Why in news?
The Union Cabinet on July 5 cleared the Bill that essentially allows laypersons to complain to the Data Protection Board of India, consisting of technical experts constituted by the government.
Context:
The Digital Personal Data Protection Bill, 2022, is a crucial pillar of the overarching framework of technology regulations the Centre is building, which also includes the Digital India Bill — the proposed successor to the Information Technology Act, 2000, the draft Indian Telecommunication Bill, 2022, and a policy for non-personal data governance.
Nearly six years after the Supreme Court held privacy to be a fundamental right, the Centre has made a second attempt at framing legislation for protection of data.
The Digital Personal Data Protection Bill, 2022, a draft of which was floated in November, is expected to be tabled in Parliament’s Monsoon Session that begins on July 20. The Union Cabinet approved the draft Bill on Wednesday.
All you need to Know about Digital Personal Data Protection Bill 2022:
Personal data is information that relates to an identified or identifiable individual. Businesses as well as government entities process personal data for delivery of goods and services. Processing of personal data allows understanding preferences of individuals, which may be useful for customisation, targeted advertising, and developing recommendations. Processing of personal data may also aid law enforcement. Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right. It may subject individuals to harm such as financial loss, loss of reputation, and profiling.
Currently, India does not have a standalone law on data protection. The usage of personal data is regulated under the Information Technology (IT) Act, 2000. It has been observed that this framework is not adequate to ensure the protection of personal data.In 2017, the central government constituted a Committee of Experts on Data Protection chaired by Justice B. N. Srikrishna to examine issues relating to data protection in the country.
The Committee submitted its report in July 2018.Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019.The Bill was referred to a Joint Parliamentary Committee which submitted its report in December 2021.2 In August 2022, the Bill was withdrawn from Parliament. In November 2022, the Ministry of Electronics and Information Technology released the Draft Digital Personal Data Protection Bill, 2022 for public feedback.
Key Issues and Analysis
Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing and retention beyond what is necessary. This may violate the fundamental right to privacy.
The Bill accords differential treatment on consent and storage limitation to private and government entities performing the same commercial function such as providing banking or telecom services. This may violate the right to equality of the private sector providers.
The central government will prescribe the composition, and manner and terms of appointments to the Data Protection Board of India. This raises a question about the independent functioning of the Board.
The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child. To comply with this provision, every data fiduciary will have to verify the age of everyone signing up for its services. This may have adverse implications for anonymity in the digital space.
What are the concerns around the draft Bill?
The Bill approved by the Cabinet is understood to have largely retained the contents of the original version that was proposed in November 2022. This is especially true of some of the proposals that privacy experts had flagged earlier.
Wide-ranging exemptions for the central government and its agencies, which were among the most criticised provisions of the previous draft, are understood to have been retained unchanged. The Bill is learnt to have prescribed that the central government can exempt “any instrumentality of the state” from adhering to the provisions on account of national security, relations with foreign governments, and maintenance of public order among other things.
The control of the central government in appointing members of the data protection board — an adjudicatory body that will deal with privacy-related grievances and disputes between two parties — is learnt to have been retained as well. The chief executive of the board will be appointed by the central government, which will also determine the terms and conditions of their service.
There is also concern that the law could dilute the Right to Information (RTI) Act, as personal data of government functionaries is likely to be protected under it, making it difficult to be shared with an RTI applicant.
A key change in the final draft is learnt to have been made in the way it deals with cross-border data flows to international jurisdictions — moving from a ‘whitelisting’ approach to a ‘blacklisting’ mechanism.
How does India’s proposal compare with other countries?
EU model: The GDPR focuses on a comprehensive data protection law for processing of personal data. It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data, but it is still the template for most of the legislation drafted around the world.
US model: Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government. It is viewed as being somewhat narrow in focus, because it enables collection of personal information as long as the individual is informed of such collection and use.
China model: New Chinese laws on data privacy and security issued over the last 12 months include the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.
Way forward
Government as a Role Model Given its significant role as a data fiduciary and processor, the government must lead by example in prioritizing data protection.
Establishing an independent and empowered data protection board with parliamentary or judicial oversight is crucial to ensure effective governance.
Balancing Innovation and Regulation is important. While stringent regulations are necessary to safeguard personal data, overly prescriptive and restrictive norms could stifle innovation and hinder cross-border data flows. Striking the right balance is essential to foster innovation while effectively protecting personal data.
A robust data protection law is just one aspect of a broader framework for digital governance. To ensure comprehensive regulation, cyber security, competition, artificial intelligence, and other relevant areas must also be addressed. The European Union's approach, encompassing additional instruments such as the Data Act, Digital Services Act, Digital Markets Act, and the AI Act, can provide valuable insights.
Mains Practice question:
How does data protection intersect with other areas such as privacy, consent, and data breach notification?
GS 2 : GOVERNANCE
Launch your Graphy