From UPSC perspective, the following things are important:
Prelims level: IT Act 2000
Mains level: Paper 3- Personal Data Protection Bill and related issues
The existing data protection framework based on the IT Act 2000 falls short on several counts. The Personal Data Protection Bill seeks to deal with the shortcomings in it. The article explains how the two differ.
Need for new data protection regime
- The need for a more robust data protection legislation came to the fore in 2017 post the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd) v. Union of India.
- In the judgment, the Court called for a data protection law that can effectively protect users’ privacy over their personal data.
- Consequently, the Committee of Experts was formed under the Chairmanship of Justice (Retd) B.N. Srikrishna to suggest a draft data protection law.
- The Personal Data Protection Bill, 2019, in its current form, is a revised version of the draft legislative document proposed by the Committee.
Issues with the existing data protection framework
- The Information Technology Act, 2000 governs how different entities collect and process users’ personal data in India.
- However, entities could override the protections in the regime by taking users’ consent to processing personal data under broad terms and conditions.
- This is problematic given that users might not understand the terms and conditions or the implications of giving consent.
- Further, the frameworks emphasise data security but do not place enough emphasis on data privacy.
- As a result, entities could use the data for purposes different to those that the user consented to.
- The data protection provisions under the IT Act also do not apply to government agencies.
- Finally, the regime seems to have become antiquated and inadequate in addressing risks emerging from new developments in data processing technology.
How the new regime under Data Protection Bill 2019 is different
- First, the Bill seeks to apply the data protection regime to both government and private entities across all sectors.
- Second, the Bill seeks to emphasise data security and data privacy.
- While entities will have to maintain security safeguards to protect personal data, they will also have to fulfill a set of data protection obligations and transparency and accountability measures.
- Third, the Bill seeks to give users a set of rights over their personal data and means to exercise those rights.
- Fourth, the Bill seeks to create an independent and powerful regulator known as the Data Protection Authority (DPA).
- The DPA will monitor and regulate data processing activities to ensure their compliance with the regime.
- Under clause 35, the Central government can exempt any government agency from complying with the Bill.
- Similarly, users could find it difficult to enforce various user protection safeguards (such as rights and remedies) in the Bill.
- For instance, the Bill threatens legal consequences for users who withdraw their consent for a data processing activity.
- Additional concerns also emerge for the DPA as an independent effective regulator that can uphold users’ interests.
Consider the question “What are the issues with the present framework in India for data and privacy protection? How does the Personal Data Protection Bill seek to address these issues?”
The Joint Parliamentary Committee that is scrutinising the Bill is expected to submit its final report in the Monsoon Session of Parliament in 2021. Taking this time to make some changes in the Bill targeted towards addressing various concerns in it could make a stronger and more effective data protection regime.