
India’s Data Protection Law Needs Refinement

26-08-2023

11:46 AM


Why in News?

  • The government is likely to table India’s fresh data protection law in the ongoing monsoon session of Parliament, which is its third recent attempt at drafting a data protection law.
  • As the government may present a Bill that is largely like previous versions, critical gaps may affect its implementation and overall success.

 

The Digital Personal Data Protection Bill, 2022 (DPDP)

  • In November 2022, the Ministry of Electronics and Information Technology introduced a revised Bill for the protection of digital personal data. It replaced the Personal Data Protection Bill, 2019.
  • This bill has been introduced to provide for the processing of digital personal data in a manner that recognizes both: 
    • The right of individuals to protect their personal data and 
    • The need to process personal data for lawful purposes.

 

Key Features of the 2022 Bill

  • Applicability
    • The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. 
    • Personal data is defined as any data about an individual who is identifiable by or in relation to such data.  
    • It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India.
  • Consent
    • Personal data may be processed only for a lawful purpose for which an individual has given consent. 
    • A notice must be given before seeking consent. Consent may be withdrawn at any point in time.
  • Rights and Duties of Data Principal (An individual whose data is being processed)
    • The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
    • They will have certain duties. They must not: 
      • Register a false or frivolous complaint, 
      • Furnish any false particulars, suppress information, or impersonate another person in specified cases.
  • Obligations of Data Fiduciaries (the entity determining the purpose and means of processing)
    • Data fiduciaries must: 
      • make reasonable efforts to ensure the accuracy and completeness of data, 
      • build reasonable security safeguards to prevent a data breach and inform the Data Protection Board of India and affected persons in the event of a breach, 
      • cease to retain personal data as soon as the purpose has been met and retention is not necessary for legal or business purposes (storage limitation).
    • The storage limitation requirement will not apply in case of processing by government entities.
  • Transfer of personal data outside India
    • The central government will notify countries where a data fiduciary may transfer personal data.  
    • Transfers will be subject to prescribed terms and conditions.
  • Exemptions: The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • Data Protection Board of India
    • The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
    • The central government controls the appointment of members of the Data Protection Board.
  • Penalties
    • The schedule to the Bill specifies penalties for various offences such as:
      • up to Rs 150 crore for non-fulfilment of obligations for children and 
      • up to Rs 250 crore for failure to take security measures to prevent data breaches.  
    • Penalties will be imposed by the Board after conducting an inquiry.

 

Issues around the 2022 Bill

  • Exclusion of Non-Personal Data from Protection
    • In its scope and definition, the DPDP Bill only protects personal data.
    • In the modern data economy, entities use various types of data, including both personal and non-personal data to target, profile, predict, and monitor users (non-personal data is typically anonymous data that does not relate to a particular individual).
    • For example, aggregate data on the products that numerous users look at on Amazon is non-personal data.
  • Very Limited in its Scope and Effect in Providing Meaningful Privacy
    • Often, this non-personal data when combined with other datasets can help identify individuals, and in this way become personal data, impacting user privacy.
    • Such risks were accounted for in previous versions of India’s draft data protection Bill, in 2018 and 2019, but do not find a place in the latest draft.
    • By not recognising these risks, the DPDP Bill is very limited in its scope and effect in providing meaningful privacy to Indians.
  • Limited Reach of Data Protection Board
    • Under the Bill, the board is the authority that is entrusted with enforcing the law.
    • The board can only institute a proceeding for adjudication if someone affected makes a complaint to it, or the government or a court directs it to do so.
    • The only exception to this rule is that the board can act on its own to enforce certain duties listed by the Bill for users.
    • This exception covers the adjudication of disputes between the law and users (for example, the obligation on users not to register a false or frivolous complaint with the board), not disputes between users and data-processing entities.

 

Suggestions to Make the 2022 Bill a Future-Proof Legislation

  • Introduction of a Penal Provision: A penal provision in the Bill that imposes financial penalties on data-processing entities for the re-identification of non-personal data into personal data will be an effective way to provide citizens with meaningful legislation.
  • Empowerment of Data Protection Board on the Lines of CCI
    • The Competition Commission of India, which is responsible for the enforcement of India’s antitrust law, has the power to initiate inquiries on its own (and utilises it frequently).
    • An individual may have few resources or little incentive to approach the data protection board.
    • Therefore, like CCI, the data protection board should be empowered to initiate complaints on its own.
  • Learn From EU’s Legislation on Data Protection
    • The EU’s General Data Protection Regulation (GDPR) enacted in 2018 was arguably the most comprehensive data privacy law in the world. However, the GDPR has been saddled with challenges of implementation.
    • Although the EU’s challenges may be due to its unique legal structure, India must guard against the risks of enacting a law that is toothless in effect. 

 

Conclusion

  • The constitutionally protected right to privacy of individuals, and their right to autonomy, is made vulnerable when their personal/non-personal data is not protected.
  • Securing digital rights through legislative action is pertinent given the increasing adoption of technological solutions in India by the state and by private entities.
  • The DPDP Bill 2022 largely covers all issues and has some shortcomings as well. The government must take all suggestions into consideration and make it a future-proof, meaningful legislation.

 

 

 


Q1) What are some changes made to the Data Protection Bill?

One important change in the final version of the Bill relates to how it handles the transfer of data across different countries. It has moved away from a whitelisting approach, to a blacklisting mechanism. The bill allows global data flows by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted. The draft, released in November, said the Central government will notify countries or territories where personal data of Indian citizens can be transferred. A provision on “deemed consent” in the previous draft has been reworded to make it stricter for private entities. 

 

Q2) How will the new law on data protection affect the RTI Act?

In the version of the Digital Personal Data Protection Bill cleared for introduction in Parliament, there exists a section that would eliminate the majority of Section 8(1)(j) of the 2005 law. According to that section, personal information cannot be disclosed under the RTI Act “which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information”. The data Bill would remove all these caveats, prohibiting government agencies from sharing private information of any kind, regardless of the public interest it may entail.

 


Source: The Hindu