Digital Personal Data Protection Bill 2023

What’s in today’s article?

• Why in News?
• Need for Digital Personal Data Protection Bill, 2023
• Key Features of Digital Personal Data Protection Bill, 2023
• Significance of Digital Personal Data Protection Bill, 2023
• What are the Concerns w.r.t. the Digital Personal Data Protection Bill, 2023?
• How do Other Countries Regulate Data Privacy?
• Conclusion

Why in News?

• The Lok Sabha allowed the introduction of the long-awaited Digital Personal Data Protection Bill, 2023.
• The Bill seeks to provide for the protection of personal data and the privacy of individuals.
• The Members of Parliament from opposition parties objected to the introduction of the proposed law and called for it to be referred to a Parliamentary committee.

Need for Digital Personal Data Protection Bill, 2023

• Personal data is defined as any data about an individual who is identifiable by or in relation to such data.
• Ministry of Electronics and Information Technology has been deliberating on various aspects of digital personal data and its protection, and has formulated a draft Bill, titled ‘The Digital Personal Data Protection Bill, 2023’.
• The purpose of the draft Bill is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
• The Bill is important because it provides guidance and best practice rules for organisations and the government to follow on how to use personal data including – regulating the processing of personal data.
• The Bill frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand.

Key Features of Digital Personal Data Protection Bill, 2023

• Applicability –
  • The Bill will apply to the processing of digital personal data within India.
  • It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India.
• Consent –
  • Personal data may be processed only for a lawful purpose for which an individual has given consent. 
  • A notice must be given before seeking consent. 
  • Notice should contain details about the personal data to be collected and the purpose of processing.  Consent may be withdrawn at any point in time.
  • For individuals below 18 years of age, consent will be provided by the legal guardian.
• Rights and Duties of Data Principal –
  • An individual, whose data is being processed (data principal), will have the right to
    • obtain information about processing,
    • seek correction and erasure of personal data,
    • nominate another person to exercise rights in the event of death or incapacity
• Transfer of Personal Data outside India –
  • The central government will notify countries where a data fiduciary may transfer personal data. 
  • Transfers will be subject to prescribed terms and conditions.
• Exemptions –
  • Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases.  These include
    • prevention and investigation of offences, and
    • enforcement of legal rights or claims.
  • The central government may, by notification, exempt certain activities from the application of the Bill.  These include
    • processing by government entities in the interest of the security of the state and public order, and
    • research, archiving, or statistical purposes.
• Data Protection Board of India –
  • The central government will establish the Data Protection Board of India.
  • Key functions of the Board include
    • monitoring compliance and imposing penalties,
    • directing data fiduciaries to take necessary measures in the event of a data breach, and
    • hearing grievances made by affected persons.
• Penalties –
  • The schedule to the Bill specifies penalties for various offences such as up to
    • Rs 200 crore for non-fulfilment of obligations for children, and
    • Rs 250 crore for failure to take security measures to prevent data breaches

Significance of Digital Personal Data Protection Bill, 2023

• The Digital Personal Data Protection Bill 2023 will be able to keep the personal data of a user safe, and give them more liberty on how to port their personal data.
• Big corporations and consumers will be charged a hefty fine if they fail to do so and don’t follow the norms listed in the bill.
• The bill aims to make entities like internet companies, mobile apps, and business houses more accountable and answerable about collection, storage and processing of the data of citizens as part of "Right to Privacy".
• Once approved, several entities, both public and private, will need to seek consent from users to collect and process their data.
• This means that the right to privacy of each consumer will be valued more, and their data will be more safeguarded than before.

What are the Concerns w.r.t. the Digital Personal Data Protection Bill, 2023?

• Some of the most contentious issues include –
  • Wide-ranging exemptions to the government and its agencies,
  • Dilution of powers of the data protection board,
  • Amendment to the Right to Information Act, 2005.
• The concerns around diluting the RTI Act emanate from the fact that the Bill has a provision to amend the Act that would prohibit sharing of details linked to personal information of government officials.
  • Currently, the exemption only applies when such information does not serve larger public interest. However, the Bill proposes to remove the public interest caveat.
• Also, the Bill overrides Section 43A of the Information Technology Act, 2000 which requires companies which mishandle user data to compensate users.
  • Government sources said this was because “compensation is a judicial process”, while ex-gratia payments were at the discretion of the governments, and that legally compensation would have to be awarded through civil law.

How do Other Countries Regulate Data Privacy?

• About 70% of countries worldwide have some form of legislation for data protection, according to the United Nations trade agency UNCTAD.
• The EU's General Data Protection Regulation, which came into effect in 2018, is claimed to be the "toughest privacy and security law in the world," and seen as the global benchmark.
• Several nations including China and Vietnam have recently tightened laws governing the transfer of personal data overseas.
• Australia in 2018 passed a bill that gave police access to encrypted data.

Conclusion

• The Digital Personal Data Protection Bill, 2023 extends substantial rights to individuals and provides them with better visibility, awareness, decisional autonomy and control over their data.
• It also obligates companies to comply with the rights of the individuals and provide effective redressal mechanisms linked with significant penalties.
• The Bill also provides for a legislative backing to the Supreme Court’s landmark judgement in Justice K. S. Puttaswamy (Retd) Vs Union of India Case (2017).
  • A nine-judge bench of the Supreme Court unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21.

Q1) What is Right to Privacy in simple words?

Legally, the right of privacy is a basic law which includes: The right of persons to be free from unwarranted publicity. Unwarranted appropriation of one's personality. Publicising one's private affairs without a legitimate public concern.

Q2)  What is an Internet Intermediary?

Internet intermediaries provide the Internet's basic infrastructure and platforms by enabling communication and transactions between third parties. Examples of internet intermediaries are: Network operators, such as BSNL, Airtel and VI.

Source: India data protection bill: What's the concern? | PRS