Revamped Digital Personal Data Protection Bill

In News

  • The government is close to finalising the revamped Bill and will come out with a final draft version soon.

Background

  • The data protection Bill has been in the works since 2018 when a panel led by Justice B N Srikrishna had prepared a draft version of the Bill.  
    • It is India’s first attempt to domestically legislate on the issue of data protection.
  • In August 2022, the government withdrew the earlier Personal Data Protection Bill from Parliament after putting in nearly four years and having gone through multiple iterations including deliberations by a Joint Committee of Parliament.  
  • It aims at regulating online space including separate legislation on data privacy, the overall internet ecosystem, cyber security, telecom regulations, and harnessing non-personal data for boosting innovation in the country.

Major provisions of the revamped Bill

  • High penalties
    • Companies dealing in personal data of consumers that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs 200 crore.
      • Penalties are expected to vary on the basis of the nature of non-compliance by data fiduciaries (entities that handle and process personal data of individuals).
    • Companies failing to notify people impacted by a data breach could be fined around Rs 150 crore.
    • Those failing to safeguard children’s personal data could be fined close to Rs 100 crore. 
    • In the previous version of the Bill, withdrawn earlier this year, the penalty proposed on a company for violation of the law was Rs 15 crore or 4 percent of its annual turnover, whichever is higher. 
  • The Data Protection Board
    • It is an adjudicating body proposed to enforce the provisions of the Bill which is likely to be empowered to impose the fine after giving the companies an opportunity of being heard.
  • Personal data
    • The new Bill will only deal with safeguards around personal data and is learnt to have excluded non-personal data from its ambit. 
      • Non-personal data essentially means any data which cannot reveal the identity of an individual. 

Do you know?

  • Data Principal: The individual whose data is being stored and processed is called the data principal in the PDP Bill.
  • Data Transfer: Data is transported across country borders in underwater cables.
  • Data localisation: It is the act of storing data on any device physically present within the borders of a country.

Criticism of the previous Bill  

  • Pushback from big tech companies: It faced major push back from a range of stakeholders including big tech companies such as Facebook and Google, and privacy and civil society activists. 
    • They have questioned the provision of data localisation, under which it would have been mandatory for companies to store a copy of certain sensitive personal data within India, and the export of undefined “critical” personal data from the country would be prohibited.
  • Too many delays in the Bill: it is a matter of grave concern that India, one of the world’s largest Internet markets, did not have a basic framework to protect people’s privacy.
  • No relevance of Localised Data: Few critics point out to the fact that even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
  • Open Ended Definitions: National security or reasonable purposes are open-ended terms; this may lead to intrusion of the state into the private lives of citizens.
  • Against the concept of Free Market: Protectionist regime suppresses the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.

Significance of the revamped Bill 

  • Strong safeguards: Fines for data misuse prescribed in the previous version of the Bill were not seen as an effective deterrent. 
    • The higher penalties being proposed now will prompt entities to build strong safeguards to protect data and enforce fiduciary discipline.
  • Companies would face punitive actions in the nature of financial penalties in the event of misuse of data and data breaches.
  • The upcoming data protection Bill will put an end to misuse of customer data with companies facing financial consequences.
  • There will also be a strict or purpose limitation of data collected by companies and the time till which they can store it under the new Bill.
  • Data fiduciaries will be required to stop retaining personal data and delete previously collected data after the initial purpose for which it was collected was fulfilled. 

Conclusion

  • The prime challenge is to balance between the growth opportunities posed by Free Data and Right to Privacy as Fundamental Right as declared by Puttaswamy Judgement 2017. In this context, India must promote Data Localisation with care and by more scientific and organic categorisations. The open ended definitions must be clearly defined.

Source: IE

 
Previous article Online Safety of Women
Next article Rhodes Scholarship