The Digital Personal Data Protection Bill, 2022, which was initially proposed in November, is anticipated to be presented during the Monsoon Session of Parliament commencing on July 20. The draft Bill has received approval from the Union Cabinet.
GS II: Polity and Governance
Dimensions of the Article:
- Significance of a Privacy Law
- Concerns around the draft Bill
- Comparison of India’s proposal with other countries
Significance of a Privacy Law
Part of a comprehensive technology regulations framework:
- The Digital Personal Data Protection Bill, 2022, is a crucial component of the overall technology regulations framework being developed by the government.
- This framework includes other bills such as the Digital India Bill and the draft Indian Telecommunication Bill.
Protection of personal data:
- The proposed law focuses on the processing of digital personal data within India. It also extends to data processing outside the country if it involves offering goods or services to individuals in India or profiling them.
Obligations for data fiduciaries:
- Entities collecting personal data, referred to as data fiduciaries, are required to maintain data accuracy, ensure data security, and delete data once its purpose has been fulfilled.
Voluntary undertakings and settlement fees:
- The Bill is expected to allow entities that violate its provisions to bring the matter to the data protection board and potentially avoid proceedings by accepting settlement fees.
- Repeat offenses may incur higher financial penalties.
Penalty for data breaches:
- The highest penalty prescribed for failing to prevent a data breach is Rs 250 crore per instance.
- The definition of “per instance” is subject to interpretation by the data protection board, which may consider the number of people impacted and multiply it by the penalty amount.
Concerns around the draft Bill
Wide-ranging exemptions for the central government:
- The Bill is reported to retain provisions that allow the central government and its agencies to be exempted from adhering to the privacy provisions.
- These exemptions are based on reasons such as national security, relations with foreign governments, and maintenance of public order.
Control of the central government in appointing members of the data protection board:
- The draft Bill is said to maintain the central government’s control in appointing members of the data protection board, which is the adjudicatory body responsible for handling privacy-related grievances and disputes.
- This raises concerns about the independence and impartiality of the board.
Potential impact on the Right to Information (RTI) Act:
- There is apprehension that the new privacy law could weaken the Right to Information Act.
- Personal data of government functionaries may receive protection under the law, making it challenging to share such information with RTI applicants.
Likely changes in the final draft:
Cross-border data flows:
- The approach to cross-border data flows is expected to change from a ‘whitelisting’ approach to a ‘blacklisting’ mechanism.
- Instead of specifying a list of countries where data transfers are allowed (whitelist), there may be a list of countries where transfers would be prohibited (blacklist).
Stricter provision on “deemed consent”:
- The provision on “deemed consent” is likely to be reworded to impose stricter requirements on private entities.
- However, government departments may still have the ability to assume consent while processing personal data based on grounds of national security and public interest.
Comparison of India’s proposal with other countries:
- EU model: The General Data Protection Regulation (GDPR) in the European Union focuses on comprehensive data protection laws for processing personal data. It is known for its strict regulations and obligations on organizations processing data.
- US model: Privacy protection in the United States is largely centered around “liberty protection” and focuses on safeguarding individuals’ personal space from government intrusion. It allows for the collection of personal information as long as individuals are informed about it.
- China model: China has recently introduced new laws on data privacy and security, such as the Personal Information Protection Law (PIPL) and the Data Security Law (DSL). These laws aim to protect personal data, grant new rights to data subjects, and impose restrictions on cross-border data transfers.
- Global adoption: According to UNCTAD, approximately 137 out of 194 countries have enacted legislation to protect data and privacy. Adoption rates vary across regions, with Africa and Asia showing higher adoption rates compared to Least Developed Countries (LDCs).
- India’s proposal: While the specifics of India’s data protection legislation are still being finalized, it is expected to contribute to the overall global trend of countries strengthening data protection and privacy laws. The proposal will shape India’s unique approach to balancing privacy rights, data protection, and national security concerns.
Source: Indian Express