What is DPDP Bill, 2022?

• The Ministry of Electronics and Information Technology has drafted the DPDP Bill in 2022, replacing Personal Data Protection Bill, 2019.
• The Bill frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand.
• It is one of the four proposed legislations in the IT and telecom sectors to provide the framework for the rapidly growing digital ecosystem.

What is meant by Data governance?

• Data governance is the management and control of an organization’s data assets.
• It ensures data is accurate, secure, compliant, and used effectively, through policies, standards, stewardship, quality management, security, privacy, and lifecycle management.

Who are Data fiduciaries?

• Data fiduciaries – organizations or individuals- handling personal data on behalf of others, ensuring its privacy and protection.
• It includes businesses, government agencies, service providers, and professionals- process or store personal data- compliance with applicable laws and regulations.

Who is a Data Principal?

• The DPDP bill, 2022 denotes data Principal- individual who’s data is being collected.

What is Data Portability?

• Ability of individuals– to transfer personal data from one platform, service, or organization to another.

What is Data Interoperability?

• Ability of different systems platforms, or services -to seamlessly exchange and use data with one another.

Key Principles and features of the DPDP Bill, 2022

• Personal data usage should be lawful, fair, and transparent
• Collection of minimum necessary data– only for the specific purposes
• Personal data stored- limited to a fixed duration– not indefinitely
• Implementing safeguards against unauthorized data collection and processing
• The bill defines Data Principals and Data Fiduciaries
• It grants rights such as information access, consent, correction.
• A Data Protection Board– ensures compliance, monitors, and penalises for data breach
• Cross-border data transfer is allowed to specified countries with suitable data security
• Exemptions may be granted based on user volume and national security
• Empowers individuals with data control

The need for such a bill

• Increasing use of the internet and the associated risks to individuals’ personal data
• Increasing prevalence of cyber threats and Data breaches: the need for legal frameworks
• Data monetization can compromise personal privacy- protecting individual privacy is crucial
• The absence of writ proceedings against corporate actions; the need for a data protection law; remedies for privacy violations

Advantages of the DPDP Bill, 2022

• Strengthens data protection measures and obligations to maintain the accuracy and security of personal data
• Promotes responsible data management practices— data minimization, purposeful dissemination, and authorized collection and processing of personal data
• Enhances user control and choice through data portability
• Provisions for accountability and remedies in case of privacy breaches– legal remedies
• Aligns India with international data protection standards, – smoother data transfers and trade relations with countries that prioritize privacy
• Strikes a balance between data protection and national interests

Concerns raised over the bill

• Wide-ranging exemptions for government agencies- undermine privacy protections
• Insufficient safeguards for the right to privacy- discretionary powers to the government
• Dilution of the role of the Data Protection Board- concerns about independence and effectiveness
• Open-ended language in certain provisions— ambiguity and misuse of power
• Lack of specific provisions for compensation in the case of data breaches
• Potential infringement on the RTI Act- reduction in transparency and accountability
• Challenges in standardization and compatibility for seamless data transfer and interoperability

Potential challenges in its implementation

• Implementing the provisions is both a compliance burden and technically challenging
• The requirement for local storage and processing of personal data: costs and operational complexities
• Diverse and interconnected digital landscape
• Complexities associated with cross-border data transfers
• Striking a balance between protecting privacy rights and promoting innovation and economic growth
• Keeping the legislation up-to-date and relevant to evolving data protection concerns

In comparison with other countries

• The EU’s General Data Protection Regulation (GDPR) imposes– stringent requirements and extensive obligations on organizations handling personal data
• India aims to align with GDPR to facilitate data transfers and trade relations
• The US relies on sectoral laws and focuses on individual liberties and protection from government intrusion
• China’s recently implemented Personal Information Protection Law (PIPL) and the Data Security Law (DSL)- individuals’ new rights over their personal data and impose restrictions on cross-border data transfers

India’s efforts for its data protection regime

• In 2017, the Supreme Court’s decision in- K. S. Puttaswamy (Retd) vs Union of India, which recognized- right to privacy as a fundamental right– Indian Constitution under Article 21- laid the foundation for stronger data protection measures
• B.N. Srikrishna to propose a framework for data protection, including- recommendations to strengthen privacy laws in India, – data processing restrictions, a Data Protection Authority, the right to be forgotten, and data localization
• Information Technology Rules 2021– mandate social media platforms and intermediaries to exercise- greater diligence in handling content on their platforms

What more needs to be done?

• Conduct thorough stakeholder consultations with- diverse perspectives and inputs
• Strengthen privacy safeguards by- minimizing exemptions for government agencies
• Independence and effectiveness of the Data Protection Board
• Clarify and address concerns about- potential violations of the right to privacy
• Provisions for data portability and the right to be forgotten
• Evaluate and mitigate potential implications for the RTI
• Continuously review and – update the legislation- emerging privacy challenges and technological advancements
• Awareness and educate individuals about their privacy rights
• International alignment with global privacy frameworks

Conclusion

• The DPDP 2022 is a significant step towards safeguarding individuals’ privacy rights and regulating data practices but concerns remain regarding exemptions for government agencies and the independence of the Data Protection Board. With stakeholder collaboration, transparency, and continuous adaptation, we can empower individuals, foster innovation, and ensure a future where privacy and progress go hand in hand.