IAS Gyan

DRAFT DATA PROTECTION BILL

4th March, 2022 Science and Technology

Context

  • The Ministry of Electronics and Information Technology is studying the inputs it has received on the draft of the data protection Bill and will not rush with the tabling of the Bill in Parliament.

Importance of data

  • Data usually refers to information related to messages, social media posts, online transactions, and browser searches. It has become an important source of profits.
  • Companies, governments and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
  • Much of the future’s economy and law enforcement will be predicated on the regulation of data, introducing issues of national sovereignty.

Handling of data

  • Data is stored in a physical space similar to a file cabinet of documents and transported across country borders in underwater cables. Data is collected and handled by entities called data fiduciaries.
  • While the fiduciary controls how and why data is processed, the processing itself may be done by a third party, the data processor.
  • The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.

Provisions of the Draft Data Protection Bill

  • The bill trifurcates personal data. The umbrella group is all personal data — data from which an individual can be identified.

Personal Data

  • Some types of personal data are considered sensitive personal data (SPD), which the Bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief and more.

Critical Data

  • Another is critical data, which is determined by the government for national security purposes. It requires individual consent for data transfer abroad.
  • The bill requires sensitive personal data to be stored only in India.
  • It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).

Critical Personal Data

  • The final category of critical personal data must be stored and processed in India.

Mandate for Fiduciaries

  • The bill mandates fiduciaries to give the government any non-personal data when demanded.
  • The bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism.

Individual consent

  • The bill includes exemptions for processing data without an individual’s consent for “reasonable purposes” including security of the state, detection of any unlawful activity or fraud, whistle-blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
  • It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
  • It legislates on the right to be forgotten.

Independent Data Protection Agency

  • The Bill calls for the creation of an independent regulator, the DPA, which will oversee assessments, audits and definition-making.
  • Each company will have a Data Protection Officer (DPO) who will liaise with the DPA for auditing, grievance redressal, record maintenance and more.

Concerns related to the bill

  • The appointment of members to the DPA will not be made through an independent body but by a handful of people, mostly bureaucrats, selected by the government.
  • Civil society groups have criticized the open-ended exceptions given to the government in the Bill, allowing for surveillance.
  • There is a blanket power of exemption from all provisions of the law (including access to personal data without consent, citing national security, investigation and prosecution of any offence, public order) in favour of a government agency.
  • A new watchdog without teeth, with no functional autonomy, would mean governments are legally immune from charges of data-mining.
  • Justice (Retd.) BN Srikrishna, who headed the committee that formulated the original draft of the Bill, has reportedly called it “a piece of legislation that could turn India into an Orwellian state”.
  • Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have responded with heavy backlash.
  • Many are concerned about a fractured Internet, where the domino effect of the protectionist policy will lead other countries to follow suit.
  • Much of this sentiment harks back to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
  • Allowing the government to force companies to transfer non-personal data raises serious intellectual property concerns, and can still threaten users even if they’re not individually identified.

Need for data localization

  • Localisation will help law enforcement access data for investigations and enforcement.
  • Proponents highlight security against foreign attacks and surveillance, invoking notions of data sovereignty.
  • Many domestic-born technology companies, which store most of their data exclusively in India, support localisation.
  • Reliance Jio has strongly argued that data regulation for privacy and security will have few teeth without localisation, citing models in China and Russia.
  • Instances of cyber attacks and surveillance will be checked. Recently, many WhatsApp accounts were hacked by Israeli software called Pegasus. Social media is being used to spread fake news, which has resulted in lynchings and national security threats; these can now be monitored, checked and prevented in time.
  • Data localisation will increase the ability of the Indian government to tax Internet giants.
  • Strong data protection legislation will also help to enforce data sovereignty.

https://indianexpress.com/article/explained/mos-it-tabling-data-bill-7800015/