A revised version of the Personal Data Protection Bill, now known as the Digital Personal Data Protection Bill, 2022, has been released by the Union Government. The Bill has been introduced 3 months after the withdrawal of the Personal Data Protection Bill, 2019.

The Seven Principles of the 2022 Bill

  1. Firstly, organizations must use personal data in a way that is lawful, fair to the individuals involved, and transparent to them.
  2. Secondly, personal data must only be used for the purposes for which it was collected.
  3. The third principle concerns data minimization.
  4. The fourth principle emphasizes data accuracy when it comes to collection.
  5. The fifth principle states that personal information cannot be “stored perpetually by default” and should only be preserved for a specific amount of time.
  6. The sixth principle says that there should be reasonable safeguards to ensure there is “no unauthorized collection or processing of personal data”.
  7. The seventh principle states that “the person who decides the purpose and means of the processing of personal data should be accountable for such processing”.

 

Key Features of the Digital Personal Data Protection Bill

Data Principal and Data Fiduciary:

Data Principal refers to the individual whose data is being collected.
In the case of children (<18 years), their parents/lawful guardians will be considered their “Data Principals”.
Data Fiduciary is the entity (individual, company, firm, state, etc.) which decides the “purpose and means of the processing of an individual’s personal data”.
Personal Data is “any data by which an individual can be identified”.
Processing means “the entire cycle of operations that can be carried out in respect of personal data”.

Significant Data Fiduciary: Significant Data Fiduciaries are those who deal with a high volume of personal data. The Central government will define who is designated under this category based on a number of factors.
Such entities will have to appoint a ‘Data protection officer’ and an independent Data Auditor.

Rights of Individuals:

  • Access to Information: The bill ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
  • Right to Consent: Individuals need to give consent before their data is processed and “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing”.
    Individuals also have the right to withdraw consent from a Data Fiduciary.
  • Right to Erase: Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
  • Right to Nominate: Data principals will also have the right to nominate an individual who will exercise these rights in the event of their death or incapacity.

Data Protection Board:

  • The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill.
  • In case of an unsatisfactory response from the Data Fiduciary, the consumers can file a complaint to the Data Protection Board.

Cross-border Data Transfer:
The bill allows for cross-border storage and transfer of data to “certain notified countries and territories” provided they have a suitable data security landscape, and the Government can access data of Indians from there.

Financial Penalties:

For Data Fiduciary:
• The bill proposes to impose significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen.
• The penalties will range from Rs. 50 crores to Rs. 500 crores.
For Data Principal:
• If a user submits false documents while signing up for an online service, or files frivolous grievance complaints, the user could be fined up to Rs 10,000.

 
Exemptions:

  • The government can exempt certain businesses from adhering to provisions of the bill on the basis of the number of users and the volume of personal data processed by the entity.
  • This has been done keeping in mind the country's startups, which had complained that the Personal Data Protection Bill, 2019 was too “compliance intensive”.
  • National security-related exemptions, similar to the previous 2019 version, have been kept intact.
  • The Centre has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognisable offense.

 

Why is Digital Personal Data Protection Bill Significant?

  • The new Bill offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography.
  • It offers a relatively soft stand on data localisation requirements and permits data transfer to select global destinations which are likely to foster country-to-country trade agreements.
  • The bill recognises the data principal’s right to postmortem privacy (Withdraw Consent) which was missing from the PDP Bill, 2019 but had been recommended by the Joint Parliamentary Committee (JPC).

 

How has India Strengthened its Data Protection Regime?

Justice K. S. Puttaswamy (Retd) vs Union of India 2017:

In August 2017, a nine-judge Supreme Court panel ruled in Justice K. S. Puttaswamy (Retd) vs. Union of India that Indians have a basic right to privacy that is safeguarded under Article 21 of the Constitution.

B.N. Srikrishna Committee 2017:

The Government appointed a committee of experts on data protection under the chairmanship of Justice B N Srikrishna in August 2017, which submitted its report in July 2018 along with a draft Data Protection Bill.
The Report has a wide range of recommendations to strengthen privacy law in India including restrictions on the processing and collection of data, Data Protection Authority, the right to be forgotten, data localisation, etc.

Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021:

Social media platforms are required to show extra caution regarding the material on their platforms under IT Rules (2021).

 

Data Protection Laws in Other Nations

European Union Model:

  • The European Union's model is the General Data Protection Regulation, a thorough data protection law for the handling of personal data.
  • In the EU, the right to privacy is recognized as a basic right that aims to safeguard a person’s self-respect and control over the data they produce.

US Model:

  • The US has only limited sector-specific legislation, as opposed to a complete set of privacy rights or principles that, like the EU’s GDPR, govern the use, collection, and disclosure of data.
  • The public and commercial sectors take diverse approaches to data protection.
  • The use of personal information by the government is well-defined and covered by sweeping laws like the Electronic Communications Privacy Act and the Privacy Act.
  • For the private sector, there are some sector-specific norms.

China Model:

  • The new Chinese laws on data privacy and security, issued over the last 12 months, include the Personal Information Protection Law (PIPL), which came into effect in November 2021.
  • It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.
  • The Data Security Law (DSL), which came into force in September 2021, requires business data to be categorized by levels of importance and puts new restrictions on cross-border transfers.