Data Protection Bill: Govt plans to ease norms for cross-border flow of data

Table of Contents☰

What’s in today’s article?

Why in News?
What is the Digital Personal Data Protection Bill 2022?
News Summary Regarding the Changes to the Bill under Consideration

Why in News?

The government is considering some changes to the draft Digital Personal Data Protection Bill 2022.
These could include allowing global data flows by default to all jurisdictions other than a specified negative list of countries, a provision on “deemed consent”, etc.

What is the Digital Personal Data Protection Bill 2022?

Background:
- The Original bill (2019) was prepared by retired SC Justice B N Srikrishna, to provide for protection of personal data of individuals and establish a Data Protection Authority.
- The revised draft (2022) was released after the government withdrew an earlier version that sparked outrage from Big Tech and civil society.
- The Bill is a key pillar of an overarching framework of technology regulations the Centre is building which also includes –
  - The Digital India Bill – the proposed successor to the IT Act 2000;
  - Indian Telecommunication Bill 2022; and
  - A policy for non-personal data governance.
Salient provisions in the new draft:

Image Caption: Salient provisions of the Data Protection Bill 2022

It provides for the purpose, specified grounds and limitations for collecting and processing of personal data.
A Data Protection Board as the adjudicating body to enforce the provisions of the Bill. Also, a Data Protection Officer and an independent data auditor to evaluate compliance with provisions of the law.
Offers significant concessions on cross-border data flows.
- The Centre will notify regions, based on their data security landscape, to which data of Indians can be transferred.
- The previous Bill required businesses to keep a copy of some “sensitive personal data” within India and prohibits the export of undefined “critical” personal data from the country.
- It was one of the most serious issues raised by IT corporations.
- The new Bill takes a softer stance on data localisation rules and allows data flow to specific worldwide destinations based on predetermined evaluations.
Companies will no longer be required to retain user data, which no longer serves its business purpose.
Users will have the right to have their personal data in the custody of enterprises corrected and erased.
Companies should not process personal data that is “likely to cause harm” to children (less than 18 years of age) and cannot run targeted advertising on children.
National security-related exemptions: The Centre has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of –
- Sovereignty and integrity of India,
- Security of the state,
- Friendly relations with foreign states,
- Maintenance of public order or preventing incitement to any cognisable offence.
Keeping in mind the start-up ecosystem of the country, the government could also exempt certain businesses from adhering to provisions of the Bill on the basis of volume of users and personal data processed.
- Penalties for companies: Ranging from Rs 50 crore to Rs 500 crore for data breaches and noncompliance.
- Penalties for users: A customer who provides fraudulent documentation for an online service or files frivolous grievance complaints may be penalised up to Rs 10,000.
Concerns:
- Wide-ranging, excessively vague exemptions to the state agencies: This may not qualify the test of ‘necessity’ and ‘proportionality’ as laid down in the landmark right to privacy (KS Puttaswamy) judgement of 2017
- Reduced independence of a proposed regulator: The appointment of the chairperson and members of the proposed Data Protection Board is completely left to the discretion of the central government.
  - This is unlike the Data Protection Authority (under the 2019 Bill), which was envisaged to be a statutory authority.

News Summary Regarding the Changes to the Bill under Consideration:

After receiving input from a variety of stakeholders, the proposed data protection Bill changes are currently being considered.
The current provision on cross-border data flows is likely to be amended with the Bill allowing cross-border data flows to all geographies with an official blacklist of countries where transfers would be restricted.
This change is seen as a move to ensure business continuity for enterprises and to place India as a crucial part of the global data transfer network – an important element of trade negotiations the country is currently exploring with the EU, etc.
- One concern has been unchecked data transfers to China.
- Recently, apps and websites believed to transfer data to China have been blocked and scrutiny has stepped up (changes in FDI policy) over funds coming into India from Chinese entities.
- This called for prior approval of the government for FDI by any entity based in any country (earlier Pakistan or Bangladesh) sharing a border with India.
Private entities may be excluded from ‘deemed consent’ provisions which allow for personal data processing for certain purposes without requiring fresh consent.
- Under the original draft, if a user has voluntarily shared her data with an entity for a certain purpose, that entity can assume her consent for other adjacent purposes.

Q1) How the Digital Personal Data Protection Bill 2022 regulates cross-border data flows?

The previous Bill (original draft) required businesses to keep a copy of some “sensitive personal data” within India and prohibits the export of undefined “critical” personal data. The new draft takes a softer stance on data localisation rules and allows data flow to specific worldwide destinations based on predetermined evaluations.

Under the original draft, if a user has voluntarily shared her data with an entity for a certain purpose, that entity can assume her consent for other adjacent purposes