Vajram-And-Ravi

What is Digital Personal Data Protection Bill, 2022?

26-08-2023

01:20 PM


What’s in today’s article?

  • Why in news?
  • What is Digital Personal Data Protection Bill, 2022?
  • What are the Key features of the Digital Personal Data Protection Bill, 2022?
  • News Summary: Bill on data protection gets Cabinet approval
  • Changes made in the approved bill (as compared to the draft bill released in November 2022)

 

Why in news?

  • The Union Cabinet approved the draft data protection Bill, paving the way for its introduction in the Monsoon session of Parliament. 
  • If passed, the law will become India’s core data governance framework, six years after the Supreme Court declared privacy as a fundamental right.

 

What is Digital Personal Data Protection Bill, 2022?

  • Background:
    • In November 2022, the Ministry of Electronics and Information Technology introduced a revised Bill for the protection of digital personal data.
    • The bill was titled “The Digital Personal Data Protection Bill, 2022”.
      • This bill replaced the Personal Data Protection Bill, 2019.

Image caption: Previous attempts to bring data protection bill

  • About
    • This bill has been introduced to provide for the processing of digital personal data in a manner that recognizes both: 
      • the right of individuals to protect their personal data and 
      • the need to process personal data for lawful purposes.

 

What are the Key features of the Digital Personal Data Protection Bill, 2022?

  • Applicability
    • The Bill will apply to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised. 
      • Personal data is defined as any data about an individual who is identifiable by or in relation to such data.  
    • It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India.
  • Consent
    • Personal data may be processed only for a lawful purpose for which an individual has given consent.  A notice must be given before seeking consent.
    • Consent may be withdrawn at any point in time.
  • Rights and duties of the data principal (the individual whose data is being processed)
    • The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
    • They will have certain duties.  They must not: 
      • register a false or frivolous complaint, 
      • furnish any false particulars, suppress information, or impersonate another person in specified cases.
  • Obligations of data fiduciaries (the entity determining the purpose and means of processing)
    • Data fiduciaries must: 
      • make reasonable efforts to ensure the accuracy and completeness of data, 
      • build reasonable security safeguards to prevent a data breach and inform the Data Protection Board of India and affected persons in the event of a breach, 
      • cease to retain personal data as soon as the purpose has been met and retention is not necessary for legal or business purposes (storage limitation).
        • The storage limitation requirement will not apply in case of processing by government entities.
  • Transfer of personal data outside India
    • The central government will notify countries where a data fiduciary may transfer personal data.  
    • Transfers will be subject to prescribed terms and conditions.
  • Exemptions
    • The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • Data Protection Board of India
    • The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
    • The central government controls the appointment of members of the Data Protection Board.
  • Penalties
    • The schedule to the Bill specifies penalties for various offences such as:
      • up to Rs 150 crore for non-fulfilment of obligations for children and 
      • up to Rs 250 crore for failure to take security measures to prevent data breaches.  
    • Penalties will be imposed by the Board after conducting an inquiry.

 

News Summary: Bill on data protection gets Cabinet approval

  • The Union Cabinet approved the Digital Personal Data Protection Bill, 2022.
    • The Bill is one of the four proposed legislations in the IT and telecom sectors to provide the framework for the rapidly growing digital ecosystem.
    • The other three proposed legislations are:
      • Digital India Bill — the proposed successor to the Information Technology Act, 2000; 
      • Indian Telecommunication Bill, 2022; and 
      • a policy for non-personal data governance.
  • The 2022 Bill, approved by the Cabinet, has retained the contents of the original version of the legislation proposed last November.

 

Changes made in the approved bill (as compared to the draft bill released in November 2022)

  • One important change in the final version of the Bill relates to how it handles the transfer of data across different countries.
    • It has moved away from a whitelisting approach to a blacklisting mechanism.
      • The bill allows global data flows by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted.
    • The draft, released in November, said the Central government will notify countries or territories where personal data of Indian citizens can be transferred.
  • A provision on “deemed consent” in the previous draft has been reworded to make it stricter for private entities.
  • It, however, allows government departments to assume consent while processing personal data on grounds of national security and public interest.

 


Q1) What is Data Governance?

Data governance refers to the overall management and control of an organization's data assets. It involves establishing policies, procedures, and frameworks to ensure that data is used, stored, and shared in a consistent, secure, and compliant manner throughout the organization. Data governance aims to ensure that data is accurate, reliable, accessible, and protected, and that it is used in accordance with legal, regulatory, and ethical requirements. It involves defining roles, responsibilities, and processes for managing data, as well as establishing standards for data quality, data integration, data security, and data privacy.

 

Q2) Who are called data fiduciaries? 

The term "data fiduciaries" refers to individuals or organizations that are entrusted with the responsibility of managing and safeguarding personal data on behalf of data subjects. The concept of data fiduciaries often arises in the context of data protection and privacy laws.

 


Source: Bill on data protection gets Cabinet approval, to be presented in Parliament | MEITY | PRS India | Bar and Bench | India Today