From a UPSC perspective, the following things are important:
Prelims level : Read the attached story
Mains level : Data Privacy and Protection
The Union government informed the Supreme Court that a new law, namely the Digital Personal Data Protection Bill, 2022, to enforce individual privacy in the online space was “ready”.
Legislation on ‘Data’: A Backgrounder
- The personal data protection bill has been in the works for about five years.
- The first draft of the Bill was presented by an expert panel headed by Justice B.N. Srikrishna in July 2018, after a year-long consultation process.
Timeline of key events
- July 2018: After a year of consultations and deliberations, the PDP Bill, 2018, drafted by an expert committee headed by Justice BN Srikrishna, is presented to MeitY. Subsequently, MeitY begins drafting the next iteration of the Bill.
- December 2019: The PDP Bill, 2019, prepared by MeitY, is referred to a Joint Parliamentary Committee (JPC) for review.
- December 2021: After multiple extensions and a leadership change, the JPC Chairperson tabled the report of the JPC on the PDP Bill, 2019, as well as the draft Data Protection Bill 2021, in Parliament.
- August 2022: On August 3 this year, MeitY withdrew the 2021 Bill, stating that a more “comprehensive legal framework” will be presented soon.
DPDP Bill, 2022 is based on seven principles
According to an explanatory note for the bill, it is based on seven principles:
- Lawful use: The first is that “usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.”
- Purposeful dissemination: The second principle states that personal data must only be used for the purposes for which it was collected.
- Data minimisation: Bare minimum and only necessary data should be collected to fulfill a purpose.
- Data accuracy: Personal data should be accurate at the point of collection, and there should not be any duplication.
- Duration of storage: The fifth principle talks of how personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration.
- Authorized collection and processing: There should be reasonable safeguards to ensure there is “no unauthorised collection or processing of personal data.”
- Accountability of users: The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
Key features of the bill
(1) Data Principal and Data Fiduciary
- The bill uses the term “Data Principal” to denote the individual whose data is being collected.
- The term “Data Fiduciary” denotes the entity (which can be an individual, company, firm, state etc.) that decides the “purpose and means of the processing of an individual’s personal data.”
- The law also recognises that in the case of children (defined as all users under the age of 18), their parents or lawful guardians will be considered their ‘Data Principals.’
(2) Defining personal data and its processing
- Under the law, personal data is “any data by which or in relation to which an individual can be identified.”
- Processing means “the entire cycle of operations that can be carried out in respect of personal data.”
- So right from collection to storage of data would come under processing of data as per the bill.
(3) Individual’s informed consent
- The bill also makes it clear that an individual needs to give consent before their data is processed.
- Every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.
- Individuals also have the right to withdraw consent from a Data Fiduciary.
- The bill also gives consumers the right to file a complaint against a ‘Data Fiduciary’ with the Data Protection Board in case they do not get a satisfactory response from the company.
(4) Language of information
- The bill also ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
- Further, the notice of data collection needs to be in clear and easy-to-understand language.
(5) Significant Data Fiduciaries
- The bill also talks of ‘Significant Data Fiduciaries’, who deal with a high volume of personal data.
- The Central government will define who is designated under this category based on a number of factors ranging from the volume of personal data processed to the risk of harm to the potential impact on the sovereignty and integrity of India.
(6) Data protection officer & Data auditor
- Such entities will have to appoint a ‘Data protection officer’ who will represent them.
- They will be the point of contact for grievance redressal.
- They will also have to appoint an independent Data auditor who shall evaluate their compliance with the act.
(7) Right to erase data, right to nominate
- Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
- They will also have the right to nominate an individual who will exercise these rights in the event of death or incapacity of the data principal.
(8) Cross-border data transfer
- The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.”
- However, an assessment of relevant factors by the Central Government would precede such a notification.
(9) Financial penalties
- The draft also proposes to impose significant penalties on businesses that undergo data breaches or fail to notify users when breaches happen.
- Entities that fail to take “reasonable security safeguards” to prevent personal data breaches will be fined as much as ₹250 crore.
- As per the draft, the Data Protection Board — a new regulatory body to be set up by the government — can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant.
What distinguishes this bill from its earlier versions?
- Gender neutrality: Significantly, and for the first time in the country’s legislative history, the terms ‘her’ and ‘she’ have been used irrespective of an individual’s gender. This, as per the draft, is in line with the government’s philosophy of empowering women.
- Imbibes best global practices: To prepare it, best global practices were considered, including review of data protection legislations of Australia, European Union (EU), Singapore, and a prospective one of the USA.
- Comprehensiveness: The draft has outlined six ‘Chapters’ and a total of twenty-five points. The ‘Chapters’ are: ‘Preliminary,’ ‘Obligations of Data Fiduciary,’ ‘Rights and Duties of Data Principal,’ ‘Special Provisions,’ ‘Compliance Framework,’ and ‘Miscellaneous.’
- Special emphasis for child protection: If personal data is likely to cause harm to a child, its processing will not be allowed.
Hits of the bill
- Widening the scope of data: Narrowing the scope of the data protection regime to personal data protection is a welcome move, as it resonates with the concerns of various stakeholders.
- Harnessing economic potential: Now non-personal data could be used to unlock social and economic value to benefit citizens, businesses, and communities in India with appropriate safeguards in place.
- Doing away with aggressive push for Data localisation: Relaxing data localisation provisions to notify countries to which data can flow, could aid India in unlocking the comparative advantage of accessing innovative technological solutions from across the globe, which in turn helps domestic companies.
- Free flow of data: In addition, the free flow of data will help startups access cost-effective technology and storage solutions, as our research shows.
- Allowing data transfers: This will also ensure that India is not isolated from the global value chain, helping businesses stay resilient in production and supply chain management and fostering overseas collaboration.
Some criticisms of the bill
- Wordplay: There had been use of open-ended language such as “as necessary” or “as may be prescribed”.
- Govt monopoly: The Bill did not seem to work towards protecting people, but ensures that the government retains all power without any checks or balances.
- Exemption provisions: The government has been given the power to exempt not only government agencies but any entity that is collecting user data, from having to comply with the provisions of this bill when it is signed into law.
- No protection against data breach: The Executive in India has a track record of exploiting to expand its powers. There is no right for compensation to individuals in case of a data breach. They have no right to data portability.
- Crafting such crucial legislation is no mean task. It may require some more trial and error to succeed.
- Definitely, it will involve some time and deliberation to arrive at a comprehensive legal framework.