The latest draft of the data protection law — the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) — has now been made open for public comments and the government is expected to introduce the Bill in Parliament in the budget session of 2023.
GS II: Polity and Governance
Dimensions of the Article:
- Data Bill based on seven principles
- Applicability of the Bill
- Key features of the bill
- Some criticisms of the bill
Data Bill based on seven principles
- The first is that “usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.”
- The second principle states that personal data must only be used for the purposes for which it was collected.
- The third principle talks of data minimisation, while the fourth puts an emphasis on data accuracy when it comes to collection.
- The fifth principle talks of how personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration.
- The sixth principle notes that there should be reasonable safeguards to ensure there is “no unauthorised collection or processing of personal data.”
- The seventh principle “is that the person who decides the purpose and means of the processing of personal data should be accountable for such processing.”
Applicability of the Bill
- Processing of personal data collected within the territory of India when the data is collected online or is collected offline and digitised.
- Processing of personal data outside of India, if the processing is in connection with profiling people in India or offering goods and services to people in India. Profiling here means “any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.”
- Does not apply to:
  - non-automated processing of personal data
  - offline personal data
  - personal data processed by an individual for any personal or domestic purpose
  - personal data about an individual that is contained in a record that has been in existence for at least 100 years.
Key features of the bill
Data Principal and Data Fiduciary
- The bill uses the term “Data Principal” to denote the individual whose data is being collected.
- The term “Data Fiduciary” denotes the entity (can be an individual, company, firm, state etc.) which decides the “purpose and means of the processing of an individual’s personal data.”
- The law also recognises that in the case of children (defined as all users under the age of 18), their parents or lawful guardians will be considered their ‘Data Principals.’
- Under the law, personal data is “any data by which or in relation to which an individual can be identified.”
- Processing means “the entire cycle of operations that can be carried out in respect of personal data.” So everything from collection to storage of data would come under processing of data as per the bill.
- The bill also ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
- The bill also makes it clear that individuals need to give consent before their data is processed and that “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.”
- Further, the notice of data collection needs to be in clear and easy-to-understand language.
- Individuals also have the right to withdraw consent from a Data Fiduciary.
Significant Data Fiduciaries
- The bill also talks of ‘Significant Data Fiduciaries’, who deal with a high volume of personal data.
- The Central government will define who is designated under this category based on a number of factors ranging from the volume of personal data processed to the risk of harm to the potential impact on the sovereignty and integrity of India.
- “This category needs to fulfil certain additional obligations to enable greater scrutiny of its practices,” according to the bill’s explanatory note.
Data protection officer & Data auditor
- Such entities will have to appoint a ‘Data protection officer’ who will represent them.
- They will be the point of contact for grievance redressal.
- They will also have to appoint an independent Data auditor who shall evaluate their compliance with the act.
Right to erase data, right to nominate
- Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
- They will also have the right to nominate an individual who will exercise these rights in the event of death or incapacity of the data principal.
- The bill also gives consumers the right to file a complaint against a ‘Data Fiduciary’ with the Data Protection Board in case they do not get a satisfactory response from the company.
Cross-border data transfer
- The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.”
- However, “an assessment of relevant factors by the Central Government would precede such a notification,” adds the note.
- The draft also proposes to impose significant penalties on businesses that undergo data breaches or fail to notify users when breaches happen.
- Entities that fail to take “reasonable security safeguards” to prevent personal data breaches will face fines as high as Rs 250 crore.
- As per the draft, the Data Protection Board — a new regulatory body to be set up by the government — can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant.
Some criticisms of the bill
- The Bill makes use of open-ended language such as “as necessary” or “as may be prescribed”.
- The Bill does not seem to work towards protecting people, but ensures that the government retains all power without any checks or balances.
- The government has been given the power to exempt not only government agencies but any entity that is collecting user data, from having to comply with the provisions of this bill when it is signed into law.
- The Executive in India has a track record of exploiting to expand its powers. There is no right for compensation to individuals in case of a data breach. They have no right to data portability.
-Source: The Hindu