Context: The reworked version of India’s long-awaited data protection law has been cleared by the Cabinet and is expected to be tabled before Parliament in the Monsoon Session.
More on the News
- The Bill, once it becomes law, will play a crucial role in India's trade negotiations with other nations, especially regions such as the European Union, whose General Data Protection Regulation (GDPR) is among the world's most exhaustive privacy laws.
- However, the Bill also retains certain contentious clauses, such as wide-ranging exemptions for the Centre and its agencies and a diluted role for the Data Protection Board.
Understanding the Data Protection Bill
Objective of the Bill:
- The Bill seeks to establish a comprehensive legal framework governing digital personal data protection in India.
- It aims to provide for processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process it for lawful purposes.
Highlights of the Bill:
- The Bill will apply to the processing of digital personal data in India, whether it is collected online or offline and then digitized. It will also apply to the processing of digital personal data outside of India if it involves offering goods or services or profiling individuals in India.
- Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
- The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
Features and Analysis:
- Notice and Consent: The Bill requires the prior consent of the data principal (the individual whose data is being collected). The notice accompanying the request for consent must describe the personal data sought and the purpose for which it will be processed.
- The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
- Obligations of the data fiduciary: To ensure that personal data is processed, stored and erased in a safe and proper manner, the Bill imposes responsibilities such as:
- If there is a breach, the data fiduciary (the entity, whether an individual, company, firm or the State, that decides the purpose and means of processing an individual's personal data) must inform the Board and the data principal.
- Deletion of personal data once the purpose for which it was collected is no longer served, or its retention is no longer necessary.
- Every data fiduciary must publish the contact details of a Data Protection Officer (DPO), or of another person able to answer the data principal's queries and concerns about the processing of her data; significant data fiduciaries must appoint a DPO.
- Additional obligations while processing personal data of children, which includes seeking consent from parents/ guardians.
- Significant Data Fiduciary: The central government can notify a data fiduciary as a significant data fiduciary on the basis of factors such as the volume and sensitivity of the personal data it processes, the risk of harm to data principals, and the potential impact on the sovereignty and integrity of India, the security of the State, public order, etc.
- A significant data fiduciary must appoint an Independent Data Auditor (to evaluate its compliance with the proposed Bill), conduct a Data Protection Impact Assessment, and undergo periodic audits.
- Duties and Rights of the data principal: The Bill also imposes duties on the data principal: not to register a false or frivolous grievance or complaint, and not to provide false or misleading information or suppress material information.
- Rights of data principal include: Right to information, right to correction or erasure and grievance redressal.
- Establishment of Data Protection Board: It also provides for setting up of a Data Protection Board, which will oversee compliance by data fiduciaries and data principals.
- Penalties imposed by the Board: The Bill's schedule lists six categories of non-compliance, with penalties of up to ₹500 crore.
- Transfer of data outside India: The central government will notify a list of countries or territories to which a data fiduciary may transfer personal data, subject to such terms and conditions as may be specified.
Significance of the Bill:
- Plugs loopholes in the current framework: The current legal framework for data protection in India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, is inadequate to protect the privacy of individuals.
- The existing framework is based on privacy being a statutory right rather than a fundamental right.
- It does not apply to the processing of personal data by the government.
- It has a limited understanding of the kinds of data to be protected.
- It places scant obligations on the data fiduciaries which can be overridden by contract.
- There are only minimal consequences for data fiduciaries for breach of these obligations. The DPDP Bill, 2022 aims to address these inadequacies.
- Easier to Comprehend: While previous versions of proposed legislations were dense and voluminous, the new bill is easier to comprehend and understand.
- Ensures a Transparent regime: The Bill seeks to introduce transparency to the current system. Usage of personal data by organizations must be done in a manner that is lawful, fair, and transparent to individuals concerned.
- Empowers individuals: The Bill recognizes the linguistic diversity of India and enables individuals to access basic information in the languages listed in the Eighth Schedule of the Constitution.
- It also empowers individuals by recognizing their right to post-mortem privacy, which was missing from the earlier regulations.
- The bill allows data principals to nominate another individual in case of death or incapacity.
- For the first time in India’s legislative history, “her” and “she” have been used to refer to individuals irrespective of gender.
- Smooth compliance regime: The Bill proposes a forgiving framework for compliance and suggests several welcome improvements. It drops non-personal data from the Bill's scope and does away with the onerous data-localisation mandate imposed by the PDP Bill, 2019. Relaxing rules on cross-border data flows could bring relief to big tech companies.
Limitations of the Bill:
- No defined timelines: The Bill imposes certain obligations on data fiduciaries and the Board, but without providing a timeframe. For example, there is:
- Lack of deadline for deleting personal data (in case of withdrawal of consent),
- Lack of timeline for Board to adjudicate on a complaint,
- No deadline for data fiduciary to erase personal data once the intended purpose is served, etc.
- Powers of the Board: The Bill does not specify the composition or strength of the Board, which has raised concerns about the independence of the proposed Board.
- Limiting penalties: The Bill appears to focus on the severity of the non-compliance rather than on the non-compliance itself. It states that if the non-compliance is not significant, the Board may choose to close the inquiry; remedial measures will be ordered only where the non-compliance is significant.
- Large number of exceptions: It allows the Central government to exempt any data fiduciary from the provisions of the draft Bill. Also, the government can have an exemption from most data protection obligations if the processing is undertaken “in the interests of prevention, detection, investigation of any offence or any other contravention of any law.”
- Missed crucial rights for the data principal: The right to data portability and the right to be forgotten are not part of the draft Bill.
- The right to data portability would allow the data principal to receive, in a structured format, all the personal data they had provided to the data fiduciary.
- This would also cover data that the data fiduciary generated about the data principal while processing it to provide its services.
- The right to be forgotten would allow the data principal to ask the data fiduciary to stop the continuing disclosure of their personal data.
Global Data Protection Models
An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, according to the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat.
- Africa and Asia show 61% (33 countries out of 54) and 57% (34 countries out of 60) adoption respectively. Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
- EU model: The GDPR focuses on a comprehensive data protection law for processing of personal data.
- It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data, but it is still the template for most of the legislation drafted around the world.
- US model: Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government. It is viewed as being somewhat narrow in focus, because it enables collection of personal information as long as the individual is informed of such collection and use.
- China model: Recent Chinese laws on data privacy and security include the Personal Information Protection Law (PIPL), which came into effect on 1 November 2021. It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.
India’s Strengthened Data Protection Regime
- Justice K. S. Puttaswamy (Retd) vs Union of India 2017: In August 2017, a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy Vs Union of India unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21 of the Constitution.
- B.N. Srikrishna Committee 2017: In August 2017 the government appointed a committee of experts on data protection under the chairmanship of Justice B.N. Srikrishna. Its report recommended measures to strengthen privacy law in India, including restrictions on the collection and processing of data, a Data Protection Authority, the right to be forgotten, and data localisation.
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021: IT Rules 2021 mandate social media platforms to exercise greater diligence with respect to the content on their platforms.