DIGITAL PERSONAL DATA PROTECTION BILL – IT
News:
New Digital Personal Data Protection Bill in Monsoon Session
What's in the news?
● The Union Govt informed the Supreme Court that a new law, namely, the Digital Personal Data Protection Bill, 2022 endeavouring to enforce individual privacy in online space was “ready”.
Principles of Digital Personal Data Protection Bill:
1. First Principle: Usage of personal data by organizations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.
2. Second Principle: It states that personal data must only be used for the purposes for which it was collected.
3. Third Principle: It talks of data minimization.
4. Fourth Principle: It puts an emphasis on data accuracy when it comes to collection.
5. Fifth Principle: It talks of how personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration.
6. Sixth Principle: It notes that there should be reasonable safeguards to ensure there is “no unauthorized collection or processing of personal data.”
7. Seventh Principle: It says that the person who decides the purpose and means of the processing of personal data should be accountable for such processing.
Key features of Digital Personal Data Protection Bill:
1. Data Principal:
● Data Principal refers to the individual whose data is being collected.
● In the case of children (<18 years), their parents/lawful guardians will be considered their “Data Principals”.
2. Data Fiduciary:
● A Data Fiduciary is the entity (individual, company, firm, state, etc.), which decides the “purpose and means of the processing of an individual’s personal data”.
3. Significant Data Fiduciary:
● Significant Data Fiduciaries are those who deal with a high volume of personal data.
● The Central government will define who is designated under this category based on a number of factors.
4. Personal Data:
● Personal Data is “any data by which an individual can be identified”.
● Processing means “the entire cycle of operations that can be carried out in respect of personal data”.
5. Data protection officer and Data Auditor:
● Such entities will have to appoint a ‘Data protection officer’ and an independent Data Auditor.
6. The Data Protection Board:
● It is an adjudicating body proposed to enforce the provisions of the Bill and impose the fine after giving the companies an opportunity of being heard.
7. Cross-border data transfer:
● The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.”
● However, an assessment of relevant factors by the Central Government would precede such a notification.
8. Language of information:
● The bill also ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
● Further, the notice of data collection needs to be in clear and easy-to-understand language.
9. Individual’s informed consent:
● The bill also makes it clear that individuals need to give consent before their data is processed.
● Every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.
● Individuals also have the right to withdraw consent from a Data Fiduciary.
● Data principals will also have the right to nominate an individual who will exercise these rights in the event of their death or incapacity.
10. Financial penalties:
● The draft also proposes to impose significant penalties on businesses that undergo data breaches or fail to notify users when breaches happen.
● Entities that fail to take “reasonable security safeguards” to prevent personal data breaches will be fined as high as Rs 250 crore.
● As per the draft, the Data Protection Board, a new regulatory body to be set up by the government, can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant.
11. Exemptions:
● The government can exempt certain businesses from adhering to provisions of the bill on the basis of the number of users and the volume of personal data processed by the entity.
● This has been done keeping in mind startups of the country who had complained that the Personal Data Protection Bill, 2019 was too “compliance intensive”.
Significance of the bill:
1. Strong safeguards:
● Fines for data misuse prescribed in the previous version of the Bill were not seen as an effective deterrent.
● The higher penalties being proposed now will prompt entities to build strong safeguards to protect data and enforce fiduciary discipline.
2. Strengthening of individual privacy:
● The upcoming data protection Bill will put an end to misuse of customer data with companies facing financial consequences.
3. Cross border data transfer:
● In contrast to the contentious necessity of local storage of data within India’s territory in the previous Bill, the new Bill makes major allowances for cross-border data transfers.
● It offers a relatively soft stand on data localization requirements and permits data transfer to select global destinations, which is likely to foster country-to-country trade agreements.
4. Incentive to Start-ups:
● Government could exempt certain businesses from adhering to provisions of the Bill on the basis of the number of users and the volume of personal data processed by the entity.
5. Right to Postmortem privacy:
● The bill recognizes the data principal's right to postmortem privacy (Withdraw Consent) which was missing from the PDP Bill, 2019 but had been recommended by the Joint Parliamentary Committee (JPC).
6. Basic information in vernacular languages:
● It ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
Concerns:
1. Exemption provisions:
● The government has been given the power to exempt not only government agencies but any entity that is collecting user data, from having to comply with the provisions of this bill when it is signed into law.
2. Government Control:
● The regulator is now a Data Protection Board, with its role limited to enforcement and penalties. The other aspects of implementing the law are left entirely up to the Union government (which it will do through rules) and not the specialized regulator.
3. Reduced Information Requirement:
● The previous versions required considerable information in terms of the rights of the data principals, grievance redressal mechanism, retention period of information, source of information collected, etc. to be provided for the data principal.
● The current Draft reduces the scope of this information to the personal data sought to be collected and the purpose of processing the data.
4. Data of Children:
● The Bill requires parental consent for those under 18 years of age. Parental consent would be required every time they want to access the internet. Some experts have criticized this as follows.
a. The Bill fails to recognize that consent of a toddler is different from that of an adolescent. It limits their evolving capacity.
b. It might hamper their access to the internet.
● Such restrictions are in violation of India’s obligations under the Convention on Rights of the Child.
WAY FORWARD:
1. Avoiding delegated legislation:
● More provisions should be covered through the legislation rather than leaving it to the rule-making by the Government (Executive).
2. Future proof laws:
● Given the rate at which technology evolves, an optimum data protection law design needs to be future proof - it should not be unduly detailed and centered on providing solutions to contemporary concerns while ignoring problems that may emerge going forward.
3. Balanced approach:
● The challenge lies in finding an adequate balance between the right to privacy of data principals and reasonable exceptions, especially where government processing of personal data is concerned.
4. Infrastructure development:
● Adequate infrastructure in terms of energy, real estate, and internet connectivity also needs to be made available for India to become a global hub for data centers.