Digital India Initiatives

Data Protection Bill approved by Cabinet: Content, concerns


From the UPSC perspective, the following things are important:

Prelims level: Digital Personal Data Protection Bill

Mains level: Digital Personal Data Protection Bill, 2022, significance, concerns and its implications


Central Idea

  • Nearly six years after the Supreme Court recognized privacy as a fundamental right, the Indian government has taken a significant step towards safeguarding personal data with the Digital Personal Data Protection Bill, 2022. This legislation, expected to be tabled in the upcoming Monsoon Session of Parliament, aims to address concerns regarding data protection, while considering the country’s trade negotiations with international partners.

*Relevance of the topic*

Today, India has more than 800 million internet users, and this is expected to increase by 45% in the next five years to 900 million in 2025.

Given the dynamic nature of the online sphere, privacy concerns and issues are rapidly changing.

There is a need for a robust data protection policy and for an understanding of its implications for citizens.

Significance of Privacy Law/ Data Protection Bill, 2022

  • Filling the Legislative Gap: The proposed bill aims to fill the legislative gap in India regarding the protection of personal data. By enacting a comprehensive privacy law, it will provide a dedicated legal framework for the collection, storage, processing, and transfer of personal data, addressing concerns that were previously unregulated.
  • Strengthening Data Protection: The bill seeks to strengthen data protection measures by placing obligations on entities, referred to as data fiduciaries, to maintain the accuracy and security of personal data. It also emphasizes the importance of deleting data once its purpose has been fulfilled, promoting responsible data management practices.
  • Trade Negotiations and Global Alignment: The bill’s enactment holds significance in India’s trade negotiations, particularly with regions like the European Union. Implementing a robust privacy law aligns India with international data protection standards, such as the GDPR, which can facilitate smoother data transfers and trade relations with countries that prioritize privacy.
  • Consumer Trust and Confidence: Establishing a privacy law builds consumer trust and confidence in the digital ecosystem. It assures individuals that their personal data will be protected, thereby encouraging greater participation in digital transactions, e-commerce, and other online activities. Increased trust contributes to the growth of the digital economy.
  • Accountability and Remedies: The bill includes provisions for accountability and remedies in case of privacy breaches. It empowers individuals to seek legal remedies and file complaints against entities that violate the privacy provisions. This promotes a culture of accountability among organizations and strengthens individuals’ rights.
  • Harmonizing Data Protection and National Interests: The proposed bill aims to strike a balance between data protection and national interests. While safeguarding privacy rights, it also provides exemptions for the central government and its agencies on grounds of national security, foreign relations, and public order, ensuring that legitimate national interests are taken into account.

Concerns Surrounding the Draft Bill

  • Wide-ranging Exemptions: One of the major concerns is the inclusion of wide-ranging exemptions for the central government and its agencies. These exemptions allow the government to bypass certain provisions of the bill based on reasons such as national security, relations with foreign governments, and maintenance of public order. Critics argue that these exemptions could potentially undermine privacy protections and weaken the scope of the law.
  • Dilution of the Data Protection Board: The role of the data protection board, which serves as an adjudicatory body for privacy-related disputes, is perceived to be diluted in the draft bill. The control of the central government in appointing board members and determining the terms and conditions of their service raises concerns about the independence and effectiveness of the board.
  • Potential Impact on the Right to Information (RTI) Act: There are concerns that the draft bill could have implications for the Right to Information (RTI) Act. The protection of personal data of government functionaries under the privacy law could make it more challenging for information to be shared with RTI applicants, potentially affecting transparency and accountability.

How does India’s proposal compare with other countries?

  • European Union (EU) Model: The EU’s General Data Protection Regulation (GDPR) is a comprehensive data protection law that sets high standards for the processing and protection of personal data. The GDPR is known for its stringent requirements and extensive obligations on organizations handling personal data. India’s proposed bill aims to align with international standards, including those set by the GDPR, to facilitate data transfers and trade relations with the EU.
  • United States Model: Privacy protection in the United States is primarily based on sectoral laws and regulations. The focus is on safeguarding individual liberties, with an emphasis on protection from government intrusion. The US approach allows data collection as long as individuals are informed about it. In comparison, India’s proposed bill takes a more comprehensive approach, covering various aspects of data protection and placing obligations on both government and private entities.
  • China Model: China has recently implemented new data privacy and security laws, including the Personal Information Protection Law (PIPL) and the Data Security Law (DSL). These laws grant individuals new rights over their personal data and impose restrictions on cross-border data transfers. While the specific provisions of India’s proposed bill may differ, both India and China aim to enhance data protection and privacy in the face of increasing digitalization.
  • Global Adoption: According to the United Nations Conference on Trade and Development (UNCTAD), the majority of countries globally have established data protection and privacy laws. Africa and Asia have shown significant adoption rates, with countries in these regions implementing their own privacy frameworks. It is worth noting that the level of adoption and the specifics of these laws may vary across countries.

Implications of the bill on Citizens

  1. Positive Implications:
  • Enhanced Privacy Protection: The bill would provide individuals with greater control over their personal data and reduce the risk of unauthorized access or misuse.
  • Strengthened Data Security: Stricter requirements for data fiduciaries to implement security measures can help safeguard sensitive data, enhancing trust and confidence in digital transactions.
  • Increased Accountability and Remedies: The bill empowers citizens by providing them with avenues to address privacy violations, ensuring that their rights are protected and promoting a culture of accountability among data handlers.
  2. Potential Negative Implications:
  • Exemptions for Government Agencies: Concerns about the government’s access to and use of personal data, leading to potential privacy risks and diminished transparency.
  • Weakened Role of the Data Protection Board: The perceived dilution of the data protection board’s role, particularly in terms of its independence and control by the central government, may result in a lack of impartial adjudication and hinder citizens’ ability to seek redress for privacy violations.
  • Potential Impact on Right to Information (RTI) Act: If personal data is shielded under the privacy law, it may restrict access to information by RTI applicants, potentially affecting transparency and accountability in the public sphere.

What changes are likely in the final version?

  • Cross-border Data Flows: A key change in the final draft is a shift from a ‘whitelisting’ approach to a ‘blacklisting’ mechanism regarding cross-border data flows. This means that data transfers will be allowed to most jurisdictions by default, except for those specified in a ‘negative list’ of countries where transfers would be prohibited.
  • Stricter “Deemed Consent” Provision: The provision on “deemed consent” may be reworded to impose stricter requirements on private entities while allowing government departments to assume consent for processing personal data on grounds of national security and public interest. This change aims to strengthen privacy protections for individuals.
  • Clarification of Penalties: The final version of the bill is expected to provide clarity on penalties for data breaches. It is reported that the highest penalty for failing to prevent a data breach could be prescribed at Rs 250 crore per instance. The interpretation of “per instance” would be determined by the data protection board on a case-by-case basis.

Way forward

  • Stakeholder Consultation: Engage with privacy experts, industry representatives, and civil society organizations for comprehensive input and diverse perspectives.
  • Strengthen Privacy Safeguards: Minimize exemptions for government agencies, ensure an independent and effective data protection board, and clarify provisions on data breaches and penalties.
  • Transparency and Accountability: Establish clear guidelines for data fiduciaries, conduct regular audits, and provide accessible mechanisms for citizens to file complaints and seek redress.
  • Awareness and Education: Launch public awareness campaigns, privacy literacy programs, and collaborate with educational institutions to empower individuals with knowledge about their privacy rights.
  • International Cooperation: Align standards with international frameworks, collaborate on data transfer mechanisms, and actively participate in global privacy discussions and forums.
  • Continuous Review and Adaptation: Incorporate provisions for regular review and updates to address emerging privacy challenges and technological advancements.


  • As India prepares to introduce the Digital Personal Data Protection Bill, 2022, it marks a significant milestone in protecting individuals’ privacy rights and regulating data practices. However, concerns regarding exemptions for government agencies and the potential impact on the RTI Act need to be carefully addressed. By striking a balance between privacy protection and national interests, India can establish a robust framework that promotes data-driven innovation, fosters international trade relations, and ensures individuals’ control over their personal data.
