The Union Ministry of Electronics and Information Technology (MeitY) recently released a new draft titled the Digital Personal Data Protection Bill, 2022. Among the significant changes in the revised Bill are:
- easing cross-border data transfers;
- increasing penalties for data breaches and noncompliance; and
- allowing the government to exempt state agencies from the law in the interests of national security.
GS Paper – 2 – Government Policies & Interventions
GS Paper – 3 – Cyber Security, IT & Computers
“Any policy governing data accessibility and use is incomplete unless adequate public safeguards are provided through a comprehensive data protection framework.” Consider this statement in light of the Draft India Data Accessibility and Use Policy 2022. (250 Words)
Background to the Digital Personal Data Protection Bill of 2022:
- The revised draft was made public after the government retracted an earlier version that sparked outrage from Big Tech and civil society.
- Initial bill (2019): It was prepared by retired Supreme Court Justice B N Srikrishna to provide for the protection of individuals’ personal data and the establishment of a Data Protection Authority.
- The new draft, which has 30 provisions (compared to more than 90 in the 2019 bill), is now open for public comment, and the final version is scheduled to be tabled in Parliament during the Budget session next year.
The following are the key provisions in the new draft:
- Limitations on the purpose of collection and processing of personal data.
- A Data Protection Board as the adjudicating body to enforce the Bill’s provisions
- Provides substantial concessions on cross-border data flows.
- Based on their data security landscape, the Centre will notify regions to which Indians’ data can be transferred.
- The previous Bill required businesses to keep a copy of certain “sensitive personal data” within India and forbade the export of undefined “critical” personal data from the country.
IT raised one of the most serious concerns.
The new Bill relaxes data localisation rules and allows data to flow to specific global destinations based on predetermined evaluations.
- Businesses will no longer be required to keep user data that no longer serves a business purpose.
- Users will be able to have their personal data held by enterprises corrected and erased.
- Companies should not process personal data that is “likely to cause harm” to children (those under the age of 18), and they should not target advertising to children.
- National security exemptions have been preserved. The Centre has been given the authority to exempt its agencies from the Bill’s provisions in the interests of:
  - India’s sovereignty and integrity,
  - state security,
  - friendly relations with foreign states,
  - maintenance of public order, or preventing incitement to any cognisable offence.
- Keeping in mind the country’s start-up ecosystem, the government may exempt certain businesses from the Bill’s provisions based on the volume of users and personal data processed.
- Penalties for corporations: For data breaches and noncompliance, fines range from Rs 50 crore to Rs 500 crore.
- User penalties: A customer who provides fraudulent documentation for an online service or files frivolous grievance complaints may face a fine of up to Rs 10,000.
- Extensive, overly broad exemptions for state agencies: This may not meet the test of ‘necessity’ and ‘proportionality’ outlined in the landmark right to privacy decision of 2017.
- A proposed regulator’s independence is weakened: The chairperson and members of the proposed Data Protection Board are entirely at the discretion of the central government.
- In contrast, the Data Protection Authority (under the 2019 Bill) was intended to be a statutory body.