Data protection Bill passed in Rajya Sabha: What it says about privacy, Centre’s powers

Data protection Bill passed in Rajya Sabha: What it says about privacy, Centre’s powers

Context- Recently, The President gave her assent to the Digital Data Protection Bill 2023.

This is India’s second attempt at framing a privacy legislation, and comes after at least three previous iterations of a data protection law have been considered, and shelved, by the government.

(Credits- Indian Express)

Concerns around the Bill

  • According to the Bill, the central government will have the right to exempt “any instrumentality of the state” from adverse consequences citing national security, relations with foreign governments, and maintenance of public order, among other things.
  • The Bill also states that if an entity is penalised on more than two instances, the central government– after hearing the entity – can decide to block their platform in the country. This is a new addition to the measure, which was not present in the 2022 draft.
  • Experts have said that the proposal could add to the pre-existing online censorship regime already administered under Section 69 (A) of the Information Technology Act, 2000. The highest prescribed penalty has been capped at Rs 250 crore for not having enough safeguards against data breaches.
  • There is also concern that the law could dilute the Right to Information (RTI) Act, as personal data of government functionaries is likely to be protected under it, making it difficult to be shared with an RTI applicant.
  • The control of the Centre in appointing members of the Data Protection Board – an adjudicatory body that will deal with privacy-related grievances and disputes between two parties – is learnt to have been retained as well. The Chief Executive of the board will be appointed by the central government, which will also determine the terms and conditions of their service.
  • The decisions taken by the data protection board can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which is led by a judicial member.
  • The Bill, while laying down consent norms for entities’ collecting personal data of individuals, also allows for a leeway for certain “legitimate uses,” both by the government itself, and private entities.
  • As per the final version, the Centre can process data of citizens without expressly seeking their consent for national security reasons and to offer other services such as subsidies, benefits, certificates, licence or permit.
  • Private companies have been afforded the privilege to deal with employment-related matters, including corporate espionage.

Relief for industry on some counts

  • It has also addressed two key long-standing demands of the industry – by allowing relaxations around the age of consent for children, and by significantly easing cross-border data flows
  • One of the key flailings of earlier iterations was that they were seen as too compliance-intensive by the industry, especially smaller businesses. However, with this Bill, the government’s objective has been to balance privacy and innovation.
  • The Bill gives powers to the central government to prescribe a lower age of consent than 18 years for accessing Internet services without parental consent if the platform they are using can process their data in a “verifiably safe manner”. This would essentially mean a white-listing approach for companies in the edtech sector, and for medical purposes, among other things.
  • The Centre has proposed to significantly ease cross-border data flows to international jurisdictions – by moving away from a whitelisting approach to a blacklisting mechanism.
  • The government could notify entities as “significant data fiduciaries,” after considering factors such as the volume of personal data they possess, the risks they could pose to electoral democracy, and their impact on national security and public order, among other things.
  • Social media platforms like Facebook, YouTube and WhatsApp are likely to be clubbed under this category. These entities are required to appoint a data protection officer for grievance redressal and carry out periodic data protection impact assessments.
  • The proposed law will apply to processing of digital personal data within India; and to data processing outside the country if it is done for offering goods or services, or for profiling individuals in India.
  • It requires entities that collect personal data — called data fiduciaries — to maintain the accuracy of data, keep data secure, and delete data once their purpose has been met.

Conclusion- The Bill has retained the contents of the original version of the legislation proposed last November, including those that were red-flagged by privacy experts, such as exemptions for the Centre. Bill tries to maintain a fine balance between privacy and compliance so as to not stifle innovation.

Syllabus- GS-2; Fundamental Rights

Source- Indian Express