Explained: Will the Digital Personal Data Protection Bill 2022 bring more privacy to India?
Explained: Will the Digital Personal Data Protection Bill 2022 bring more privacy to India?
The Ministry of Electronics and Information Technology (MeitY) released a draft of the Digital Personal Data Protection (DPDP) Bill, 2022, on Friday (18 November). The Centre has also invited feedback and recommendations from the public on the 24-page Bill concerning personal data protection till 17 December.
Minister of electronics and information technology Ashwini Vaishnaw took to Twitter to share the draft Bill and seek suggestions from the public.
Seeking your views on draft Digital Personal Data Protection Bill, 2022.
Link below: https://t.co/8KfrwBnoF0
— Ashwini Vaishnaw (@AshwiniVaishnaw) November 18, 2022
The new draft comes five years after the first draft of the Bill on data protection was presented by an expert committee headed by Justice BN Srikrishna in July 2018.
What is the revised Digital Personal Data Protection (DPDP) Bill, 2022? What are the main highlights of the Bill? Why have some experts raised concerns? Let’s take a detailed look.
What is DPDP Bill 2022?
An explanatory note for the Digital Personal Data Protection Bill, 2022, says the legislation lays down “the rights and duties of the citizen (digital nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand”.
According to the Bill, ‘Data Principal’ is the individual whose personal data is being collected.
‘Data Fiduciary’ is any entity (individual, company, firm, state, etc) that decides the “purpose and means of processing of an individual’s personal data”.
Personal data is any information through “which or in relation to which an individual can be identified”, says the explanatory note.
Highlights of the Bill
The 2022 Bill requires an individual to provide consent before their data is processed. It further mentions that “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.”
This rule is not required in circumstances where seeking the individual’s consent is “impracticable or inadvisable due to pressing concerns”.
The Data Principal can withdraw their consent at any time, says the Bill. “The consequences of such withdrawal shall be borne by such Data Principal”, it adds.
The draft also makes it clear that individuals should have access to “basic information” in languages specified in the eighth schedule of the Indian Constitution.
The Bill allows the central government to notify a new regulatory body called the Data Protection Board of India to oversee compliance with the Act.
The proposed legislation empowers the Union government to appoint the chairperson and members of this Board.
“The chief executive entrusted with the management of the affairs of the Board shall be such individual as the central government may appoint and terms and conditions of her service shall be such as the central government may determine,” states the Bill.
The Board will have the power to impose a penalty of up to Rs 500 crore if non-compliance is ‘significant’.
The draft also elaborates on six types of penalties for non-compliance including failure to notify the Board and affected users in case of a personal data breach.
The Bill could exempt certain entities from adhering to the law depending on the volume and nature of personal data processed.
It also allows the Centre to exempt any “instrumentality of the state in the interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”.
Another point that emerges from the Bill is that when it comes to children – which it defines as all users under the age of 18 — their parents or lawful guardians will be considered their ‘Data Principals.’
In such cases, the Data Fiduciary must obtain “verifiable parental consent” before processing personal data.
An individual will have to cough up a penalty of up to Rs 10,000 if they furnish false information while “applying for any document, service, unique identifier, proof of identity or proof of address”.
The proposed Bill permits cross-border storage and transfer of data to “certain notified countries and territories” in accordance with the specific terms and conditions.
The individuals will have the right to file a complaint with Data Fiduciary, and if not specified with their response, they can register the grievance with the Data Protection Board.
ALSO READ: Regulatory cobwebs threaten to scupper India’s data economy: A closer look at threats, opportunities
Reactions to the Bill
Prasanna S, a Delhi-based lawyer, has expressed concern about a lack of compensation in case of personal data breach.
“In case of a data breach, the victim, under the proposed Act, can’t seek monetary compensation of any form,” he told The Wire.
He also said the Bill specifies “duties of data principal” which is “unheard of and doesn’t exist in any data privacy law anywhere else”.
Experts have also questioned the autonomy of the proposed Data Protection Board that will be established by the Centre.
“While the Data Protection Authority was earlier envisaged to be a statutory authority (under the 2019 Bill), the Data Protection Board is now a central government set up board. The government continues to have a say in the composition of the board, terms of service, etc.,” Nehaa Chaudhari, partner at Delhi-based Ikigai Law, was quoted as saying by Indian Express.
However, minister of state for electronics and IT Rajeev Chandrasekhar has refuted concerns regarding the independence of the Board.
“We have clearly stated in the Bill that the Data Protection Board will be very independent… The board will have a purely adjudicatory mechanism to decide on the issue of data breaches. It carries the same rank as a civil court and its decisions will be appealable to a High Court. This…is enough of an incentive or disincentive for the board to work transparently,” he told Indian Express.
Laws on data protection in other countries
According to the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation, around 137 out of 194 countries have laws on the protection of data and privacy, reports Indian Express.
In 2018, the European Union (EU) released its landmark law — the General Data Protection Regulation (GDPR) — for the protection of personal data and its ongoing security.
Moreover, countries such as the US, China, Canada, The Philippines and Brazil, among others have engaged in some “form of international privacy laws for data protection”, as per Thales Group.
With inputs from agencies
Read all the Latest News, Trending News, Cricket News, Bollywood News,
India News and Entertainment News here. Follow us on Facebook, Twitter and Instagram.
What's Your Reaction?
