DATA PROTECTION BILL – POLITY

DATA PROTECTION BILL – POLITY

News: Data Protection Bill approved by Cabinet: Content, concerns

What's in the news?

●       Nearly six years after the Supreme Court held privacy to be a fundamental right, the Centre has made a second attempt at framing legislation for protection of data.

Key takeaways:

●       The Digital Personal Data Protection Bill, 2022, a draft of which was floated in November, is expected to be tabled in Parliament’s Monsoon Session.

●       While the contents of the Bill will remain confidential until it is brought to Parliament, some of the most contentious issues flagged by experts in the November draft have been retained.

●       These include the wide-ranging exemptions to the Centre and its agencies, and diluting the role of the data protection board.

Key changes in the Bill:

1. Blacklisting mechanism:

●       A key change in the final draft is learnt to have been made in the way it deals with cross-border data flows to international jurisdictions — moving from a ‘whitelisting’ approach to a ‘blacklisting’ mechanism.

●       The proposed law could allow global data flows by default to all jurisdictions other than a specified ‘negative list’ of countries, essentially an official blacklist of countries where transfers would be prohibited.

2. Whitelist countries:

●       The draft that was released for public consultation in November said the central government will notify countries or territories where personal data of Indian citizens can be transferred — that is, a ‘whitelist’ of jurisdictions where data transfers would be allowed.

3. Deemed consent:

●       A provision on “deemed consent” in the previous draft could also be reworded to make it stricter for private entities, while allowing government departments to assume consent while processing personal data on grounds of national security and public interest.

Global Data Protection Laws:

●       The Bill, once it becomes law, will play a crucial role in India’s trade negotiations with other nations, and especially regions like the European Union, whose General Data Protection Rules (GDPR) are among the world’s most exhaustive privacy laws.

Significance of the Digital Data Protection Bill:

1. Technology regulations:

●       The Digital Personal Data Protection Bill, 2022, is a crucial pillar of the overarching framework of technology regulations the Centre is building, which also includes the Digital India Bill — the proposed successor to the Information Technology Act, 2000, the draft Indian Telecommunication Bill, 2022, and a policy for non-personal data governance.

2. Updated from the earlier version:

●       Last August, the government withdrew from Parliament an earlier version of the data protection Bill that had been almost four years in the making, after it had gone through multiple iterations and a review by a Joint Committee of Parliament, and faced pushback from a range of stakeholders including tech companies and privacy activists.

3. Data processing:

●       The proposed law will apply to processing of digital personal data within India; and to data processing outside the country if it is done for offering goods or services, or for profiling individuals in India.

4. Security and accuracy of the data:

●       It requires entities that collect personal data called data fiduciaries to maintain the accuracy of data, keep data secure, and delete data once their purpose has been met.

5. Data Protection Board:

●       The Bill is expected to allow “voluntary undertaking” meaning that entities violating its provisions can bring it up with the data protection board, which can decide to bar proceedings against the entity by accepting settlement fees.

●       Repeat offences of the same nature could attract higher financial penalties, the official said.

6. Strict Penalties:

●       The highest penalty to be levied for failing to prevent a data breach has been prescribed at Rs 250 crore per instance.

●       The definition of “per instance” is subjective and could mean either a single instance of a data breach, or account for the number of people impacted, and multiply it by Rs 250 crore.

●       All of this is, however, open to interpretation by the data protection board on a case-by-case basis.

Concerns around the Draft Bill:

1. Affects privacy:

●       The Bill approved by the Cabinet is understood to have largely retained the contents of the original version that was proposed in November 2022.

●       This is especially true of some of the proposals that privacy experts had flagged earlier.

2. Exceptions to central government and its agencies:

●       Wide-ranging exemptions for the central government and its agencies, which were among the most criticized provisions of the previous draft, are understood to have been retained unchanged.

●       The Bill is learnt to have prescribed that the central government can exempt “any instrumentality of the state” from adhering to the provisions on account of national security, relations with foreign governments, and maintenance of public order among other things.

3. Appointment of members:

●       The control of the central government in appointing members of the data protection board — an adjudicatory body that will deal with privacy-related grievances and disputes between two parties — is learnt to have been retained as well.

●       The chief executive of the board will be appointed by the central government, which will also determine the terms and conditions of their service.

4. Dilution of RTI Act:

●       There is also concern that the law could dilute the Right to Information (RTI) Act, as personal data of government functionaries is likely to be protected under it, making it difficult to be shared with RTI applicants.