personal data
The bill calls for the constitution of a Data Protection Authority and enumerates the persons
who shall constitute such a body, terms of office, condition of services, removal, functions,
appointments, salaries, vacancies, procedures to conduct business and powers of such
authority
The Chairperson, members and employees shall be public servants within the meaning of
section 21 of the Indian Penal Code
The Data Protection Authority will be for all purposes of inquiry have the same powers as
vested upon a civil court under the Code of Civil Procedure 1908
The Data Protection Authority shall be deemed to be a civil court for the purposes of section
195 and Chapter XXVI of the Code of Criminal Procedure, 1973
The Bill allows for the co regulation of data controllers and the data protection authority to
formulate codes of conduct, collection, storage, processing, disclosure and handling of public
data
The Data Protection Authority may encourage data controllers to formulate professional
conduct code for the purpose of self regulation by data controllers.
The bill provides for offences and penalties; however, it does not mention the amount of time
or amount of fine to be paid in the case of imprisonment or fine.
There is a separate provision for the offences by companies.
There is a bar on jurisdiction to any other court apart from the High Court and Supreme Court
in relation to matters which have been mentioned under this act.
The Personal Data Protection Bill, 2014

This bill is to provide protection of personal data and information collected for a particular purpose by
one organisation and to prevent its usage by another for commercial and other purposes, and entitle
the individual to claim any compensation in case there has been disclosure of such data without
consent.

The features of this bill are as follows:

Data which is collected by the government or private body cannot be processed unless the
consent of the concerned person.
It allows for processing under certain instances such as prevention of crime, prosecution of
offenders, assessment or collection of any tax or duty
Personal data cannot be disclosed for the purpose of any marketing or commercial gain and if
the data is used for such purposes without consent, the person will be entitled to
compensation.
The appropriate government can make provisions for the appointment of Data Controllers in
any State or Union Territory. The appropriate government shall make terms and conditions of
service, number of officers and staff necessary, procedure for appointment of data controllers.
Any organization which is collecting data will be required to report to the data controller the
reason for collection and use of any data. They are required to take measures to maintain
confidentiality and security in handling such data and only collect essential information
Contravention of the provisions of the act can lead to imprisonment upto 3 years, fine up to
10 lakhs or both.
A company can be held liable and punished for the contravention of the provisions of this act.
All offences under this Act shall be tried summarily in the manner prescribed for summary
trial under the Code of Criminal Procedure, 1973.
The Central Government may, by notification in the Official Gazette make rules for carrying
out the purposes of this Act.

Differences between the 2013 and 2014 bills:

Both the bills have provisions which have been made for the collection storage and processing of
personal data. They both impose penalty for the use and processing of data without prior consent of
the person involves. The bills also emphasise on the need to have security of data and the need to
maintain confidentiality and not allow for disclosure without prior consent.

The major differences between the two are as follows:

There are no provisions given for the storage of data in the 2014 Bill or for transfer of data for
processing.
The 2014 bill has not looked into Sensitive Personal Information or defined it.
The 2014 bill does not address the processing of data by intelligence agencies.
The 2013 bill addressed the need for a Data Protection Authority separate from Data
Controllers. However, the 2014 bill does not mention any such authority and states that there
can be Data controllers appointed for every State or Union territory to whom any organisation
which is collecting data will have to report to.
The Data Protection Authority in the first case was given the powers of a civil court, to try
offences under the provision. The 2014 bill states that any contravention will be tried
summarily in accordance to the Code of Civil Procedure.
Current status: The Personal Data Protection Bill 2014 was introduced in the Rajya Sabha on the
28th November, 2014. Further, the Personal Data Protection Bill 2013 was never placed before the
parliament for discussion.