DATA PROTECTION BILL
Context: The Union Cabinet approved the Digital Personal Data Protection (DPDP) Bill on July 5, 2022. It clears the way for the Bill to be tabled in Parliament during the forthcoming Monsoon Session, which begins on July 20.
- The Bill aims to protect the privacy and rights of individuals concerning their data and to regulate the processing of such data by data fiduciaries.
- The data privacy law defines standards for the administration of personal data of Indian residents and demands specific agreement from those whose information is gathered and utilised.
- According to an official, nearly 20,000 comments were received on the draft Bill, but they will not be made public. He also stated that there has been little change between the draft that was published for public feedback and the final Bill that will be presented in Parliament.
- The Union government has refused to give copies of comments on the Bills from industry, civil society, and government entities in response to Right to Information demands.
- The need for a comprehensive data protection law was felt after the Supreme Court of India declared privacy a fundamental right in Justice K.S. Puttaswamy v. Union of India (2017). The Court also directed the government to enact a law to safeguard the personal data of citizens from unauthorized use by state and non-state actors.
- In response, the government formed a committee under Justice B.N. Srikrishna to draft a data protection bill. The committee submitted its report and a draft bill, titled the Personal Data Protection Bill, 2018.
- The bill was then revised by the government and introduced in the Lok Sabha as the Personal Data Protection Bill, 2019. However, the bill was referred to a joint parliamentary committee for further scrutiny and public consultation.
- The joint parliamentary committee submitted its report along with a modified draft bill, titled the Digital Personal Data Protection Bill, 2022. Recently the bill was approved by the cabinet and is now ready to be presented in Parliament.
- The DPDP Bill has several features that are similar to its previous versions as well as some new provisions that reflect the changing landscape of data governance.
- It applies to all online and offline data in India that relates to an identifiable natural person or digital nagrik.
- The bill applies to data fiduciaries or entities that collect, process, store or share personal data of individuals.
- Data fiduciaries are entities that collect, store or process personal data on behalf of individuals. They have a duty of care and loyalty to protect the data from unauthorized access, misuse, or harm.
- It requires data fiduciaries to obtain consent from individuals before collecting or processing their data, except in certain cases such as for state functions, legal obligations, emergencies or public interest. The consent should be free, informed, specific, clear and revocable.
- It mandates data fiduciaries to adhere to certain principles while processing personal data, such as purpose limitation, collection limitation, data quality, storage limitation, accountability and transparency.
- The bill categorizes personal data into three types: general personal data, sensitive personal data and critical personal data.
- Sensitive personal data includes financial, health, biometric, genetic, sexual orientation, religious, political and other data that may cause harm or discrimination to individuals if misused.
- Critical personal data includes any data that the government may notify as such from time to time.
- It grants several rights to individuals concerning their data, such as the right to access, correction, erasure, portability and restriction of processing. Individuals can also file complaints against data fiduciaries for violations of their rights or seek compensation for any harm caused by such violations.
Restrictions on cross-border transfer
- The bill imposes restrictions on cross-border transfer of personal data.
- General personal data can be transferred outside India subject to contractual clauses or adequacy decisions by the government.
- Sensitive personal data can be transferred outside India only with the explicit consent of individuals and subject to additional conditions such as storage of a copy of such data in India.
- Critical personal data can only be processed and stored within India.
- The bill provides for exemptions from its provisions for certain categories of personal data or processing activities. These include personal or domestic purposes, journalistic purposes, research purposes and security purposes.
- The government can also exempt any agency from the bill for reasons of sovereignty, security, public order or friendly relations with foreign states.
Data Protection Board of India
- The bill envisages the setting up of a Data Protection Board of India to manage the implementation and enforcement of the bill.
- The board will consist of a chairperson and six members appointed by the government on the recommendation of a selection committee. It will have powers to issue codes of practice, conduct inquiries, impose penalties and perform other functions as assigned by the government.
- The bill empowers individuals to have greater control and choice over their data and to exercise their rights effectively. It protects them from potential harm or discrimination arising from misuse or breach of their data by data fiduciaries.
- It grants individuals the right to access, correct, erase, port and restrict the processing of their data, as well as the right to be forgotten and the right to object to certain processing activities.
- It requires data fiduciaries to obtain consent from individuals before processing their data, except in certain circumstances.
- It mandates data fiduciaries to provide clear and transparent notice about their data practices and to implement appropriate security safeguards and privacy by design principles.
- The bill will create a level playing field for businesses that deal with personal data and foster trust and confidence among customers and stakeholders. It enables businesses to leverage the opportunities offered by the digital economy and to innovate and compete in the global market.
- The bill provides flexibility for businesses to process personal data for reasonable purposes, subject to certain conditions and safeguards. It allows businesses to process anonymized or non-personal data for various purposes, without any restrictions.
- It encourages businesses to adopt codes of practice, certification schemes and sandbox mechanisms to demonstrate their compliance and enhance their reputation.
For the Government
- The bill will contribute to the social and economic development of the country by promoting data-driven governance, public service delivery, research and innovation.
- It will enhance the national security and sovereignty of the country by ensuring that critical personal data is processed and stored within India.
- The bill allows the government to process personal data for various purposes, such as security, law enforcement, health, welfare, taxation, etc., subject to certain safeguards and oversight.
- It empowers the government to exempt certain processing activities from the provisions of the bill, in the interest of national security or public order.
Wide-ranging exemptions to the government
- The bill grants wide-ranging exemptions to the government and its agencies from its provisions, raising concerns about the potential misuse of personal data by the state for surveillance, profiling or political purposes. There are also doubts about the independence and accountability of the Data Protection Board, given that its members are appointed by the government.
Restrictions on cross-border transfer of personal data
- The bill imposes stringent restrictions on the cross-border transfer of personal data, especially sensitive and critical personal data, which may hamper the growth and competitiveness of Indian businesses that rely on global data flows. It may also affect the interests of foreign businesses that operate in India or offer services to Indian customers.
Complex and cumbersome compliance regime
- The bill creates a complex and cumbersome compliance regime for data fiduciaries, especially small and medium enterprises, start-ups and non-profit organizations that may lack the resources and expertise to comply with its provisions. It may also increase the cost and risk of doing business in India.
Does not adequately address some of the emerging issues
- The bill does not adequately address some of the emerging issues and challenges in the field of data protection, such as anonymization, de-identification, artificial intelligence, machine learning, blockchain, cloud computing, the Internet of Things, etc. It may also become obsolete or irrelevant in the face of rapid technological changes and innovations.
- The DPDP Bill is a welcome initiative by the government to protect the privacy and rights of individuals concerning their data and to regulate the processing of such data by data fiduciaries. However, it is not without its flaws and limitations.
- The bill must be thoroughly debated and discussed in Parliament and among various stakeholders before it is enacted into law. The bill must be implemented and enforced effectively and efficiently by the Data Protection Board and other authorities.
- The bill must be reviewed and updated periodically to keep pace with the evolving trends and developments in the domain of data protection.
Digital Personal Data Protection Bill: https://www.iasgyan.in/daily-current-affairs/digital-personal-data-protection-bill
Q. How can the Digital Personal Data Protection Bill balance the competing interests of data privacy, national security, innovation and economic development, while ensuring effective enforcement and compliance with the law?