CONTEXT AND BACKGROUND TO THE DRAFT DIGITAL PERSONAL DATA PROTECTION BILL, 2022.
India’s Ministry of Electronics and Information Technology (MeitY) has recently unveiled the long-awaited draft Digital Personal Data Protection Bill, 2022 (DPDP Bill). This bill follows a series of previous drafts that have been introduced and withdrawn by the Ministry since mid-2018, reflecting its ongoing efforts to establish a comprehensive data protection framework in the country. The DPDP Bill, introduced shortly after the withdrawal of its predecessor, the Personal Data Protection Bill, 2019, aims to govern the processing of digital personal data while acknowledging both the individual's right to safeguard data and the lawful purposes for data processing. The next step is for the bill to be tabled in the upcoming monsoon session, although it retains many contentious issues, which are discussed later in this article.
The processing of personal data, which pertains to identifiable individuals, holds great importance for businesses and government entities in the delivery of goods and services. It also plays a crucial role in law enforcement efforts. However, the unchecked and unregulated processing of personal data poses significant risks to individuals’ privacy rights, which are recognized as fundamental rights. Such risks encompass potential harm in the form of financial loss, reputational damage, and the creation of detailed profiles. Currently, India does not have a standalone law on data protection; the subject is regulated under the Information Technology Act, 2000. It was only much later that the government observed that this Act alone cannot ensure the protection of data, and a renewed law became imperative.
WHAT DOES THE BILL ENTAIL?
Hence, the Digital Data Protection Bill (DPDB) 2022 has been introduced to reinforce the long-standing notions of data security and the “Right to Privacy”. This is not exactly the first attempt to introduce such a law, but it is definitely an attempt to redefine digital engagement for the intermediary organisations engaging with private and public entities in various sectors.
The bill aims to safeguard the privacy and protect the rights of individuals with respect to their personal information. It introduces several important rights for individuals, such as the right to be forgotten, the right to access and correct personal data, and the right to data portability. It also establishes a framework for data protection and imposes obligations on data fiduciaries (entities that collect and process personal data) to handle data in a responsible and secure manner.
The ambit of the proposed Bill extends to the processing of digital personal data within the territorial boundaries of India, encompassing scenarios where such data is either collected through online means or obtained offline but subsequently digitized. Additionally, the provisions of the Bill will be applicable to the processing of personal data outside India if it pertains to the offering of goods or services or involves the profiling of individuals residing within India. For the purpose of this legislation, personal data is defined as any information relating to an identified or identifiable individual. The term “processing”, on the other hand, is understood in this context as a series of automated operations or actions carried out on digital personal data, encompassing activities such as data collection, storage, utilization, and sharing.
RELEVANCY OF THE BILL FOR VARIOUS STAKEHOLDERS
As it stands, the proposed bill does not necessarily seek to prevent the usage of personal data; instead, it recognises the importance of data in a growing digital economy and aims to balance individual personal rights against the commercial interests of industries. The rights that have remained a focal point in the bill are the Right to Information, Right to Withdraw Consent, Right to Correction and Erasure, Right of Grievance Redressal and Right to Nominate.
Further, the bill shifts accountability towards the data fiduciary, which refers to the entity responsible for determining the purpose and methods of data processing and which is obligated to undertake reasonable measures to ensure the accuracy and comprehensiveness of the data. Under this bill, the data fiduciary is required to establish adequate security safeguards to mitigate the risk of a data breach and to promptly notify both the Data Protection Board of India and the affected individuals in the event of such an incident. Additionally, the data fiduciary must discontinue the retention of personal data once its intended purpose has been fulfilled, unless the retention is necessary for legal or business justifications (in accordance with the principle of storage limitation).
For businesses and organizations, the bill imposes various obligations to protect the privacy and security of personal data. It requires them to obtain consent before collecting and processing personal information, and also mandates the implementation of robust data protection measures. Additionally, the bill introduces provisions for cross-border transfer of data, requiring certain categories of sensitive personal data to be stored and processed only within India. For businesses and organizations, compliance with the Digital Data Protection Bill will require investments in data protection infrastructure, systems, and processes. They will need to review their data handling practices, implement stronger security measures, and ensure they have mechanisms in place to respond to data breaches and individual requests. The Digital Data Protection Bill aims to enhance accountability for entities, including internet companies, mobile apps, and businesses, regarding their data practices. It introduces strict penalties of up to Rs 250 crore per instance for violations, showcasing a strong dedication to upholding data protection standards. The Digital Data Protection Bill is relevant in the context of the increasing digitization of various sectors and the growing concern over data privacy. With the proliferation of technology and the collection of massive amounts of data, there is a need to establish a comprehensive legal framework that addresses the challenges and risks associated with data protection. The bill aims to bring India in line with global data protection standards and promote trust in digital transactions and services.
The legislation holds significant implications for various stakeholders. For individuals, it ensures greater control and protection of their personal data, allowing them to exercise their rights and make informed choices regarding their privacy. It enhances transparency and accountability in the handling of personal information, fostering trust between individuals and organizations. The bill also has implications for the government, as it establishes a regulatory framework for data protection. The Data Protection Authority or the Data Protection Boards will play a crucial role in overseeing compliance and enforcing the provisions of the legislation. The government will need to ensure the effective functioning of the DPA and provide the necessary resources to address the evolving challenges in data protection.
KEY ISSUES HIGHLIGHTED
Critical scrutiny of the bill by legal and political organisations brings certain shortcomings associated with the Bill to the forefront. The Digital Personal Data Protection Bill (DPDPB) 2022 essentially did not succeed in addressing all the concerns associated with data protection and fell short of accommodating the feedback on the previous Data Protection Bill 2021, which was collected from diverse stakeholders over the years. Along with the evident opacity regarding the feedback received, it is also argued to have certain shortcomings:
● The DPDPB, 2022 fell short of addressing data protection concerns and failed to include extensive feedback from stakeholders gathered during the consultation process for the Data Protection Bill, 2021.
● It further exhibited various shortcomings, including the prioritization of data processing over privacy rights, provisions allowing the assumption of consent, imposition of duties on Data Principals, wide exemptions for the government, and inadequate surveillance reform.
● The bill also raised doubts about the independence of the regulatory authority and left key provisions open to executive rule-making. A more comprehensive and robust approach to data protection legislation is needed to address these concerns effectively.
● The nomenclature of the Bill, the Digital Personal Data Protection Bill, signifies its specific emphasis on the protection of personal data in the digital domain. In Section 2(13), the Bill provides a definition for “personal data,” yet it does not explicitly outline the parameters of “digital data.” In light of its exclusive focus on digital personal data, it can be inferred that the legislative intent was to exclude the application of this Bill to personal data stored in formats other than digital. Consequently, in instances where a breach involves personal data stored in non-digital forms, the provisions and safeguards offered by the 2022 Bill may not be applicable.
CONCLUSION
The bill is a significant step towards strengthening data protection and privacy rights in an increasingly digitising nation. It recognizes the importance of safeguarding personal data in the digital age and aims to strike a balance between individual privacy and the legitimate interests of businesses and organizations. As the bill progresses through the legislative process, it will shape the future of data protection in India in several ways, have a profound impact on the digital ecosystem, and spark a substantial debate on digital and privacy rights in the country.
[Written by Saakhi, Research Intern, Policy Matrix]