In News
- Recently, the latest draft of the data protection law, the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022), has been made open for public comments.
Key Points
- Background:
- The data protection Bill has been in the works since 2018 when a panel led by Justice B N Srikrishna had prepared a draft version of the Bill.
- It is India’s first attempt to domestically legislate on the issue of data protection.
- The government made revisions to this draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019.
- Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (JPC) submitted its report on the Bill after two years, in December 2021.
- The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC.
- However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
- Now, the government is expected to introduce the Bill in Parliament in the budget session of 2023.
- Aim:
- Regulating online space including separate legislation on data privacy, the overall internet ecosystem, cyber security, telecom regulations, and harnessing non-personal data for boosting innovation in the country.
- Reason for so many changes:
- Harm to privacy:
- Constant interactions with digital devices have led to unprecedented amounts of personal data being generated round the clock by users (data principals).
- When coupled with the computational power available today with companies (data fiduciaries), this data can be processed in ways that increasingly impair the autonomy, self-determination, freedom of choice and privacy of the data principal.
- Inadequate present laws:
- The current legal framework for privacy enshrined in the Information Technology Rules, 2011 (IT Rules, 2011) is wholly inadequate to combat such harms to data principals, especially since the right to informational privacy has been upheld as a fundamental right by the Supreme Court (K.S. Puttaswamy vs Union of India [2017]).
- It is inadequate on four levels:
- The extant framework is premised on privacy being a statutory right rather than a fundamental right and does not apply to processing of personal data by the government;
- It has a limited understanding of the kinds of data to be protected;
- It places scant obligations on the data fiduciaries which, moreover, can be overridden by contract;
- There are only minimal consequences for the data fiduciaries for the breach of these obligations.
Scope of Present Bill
- The DPDP Bill, 2022 applies to all processing of personal data that is carried out digitally.
- This would include both personal data collected online and personal data collected offline but is digitised for processing.
- In effect, by being entirely inapplicable to manually processed data, the Bill provides a somewhat lower degree of protection than the earlier drafts, which excluded manually processed data only when it was processed by “small entities” and not generally.
- As far as the territorial application of the law is concerned, the Bill covers processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India.
Major provisions of the revamped Bill
- High penalties:
- Companies dealing in personal data of consumers that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs 200 crore.
- Penalties are expected to vary on the basis of the nature of non-compliance by data fiduciaries (entities that handle and process personal data of individuals).
- Companies failing to notify people impacted by a data breach could be fined around Rs 150 crore.
- Those failing to safeguard children’s personal data could be fined close to Rs 100 crore.
- In the previous version of the Bill, withdrawn earlier this year, the penalty proposed on a company for violation of the law was Rs 15 crore or 4 percent of its annual turnover, whichever is higher.
- The Data Protection Board
- It is an adjudicating body proposed to enforce the provisions of the Bill which is likely to be empowered to impose the fine after giving the companies an opportunity of being heard.
- Personal data
- The new Bill will only deal with safeguards around personal data and is learnt to have excluded non-personal data from its ambit.
- Non-personal data essentially means any data which cannot reveal the identity of an individual.
Significance of the revamped Bill
- Strong safeguards: Fines for data misuse prescribed in the previous version of the Bill were not seen as an effective deterrent.
- The higher penalties being proposed now will prompt entities to build strong safeguards to protect data and enforce fiduciary discipline.
- Companies would face punitive actions in the nature of financial penalties in the event of misuse of data and data breaches.
- The upcoming data protection Bill will put an end to misuse of customer data with companies facing financial consequences.
- There will also be a strict purpose limitation on data collected by companies, and a limit on the time for which they can store it, under the new Bill.
- Data fiduciaries will be required to stop retaining personal data and delete previously collected data once the initial purpose for which it was collected has been fulfilled.
Way Ahead
- While protecting the rights of the data principal, data protection laws need to ensure that the compliance requirements for data fiduciaries are not so onerous as to make even legitimate processing impractical.
- The challenge lies in finding an adequate balance between the right to privacy of data principals and reasonable exceptions, especially where government processing of personal data is concerned.
- Given the rate at which technology evolves, an optimum data protection law design needs to be future proof — it should not be unduly detailed and centred on providing solutions to contemporary concerns while ignoring problems that may emerge going forward.
- The law needs to be designed for a framework of rights and remedies that is readily exercisable by data principals given their unequal bargaining power with respect to data fiduciaries.
Data Protection Bill, Globally