House Talk | Data Protection Bill: A Look at Its Scope & Right to Privacy Roots
House Talk | Data Protection Bill: A Look at Its Scope & Right to Privacy Roots
The Digital Data Protection Bill is a crucial component of the broader framework of technology regulations being developed by the government, which also includes the Digital India Bill, the Indian Telecommunication Bill, 2022, and a policy governing non-personal data

The government is set to table The Digital Data Protection Bill in Parliament on Thursday, aiming to make entities like internet companies, mobile apps, and business houses more accountable and answerable about collection, storage and processing of the data of citizens as part of Right to Privacy.

The initial draft of the Bill was introduced in November and underwent several rounds of public consultation. Taking into account the feedback received during these consultations, a second draft was prepared and subsequently underwent inter-ministerial discussions. It was approved by the Union Cabinet on July 5.

This Bill is a crucial component of the broader framework of technology regulations being developed by the government, which also includes the Digital India Bill (the proposed successor to the Information Technology Act, 2000), the Indian Telecommunication Bill, 2022, and a policy governing non-personal data.

DIGITAL PERSONAL DATA PROTECTION BILL, 2022

The Bill will have jurisdiction over the processing of digital personal data in India. This includes data collected online or offline and later digitized. The Bill will also apply to the processing of data outside of India if it involves offering goods or services or profiling individuals in India.

Under the Bill, personal data can only be processed for lawful purposes with the individual’s consent. In certain cases, consent may be implied. Data fiduciaries are required to ensure the accuracy and security of the data and delete it once its purpose has been fulfilled.

The Bill grants individuals certain rights, including the right to access information, request corrections and deletions, and seek redressal for grievances, according to PRS India.

The government may exempt its agencies from certain provisions of the Bill based on specified grounds such as national security or public order.

To enforce compliance with the Bill, the government will establish the Data Protection Board of India. However, exemptions granted to the government for data processing on grounds like national security raise concerns about the potential violation of the right to privacy.

The Bill treats private and government entities differently regarding consent and storage limitations, which may violate the right to equality.

The composition and functioning of the Data Protection Board of India will be determined by the central government, raising questions about its independence.

The Bill does not provide for the right to data portability or the right to be forgotten. Data fiduciaries must obtain verifiable consent from the legal guardian before processing a child’s personal data. This requirement may have implications for anonymity in the digital realm.

IS IT A MONEY BILL?

The government clarified on Thursday that the Bill will not money bill but a normal bill.

Congress leader Manish Tewari had earlier asked how the Digital Data Protection Bill can be classified as a financial bill, and had said it should be considered as a regular bill. “How Did the Digital Data Protection Bill get classified as a Financial Bill suddenly… It needs to be considered as a regular bill and go to a JPC (Joint Parliamentary Committee) again,” he tweeted.

The work on the data protection bill started after the Supreme Court ruled that Right to Privacy is a fundamental right.

The government had in August last year withdrawn the personal data protection bill, which was first presented in late 2019, and issued a new version of the draft bill in November 2022. The draft bill had earned criticism around the government getting power to exempt entities from various clauses of the bill.

Key Features

  • Scope of Application: The Bill will be applicable to the processing of digital personal data in India, whether collected online or offline and digitized. It will also apply to the processing of personal data outside of India if it involves offering goods or services or profiling individuals in India. Personal data refers to any data that can identify an individual, and processing includes activities such as collection, storage, use, and sharing, according to PRS India.
  • Consent: Personal data can only be processed for lawful purposes with the individual’s consent. Consent must be obtained through a notice that provides details about the data to be collected and the purpose of processing. Individuals have the right to withdraw consent at any time. Consent is deemed given in certain cases where processing is necessary for functions under the law, provision of services or benefits by the State, medical emergencies, employment purposes, and specified public interest purposes like national security and fraud prevention. For individuals below 18 years of age, consent will be provided by their legal guardian.
  • Rights and Duties of Data Principals: Data principals (individuals whose data is being processed) have the right to access information about processing, request correction and erasure of their personal data, nominate another person to exercise their rights in case of death or incapacity, and seek grievance redressal. Data principals also have certain duties, including not registering false or frivolous complaints and providing accurate information. Violation of these duties may result in penalties.
  • Obligations of Data Fiduciaries: Data fiduciaries, the entities determining the purpose and means of processing, must make efforts to ensure data accuracy and security. They must implement reasonable security safeguards to prevent data breaches and inform the Data Protection Board of India and affected individuals in case of a breach. Personal data should be deleted once the purpose of processing has been fulfilled, except when retention is necessary for legal or business purposes. The storage limitation requirement does not apply to government entities.
  • Transfer of Personal Data outside India: The central government will notify countries where data fiduciaries can transfer personal data. Such transfers will be subject to prescribed terms and conditions.
  • Exemptions: Certain rights of data principals and obligations of data fiduciaries, except for data security, may not apply in specific cases such as prevention and investigation of offences and enforcement of legal rights. The central government can exempt certain activities through notification, including processing by government entities in the interest of state security and public order, as well as research, archiving, or statistical purposes.
  • Data Protection Board of India: The central government will establish the Data Protection Board of India, which will monitor compliance, impose penalties, direct data fiduciaries in case of data breaches, and address grievances. The government will determine the composition, selection process, terms and conditions of appointment, and removal procedure for the Board.
  • Penalties: The Bill specifies penalties for various offences, ranging from up to Rs 150 crore for non-fulfillment of obligations concerning children’s data to up to Rs 250 crore for failure to implement security measures to prevent data breaches. The Board will impose penalties after conducting an inquiry.

What's your reaction?

Comments

https://shivann.com/assets/images/user-avatar-s.jpg

0 comment

Write the first comment for this!