New Data Protection Bill protects privacy, simplifies matters for small players
Context- The Union Government has released a revised personal data protection bill, now called the Digital Personal Data Protection Bill, 2022. The Bill has been introduced 3 months after the withdrawal of the Personal Data Protection Bill, 2019.
In 2017, the Supreme Court, in Justice K. S. Puttaswamy Vs Union of India, unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21. In August 2017, the Government appointed a committee of experts on data protection under the chairmanship of Justice B N Srikrishna, which submitted its report in July 2018 along with a draft Data Protection Bill.
What are the provisions in the bill?
- Data Principal refers to the individual whose data is being collected. In the case of children (<18 years), their parents/lawful guardians will be considered their “Data Principals”.
- Data Fiduciary is the entity (individual, company, firm, state, etc.) which decides the “purpose and means of the processing of an individual’s personal data”.
- Data Protection Board will act as the adjudicating body to enforce the provisions of the Bill.
- A Data Protection Officer and an independent data auditor will be appointed by businesses of “significant” size (based on the amount of data they process), to monitor compliance with the law.
- The new Bill relaxes data localisation rules and permits data to flow to certain global destinations, based on their data security landscape.
- Users will have the right to have their personal data in the custody of enterprises corrected and erased.
- Companies will not be obligated to keep user data that no longer serves a business purpose.
- Companies should not process personal data that could harm minors (less than 18 years of age).
- To promote the start-up ecosystem, the government may also exclude certain enterprises from the Bill’s restrictions based on the volume of users and personal data handling.
- The Central government has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of:
  - Sovereignty and integrity of India,
  - Security of the state,
  - Friendly relations with foreign states,
  - Maintenance of public order or preventing incitement to any cognisable offence.
- On penalties, the focus is more on financial penalties than on criminal conviction, i.e. between Rs 50 – 500 crore for data breaches and non-compliance.
What are the concerns regarding the bill?
- Missing Rights for Data Principals: The Bill misses out on two main rights for Data Principals:
  (a) Right of data portability: It would have allowed the data principal to receive their personal data (that they had provided to the data fiduciary and the data generated by the fiduciary through processing) in a structured format.
  (b) Right to be forgotten: It would have allowed the data principal to ask the data fiduciary to stop the continuing disclosure of their personal data.
- The Bill is focussed on personal data and excludes non-personal data, which was a demand by the industry and civil society alike.
- Government Control: While the Data Protection Authority was earlier envisaged to be a statutory authority (under the 2019 Bill), the Data Protection Board is now a Board set up by the Union Government. The Government will have a say in the composition of the board, terms of service, etc.
- Data Localisation: The draft law does not require local storage of data. Unlike previous versions, it does not ask businesses to store certain sensitive and critical data exclusively in India or to mirror a copy of such data on Indian servers.
- No Criminal Liability: The DPD Bill has done away with criminal liabilities, as well as penalties that are directly linked to the turnover or revenue of an erring Data Fiduciary.
- Data of Children: The Bill requires parental consent for those less than 18 years of age. Requiring consent from parents would hamper the autonomous development of children, since parents may not want them to be exposed to viewpoints contradictory to their own.
- Government bodies can be exempted from the application of the law in the interests of India’s sovereignty and integrity, security, foreign relations, public order and others. There is no bar on how long government agencies can retain data.
- The previous versions required considerable information to be provided to the data principal, covering the rights of data principals, the grievance redressal mechanism, the retention period of information, the source of information collected, etc. The current Draft reduces the scope of this information to the personal data sought to be collected and the purpose of processing the data.
Way Forward- The Government can consider addressing criticisms of the Bill to develop a comprehensive, modern architecture governing the personal data of Indians.
Syllabus- GS-2; Fundamental Rights; Right to Privacy