Draft Digital Personal Data Protection Bill 2022

In News

  • Recently, the latest draft of the data protection law, the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022), has been made open for public comments.

Key Points

  • Background:
    • The data protection Bill has been in the works since 2018 when a panel led by Justice B N Srikrishna had prepared a draft version of the Bill.  
    • It is India’s first attempt to domestically legislate on the issue of data protection.
    • The government made revisions to this draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019. 
    • Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (JPC) submitted its report on the Bill after two years in December, 2021. 
    • The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC. 
    • However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
    • Now, the government is expected to introduce the Bill in Parliament in the budget session of 2023.
  • Aim: 
    • Regulating online space including separate legislation on data privacy, the overall internet ecosystem, cyber security, telecom regulations, and harnessing non-personal data for boosting innovation in the country.
  • Reason for so many changes:
    • Harm to privacy:
      • Constant interactions with digital devices have led to unprecedented amounts of personal data being generated round the clock by users (data principals). 
      • When coupled with the computational power available today with companies (data fiduciaries), this data can be processed in ways that increasingly impair the autonomy, self-determination, freedom of choice and privacy of the data principal.
    • Inadequate present laws:
      • The current legal framework for privacy enshrined in the Information Technology Rules, 2011 (IT Rules, 2011) is wholly inadequate to combat such harms to data principals, especially since the right to informational privacy has been upheld as a fundamental right by the Supreme Court (K.S. Puttaswamy vs Union of India [2017]). 
      • It is inadequate on four levels; 
        • The extant framework is premised on privacy being a statutory right rather than a fundamental right and does not apply to processing of personal data by the government; 
        • It has a limited understanding of the kinds of data to be protected;
        • It places scant obligations on the data fiduciaries which, moreover, can be overridden by contract 
        • There are only minimal consequences for the data fiduciaries for the breach of these obligations.

Scope of Present Bill

  • The DPDP Bill, 2022 applies to all processing of personal data that is carried out digitally. 
  • This would include both personal data collected online and personal data collected offline but is digitised for processing. 
  • In effect, by being completely inapplicable to data processed manually, this provides for a somewhat lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
  • As far as the territorial application of the law is concerned, the Bill covers processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India. 

Major provisions of the revamped Bill

  • High penalties:
    • Companies dealing in personal data of consumers that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs 200 crore.
      • Penalties are expected to vary on the basis of the nature of non-compliance by data fiduciaries (entities that handle and process personal data of individuals).
    • Companies failing to notify people impacted by a data breach could be fined around Rs 150 crore.
    • Those failing to safeguard children’s personal data could be fined close to Rs 100 crore. 
    • In the previous version of the Bill, withdrawn earlier this year, the penalty proposed on a company for violation of the law was Rs 15 crore or 4 percent of its annual turnover, whichever is higher. 
  • The Data Protection Board
    • It is an adjudicating body proposed to enforce the provisions of the Bill which is likely to be empowered to impose the fine after giving the companies an opportunity of being heard.
  • Personal data
    • The new Bill will only deal with safeguards around personal data and is learnt to have excluded non-personal data from its ambit. 
      • Non-personal data essentially means any data which cannot reveal the identity of an individual. 

Significance of the revamped Bill 

  • Strong safeguards: Fines for data misuse prescribed in the previous version of the Bill were not seen as an effective deterrent. 
    • The higher penalties being proposed now will prompt entities to build strong safeguards to protect data and enforce fiduciary discipline.
  • Companies would face punitive actions in the nature of financial penalties in the event of misuse of data and data breaches.
  • The upcoming data protection Bill will put an end to misuse of customer data with companies facing financial consequences.
  • There will also be a strict or purpose limitation of data collected by companies and the time till which they can store it under the new Bill.
  • Data fiduciaries will be required to stop retaining personal data and delete previously collected data after the initial purpose for which it was collected was fulfilled. 

Way Ahead

  • While protecting the rights of the data principal, data protection laws need to ensure that the compliances for data fiduciaries are not so onerous as to make even legitimate processing impractical. 
  • The challenge lies in finding an adequate balance between the right to privacy of data principles and reasonable exceptions, especially where government processing of personal data is concerned. 
  • Given the rate at which technology evolves, an optimum data protection law design needs to be future proof — it should not be unduly detailed and centred on providing solutions to contemporary concerns while ignoring problems that may emerge going forward. 
  • The law needs to be designed for a framework of rights and remedies that is readily exercisable by data principals given their unequal bargaining power with respect to data fiduciaries.

 

Data Protection Bill, Globally

  • About: 
    • An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy.
    • Africa and Asia showing 61% (33 countries out of 54) and 57% adoption respectively
    • Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
  • EU Model: 
    • The General Data Protection Regulation (GDPR) focuses on a comprehensive data protection law for processing of personal data. 
    • It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data, but it is the template for most of the legislation drafted around the world.
    • In the EU, the right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her right over the data she generates. 
    • The European Charter of Fundamental Rights recognises the right to privacy as well as the right to protection of personal data, and is backed by a comprehensive data protection framework, which applies to processing of personal data by any means, and to processing activities carried out by both the government and private entities. 
    • There are certain exemptions such as national security, defence, public security, etc, but they are clearly defined and seen as exclusions on the periphery.
  • US Model:  
    • Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government. 
    • It is viewed as being somewhat narrow in focus because it enables collection of personal information as long as the individual is informed of such collection and use. The US template has been viewed as inadequate in key respects of regulation.
    • There is no comprehensive set of privacy rights or principles in the US that, like the EU’s GDPR, addresses the use, collection, and disclosure of data. Instead, there is limited sector-specific regulation. 
    • The approach towards data protection is different for the public and private sectors. 
    • The activities and powers of the government vis-a-vis personal information are, however, sufficiently well-defined and addressed by broad legislation such as the Privacy Act, the Electronic Communications Privacy Act, etc.

Source: TH + IE

 
Next article Hwasong-17