Data Protection Bill to be tabled this monsoon session: Here’s everything you need to know
Nearly six years after the Supreme Court recognized privacy as a fundamental right, the government is taking a second shot at crafting legislation to safeguard data. The Digital Personal Data Protection Bill, 2022, which was initially proposed in November, is set to be presented during the Monsoon Session of Parliament starting on July 20.
The Union Cabinet approved the draft Bill earlier this month. Although the specific details of the Bill are still confidential until its formal introduction in Parliament, experts involved in the discussions have revealed that certain contentious issues from the November draft have been retained. These issues include extensive exemptions for the Centre and its agencies, as well as a reduction in the powers of the data protection board.
Once enacted, this Bill will hold significant importance in India’s trade negotiations with other countries, particularly with regions like the European Union, which has stringent privacy laws under the General Data Protection Rules (GDPR).
Why do we need a Personal Data Protection Bill?
At present, India does not have comprehensive legislation specifically dedicated to data protection. Instead, the use of personal data is regulated under the Information Technology (IT) Act of 2000. However, this framework has been recognized as inadequate for effectively safeguarding personal data.
In 2017, the Indian government formed a Committee of Experts on Data Protection, led by Justice B. N. Srikrishna, to address data protection concerns within the country. The committee submitted its report in July 2018.
Following the committee’s recommendations, the Personal Data Protection Bill, 2019, was introduced in Lok Sabha in December 2019. The Bill underwent scrutiny by a Joint Parliamentary Committee, which presented its report in December 2021. However, the Bill was withdrawn from Parliament in August 2022.
In November 2022, the draft Digital Personal Data Protection Bill, 2022, was made publicly available by the Ministry of Electronics and Information Technology to gather feedback from the general public. On July 5, the draft Bill received approval from the Union Cabinet.
The Digital Personal Data Protection Bill, 2022, is a crucial element of the comprehensive technology regulatory framework being developed by the Centre. This framework also includes the Digital India Bill, intended to replace the Information Technology Act, 2000, the draft Indian Telecommunication Bill, 2022, and a policy for non-personal data governance.
In August of the previous year, the government withdrew a prior version of the data protection Bill from Parliament, which had undergone nearly four years of development, multiple revisions, and a review by a Joint Committee of Parliament. It faced opposition from various stakeholders, including technology companies and privacy activists.
The proposed law will apply to the processing of digital personal data within India, and to data processing outside the country if it involves offering goods or services to, or profiling, individuals in India.
Entities that collect personal data, known as data fiduciaries, will be required to maintain data accuracy, ensure data security, and delete data once its purpose has been fulfilled.
The Bill is expected to offer a “voluntary undertaking” option, allowing entities violating its provisions to approach the data protection board. The board can then decide to waive proceedings against the entity if a settlement fee is accepted. Repeat offenses of the same nature could incur higher financial penalties, according to an official statement.
The highest penalty, set at Rs 250 crore per instance, will be imposed for failing to prevent a data breach. The definition of “per instance” is subjective, as government officials explained in informal conversations. It could refer to a single instance of a data breach or take into account the number of affected individuals, multiplied by Rs 250 crore.
The data protection board will have the authority to interpret these provisions on a case-by-case basis.
Issues with Draft Digital Personal Data Protection Bill, 2022
The Bill approved by the Cabinet is believed to have mostly maintained the same provisions as the original version proposed in November 2022, particularly those highlighted by privacy experts.
The widely criticized exemptions for the central government and its agencies remain unchanged in the Bill. It is understood that the central government can exempt “any instrumentality of the state” from adhering to the data protection provisions on grounds of national security, foreign government relations, and maintaining public order, among other reasons.
Additionally, the control of the central government in appointing members of the data protection board, which serves as an adjudicatory body for privacy-related grievances and disputes, has also been retained. The central government will appoint the chief executive of the board and determine the terms and conditions of their service.
There are concerns that the new law might weaken the Right to Information (RTI) Act, as it could protect the personal data of government officials, making it difficult to share such information with an RTI applicant.
Changes to the 2023 version
In the final draft of the Bill, a significant change has been introduced concerning the handling of cross-border data flows to international jurisdictions. The approach has shifted from a ‘whitelisting’ mechanism to a ‘blacklisting’ approach.
In the earlier proposed version, data could be transferred globally by default to all jurisdictions except those listed in a specified ‘negative list’ of countries, essentially a blacklist of nations where data transfers would be prohibited. However, in the draft released for public consultation in November, it was mentioned that the central government would notify countries or territories in a ‘whitelist’ where personal data of Indian citizens could be transferred, meaning transfers would only be allowed to those specified jurisdictions.
Another noteworthy change is related to the provision on “deemed consent” in the previous draft. The rewording of this provision is expected to impose stricter requirements on private entities, while still permitting government departments to assume consent for processing personal data on grounds of national security and public interest.
India vs the rest of the world
India will be joining several other countries, including several developing and third-world countries, that have their own personal data protection laws. The three major bills that seem to have been the basis for most other countries were those of the US, EU and China.
The draft Personal Data Protection Bill in India seems to be a balance of the three models while keeping a focus on end users, or the Indian population. Having said that, Indian corporations have a degree more access and leeway to data than foreigners.
China Model: China has recently implemented new data privacy and security laws, including the Personal Information Protection Law (PIPL), which took effect in November 2021. The PIPL grants Chinese data subjects new rights and aims to prevent the misuse of personal data.
The Data Security Law (DSL), which became effective in September 2021, introduces certain key requirements for businesses. One of the provisions mandates the categorization of business data based on its level of importance. Additionally, the DSL imposes new restrictions on cross-border transfers of data. These measures are aimed at enhancing data security and safeguarding sensitive information within and outside the country.
EU Model: The GDPR is a comprehensive data protection law that regulates the processing of personal data. While some critics argue that it is overly strict and places significant obligations on data processing organizations, it serves as the primary model for data protection legislation worldwide.
US Model: The US model of privacy protection emphasizes “liberty protection” with a focus on safeguarding individuals’ personal space from government intrusion. However, it is perceived to have a narrower scope, as it allows the collection of personal information as long as individuals are informed about such collection and use.