What India’s Draft Digital Privacy Law Says — And How It Compares With Data Protection Laws Elsewhere
26-08-2023
Why in News?
- The new Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) was recently opened for public comments by the Union Ministry of Electronics and IT (MeitY), three months after it withdrew the earlier draft.
Background
- The latest DPDP Bill, 2022 is the fourth iteration of a data protection law in India.
- First draft: The Personal Data Protection Bill, 2018, was proposed by the Justice Srikrishna Committee, set up by MeitY with the mandate of setting out a data protection law for India.
- Second draft: The government made revisions to the earlier draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019. It was then referred to a joint parliamentary committee (JPC).
- Owing to delays caused by the Covid-19 pandemic, the JPC submitted its report on the PDP Bill, 2019 two years later, in December 2021.
- Third draft: The JPC report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC.
- Final draft: However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the 2019 PDP Bill and recently came up with the latest draft, the DPDP Bill, 2022.
Why are multiple revisions of the bill needed?
- For protecting rights of the users: Constant interactions with digital devices have led to unprecedented amounts of personal data being generated round the clock by users (data principals).
- When coupled with the computational power available today with companies (data fiduciaries), this data can be processed in ways that increasingly impair the autonomy, self-determination, freedom of choice and privacy of the data principal.
- To frame a holistic law: Hence, the DPDP Bill, 2022 seeks to establish a comprehensive legal framework governing digital personal data protection in India, recognizing both the:
- Rights of Data principals to protect their personal data by a strict user-consent regime for data processing
- Duties/obligations of the Data Fiduciary (consumer internet and social-media companies) to process and use collected data lawfully.
- To make the law in line with the apex court judgment: The right to informational privacy has been upheld as a fundamental right by the Supreme Court (S. Puttaswamy vs Union of India) in 2017 and the DPDP Bill, 2022 seeks to incorporate it.
Salient provisions of the DPDP Bill, 2022
- Scope: It applies to all processing of personal data that is carried out digitally, i.e., both personal data collected online and personal data collected offline but digitised for processing.
- Territorial application: The Bill covers processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India.
- It seems to exclude data processing by Indian data fiduciaries that collect and process personal data outside India, of data principals who are not located in India.
- Cross-border data transfer: The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.”
- However, an assessment of relevant factors by the Central Government would precede such a notification.
- Data Protection Board (DPB): The draft bill incorporates the DPB that will act as the adjudicating body to enforce the provisions of the Bill.
- It will be independent and will have a purely adjudicatory mechanism to decide on the issue of data breaches.
- It carries the same rank as a civil court and its decisions can be appealed in a High Court.
- Data Protection Officer and independent data auditor: They will be appointed by businesses of “significant” size (based on the volume of data they process), to evaluate compliance with provisions of the law.
- Right to correction/erasure: Users will have the right to have their personal data in the custody of enterprises corrected and erased.
- Duties of data fiduciaries: Companies will not be obligated to keep user data that no longer serves a business purpose and should not process personal data that could harm minors (less than 18 years of age).
- Promoting start-up ecosystem: The government may also exclude certain enterprises from the Bill’s restrictions based on the volume of users and personal data they handle.
- Exemptions: The Central government has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of sovereignty, integrity and security of India, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence etc.
- Penalties: The draft DPDP Bill 2022 focuses more on financial penalties than on criminal conviction. For example, companies can be fined between Rs 50 – 500 crores for data breaches and non-compliance.
- For users: a consumer who submits false documents for an online service or makes bogus grievance complaints may face a fine of Rs 10,000.
- Right to post mortem privacy: The draft DPDP Bill 2022 recognises the right to post mortem privacy, which was missing from the earlier bill. It would allow the data principal to nominate another individual in case of death or incapacity.
- Incorporates “deemed consent”: Deemed consent refers to consenting to voluntarily provide data that may be used for purposes other than what it was initially collected for.
- The PDP Bill 2019 stated that personal data can be processed for the purpose consented to by the data principal.
- The DPDP Bill, 2022, on the other hand, states that personal data can be processed for "lawful purposes" or for which processing could be performed on the basis of "deemed permission."
Significant principles of the DPDP Bill 2022
- Usage of personal data by organisations must be done for the purposes for which it was collected and in a manner that is lawful, fair and transparent to the individuals concerned.
- Data minimization, i.e., a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.
- Emphasis on data accuracy when it comes to collection.
- The storage of personal data should be limited to a fixed duration.
- Reasonable safeguards to ensure there is no unauthorised collection or processing of personal data.
- The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
Concerns
- Wide-ranging exemptions: The central government can issue notifications to exempt its agencies from adhering to provisions of the draft law for national security and public interest reasons.
- Dilution of Data Protection Board: While the Data Protection Authority was earlier envisaged to be a statutory authority (under the 2019 Bill), the new draft leaves the appointment of the chairperson and members of the DPB entirely to the discretion of the central government.
- No compensation: While the bill proposes heavy penalties for non-compliance, the victim can’t seek monetary compensation of any form, in case of a data breach.
- Non-application to manual data processing: By being completely inapplicable to data processed manually, the bill provides a lower degree of protection, as the earlier drafts excluded only manual processing by “small entities” specifically, not manual processing in general.
- Issue with deemed consent: The 'deemed consent' provision may allow anyone to gather data with a 'take it or leave it' attitude, which goes against the letter and spirit of Puttaswamy's privacy judgment.
Data privacy laws in other countries
- An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy.
- For example, Africa and Asia show 61% (33 countries out of 54) and 57% adoption respectively, according to data from the United Nations Conference on Trade and Development (UNCTAD).
- Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
EU model
- In the EU, the right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her right over the data she generates.
- The General Data Protection Regulation (GDPR) focuses on a comprehensive data protection law for processing of personal data.
- It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data.
USA model
- In the USA, privacy protection is largely defined as “liberty protection”, focused on protecting the individual’s personal space from the government.
- However, there is no comprehensive set of privacy rights or principles in the US that, like the EU’s GDPR, addresses the use, collection, and disclosure of data.
- Instead, there is limited sector-specific regulation and a varied approach to data protection across the public and private sectors.
China model
- Personal Information Protection Law (PIPL): It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.
- Data Security Law (DSL): It requires business data to be categorized by levels of importance, its relevance to national security and the public interest and puts new restrictions on cross-border transfers.