Context: The Digital Personal Data Protection Bill, 2022, a draft of which was floated in November, is expected to be tabled in Parliament’s Monsoon Session that begins on July 20. The Union Cabinet approved the draft Bill on Wednesday.
Data protection is the process of securing digital information while keeping data usable for business purposes without trading customer or end-user privacy.
- Data protection is becoming more intricate as the number of devices to monitor and protect expands. Today, it includes IoT devices and sensors, industrial machines, robotics, wearables and more.
- Data protection helps reduce risk and enables a business or agency to respond quickly to threats.
Need for data protection
- Data protection is important because the total number of computing devices increases each year, and computing is now more complex and connects a large number of individuals, so a breach of their data will have disastrous consequences.
- The implications of a data breach or data loss incident can bring organizations to their knees. Failure to protect data can cause financial losses, loss of reputation and customer trust, and legal liability, considering most organizations today are subject to some data privacy standard or regulation.
- Personal data reveals a lot about an individual, his thoughts, and his life. This data can easily be exploited to harm him, and that’s especially dangerous for vulnerable individuals and communities, such as journalists, activists, human rights defenders, and members of oppressed and marginalized groups. That is why data must be strictly protected.
Status of Data Protection in India
- The Information Technology Act, 2000 was passed to uplift e-governance, provide legal backing for online transactions, and fight cybercrime.
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) govern the “collecting, receiving, possessing, storing, dealing, handling, retaining, using, transferring, disclosing sensitive personal data or information, security practices and procedures for handling personal information”.
- The rules define sensitive personal data under Rule 3.
- Under Rule 6, a body corporate is not permitted to publish or disclose such data or information to any third party without the information provider’s prior consent.
- The Hon’ble Supreme Court of India established the right to privacy as a fundamental right under Article 21 of the Constitution of India, as part of the right to life and personal liberty, in the case of Justice K.S. Puttaswamy v. Union of India (2017), also called the “privacy judgement.”
- Section 8(1)(j) of the Right to Information Act, 2005 deals with the non-disclosure of personal information.
Need for data protection laws in India
- In India, the confluence of multiple regulations for different areas produces ambiguity, which is one of the key reasons for data breaches.
- In India, there is no single codified law that addresses all areas of data privacy and keeps track of the penalties that should be applied.
- When dealing with situations involving data breaches and cybersecurity, the enforcement mechanism typically confronts a number of implementation challenges in the absence of a codified law.
- Since India is a nation-state, the data of the citizens is considered a national asset.
- Depending on India’s security and geopolitical objectives, this national asset may need to be protected and stored within national borders. That would include not only corporates, but also Non-Governmental Organisations and governmental bodies, and India needs a law to regulate this.
- Article 38, which is one of the Directive Principles of State Policy, is concerned with the general well-being of citizens. Privacy and data protection are fundamentally linked to the welfare state.
- Article 51 also specifies that the State shall seek to encourage conformity to treaty obligations and international law in order to foster international peace and security. As a member of several international organisations that focus on data protection mechanisms, such as the United Nations Commission on International Trade, India should make a comprehensive law on data protection.
Draft Digital Personal Data Protection (DPDP) Bill, 2022
The purpose of the bill is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.
The data protection legislation specifies norms on management of personal data of Indian residents and requires explicit consent from people whose data is collected and used.
Key Provisions of DPDP Bill
- The Bill requires entities that collect personal data — called data fiduciaries — to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill defines “Data Principal” as the individual to whom the personal data relates; where such individual is a child, the term includes the parents or lawful guardian of that child.
- The Bill defines “Data Processor” as any person who processes personal data on behalf of a Data Fiduciary.
- Data Protection Board of India
  - It consists of technical experts and is constituted by the government.
  - If the Board has reason to believe that an individual’s personal data (for example, cell phone numbers or Aadhaar details) has been used without that individual’s consent, it will institute an investigation into the breach.
- The Bill provides for a “Data Protection Officer” who will represent the Significant Data Fiduciary under the provisions of the Act and be based in India.
- The Data Protection Officer will be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary and will be the point of contact for the grievance redressal mechanism under the provisions of the Bill.
- The DPDP Bill also outlines practices for entities that collect personal data, how that data should be stored and processed to ensure there is no breach, as well as the rights of the persons whose data is being used.
- The Bill has a clause allowing an entity to offer a voluntary undertaking if it wants to admit that a breach has occurred and pay a penalty as a mitigation measure to avoid court litigation.
- The fines would be levied by the Data Protection Board of India, which would be set up under the Act.
Benefits of the DPDP Bill
- Once passed, the Bill will be critical in India’s trade negotiations with other countries, particularly with the European Union, whose General Data Protection Regulation (GDPR) is among the most comprehensive privacy rules in the world.
- The Digital Personal Data Protection Bill, 2022, is a crucial pillar of the overarching framework of technology regulations the Centre is building, which also includes the Digital India Bill — the proposed successor to the Information Technology Act, 2000, the draft Indian Telecommunication Bill, 2022, and a policy for non-personal data governance.
Issues with the DPDP Bill
- The bill empowers the executive to draft rules and notifications on a vast range of issues, which increases executive discretion and decreases accountability.
- For example, the central government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification.
- The Centre was also empowered to appoint members to the data protection board, raising concerns over the control it could potentially exert on the institution in cases where it was an interested party.
- Exemptions from data processing by the state for reasons such as national security may result in data collection, processing, and retention that exceeds what is necessary. This may violate the fundamental right to privacy.
- Any data collected by government agencies is exempted even if the data is later processed by a different agency and regardless of the legality of the purpose.
- The Bill differentiates between private and government companies performing the same commercial activity, such as providing banking or telecommunications services, in terms of consent and storage limitation. This may violate the right to equality of the private sector providers.
  - This is contrary to the idea of data justice present in the original draft of the Personal Data Protection Bill created by the B N Srikrishna Committee in 2018.
- The composition, manner, and tenure of appointments to the Data Protection Board of India will be determined by the Central government. This raises a question about the independent functioning of the Board.
- The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
- Before processing a child’s personal data, all data fiduciaries must get verified consent from the child’s legal guardian, according to the Bill. To comply with this regulation, any data fiduciary must verify the age of anyone who signs up for its services. This may have negative consequences for online anonymity.
- The Bill proposes amendments to Section 8(1)(j) of the RTI Act to expand its purview and exempt all personal information from disclosure. This threatens the transparency and accountability regime in the country, as the personal data of government officials will be protected under it and cannot be disclosed to an RTI applicant.
- The Bill does not have stringent norms like the GDPR, including provisions that limit the mass collection of public data; this gives monopolistic power to first-mover corporations and can harm socio-economic rights.
- The Bill puts publicly available data outside its regulation, but such data has the potential to reveal, via machine learning, sensitive information that individuals did not consent to reveal when they posted seemingly harmless data on the internet.
- Private entities are exempted even when they collect the personal data of employees for performance evaluation purposes. This can lead to invasive data collection in office spaces and invasive biometrics on blue-collar workers, enabling more sophisticated exploitation and universalising a culture of surveillance.
- Under the Bill, private entities in possession of someone’s data can also assume consent and share that data with other private entities, for an unspecified duration, without informing the person.
Need for asymmetric power to the state
- The government needs certain exemptions because it deals with issues including terrorism, law and order, and public health emergencies. These exemptions are needed for the government to work efficiently.
- The Digital Personal Data Protection Bill is only one of the pieces that form part of the government’s larger policy vision for the entire digital economy and must be seen in that light.
Models of Data Protection
- The GDPR focuses on a comprehensive data protection law for processing of personal data.
- The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
- It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data, but it is still the template for most of the legislation drafted around the world.
- The United States follows a sectoral approach to data privacy protection.
- There is no all-encompassing federal legislation that ensures the privacy and protection of personal data. Instead, legislation at the federal level primarily protects data within sector-specific contexts.
- Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government.
- It is viewed as being somewhat narrow in focus, because it enables collection of personal information as long as the individual is informed of such collection and use.
- China’s two newest data security laws—the “Data Security Law” (DSL) and the “Personal Information Protection Law” (PIPL)—came into effect at the end of 2021.
- The DSL sets a framework for companies to classify data based on its economic value and relevance to China’s national security, while the PIPL recalls Europe’s GDPR in setting a framework to ensure user privacy.
- The DSL references two main categories of sensitive data—national core data and important data—with new guidelines for governing each.
- The PIPL covers all data activities related to the personal information of Chinese citizens, whether it is originally collected within China or abroad.
On the one hand, data privacy is important because it safeguards personal integrity, promotes trust in digital interactions, and upholds the fundamental rights of individuals in an increasingly data-driven world; on the other, protecting data from internal or external corruption and illegal access protects a company from financial loss, reputational harm, consumer trust degradation, and brand erosion. In this regard, the DPDP Bill has central importance in the economic, inclusive and secure development of India.