About Digital Personal Data Protection Bill: Finger On The Future

Source: The post is based on the following articles

“Finger On The Future” published in The Times of India on 30^th November 2022.

“India’s law should be practical about breaches of data” published in the Livemint on 30^th November 2022.

Syllabus: GS 2 – Government policies and interventions for development in various sectors and issues arising out of their design and implementation.

Relevance: About Digital Personal Data Protection Bill.

News: The Union government has released the Digital Personal Data Protection Bill for public comment.

Why does India need a proper data protection policy?

India needs a proper data protection policy because,

a) India, with over 820 million internet users, soon to touch 1. 2 billion, has become the world’s largest connected democracy, with the largest presence on the global internet, b) China has heavily censored the internet (or intranet). On the other hand, the internet in India, India is open, accessible and interconnected to the global digital network, just like Western democracies, c) With India assuming the presidency of G20 and also council chairmanship of the Global Partnership on Artificial Intelligence, it is natural for India to take a leadership role in shaping the future of technology.

What are the advantages of the Digital Personal Data Protection Bill, 2022?

a) Compliance burden is proportional and minimal, b) The adjudicating authority, the Data Protection Board, is independent and has a specific role of adjudicating disputes and determining financial penalties in the event of breaches, c) All standards for the larger data ecosystem will be set by MeitY through its India Data Management office, and d) The Bill is aligned to the tests of legality, necessity and proportionality as laid out by the Supreme Court.

What are the concerns associated with the Digital Personal Data Protection Bill, 2022?

-Unlike previous drafts and most data protection legislation around the world, the Bill makes no mention of the time limit. Such as how soon a notification should be made or any other remedial action that ought to be taken.

-The draft bill required to notify every affected data principal of the data breach. Not every data breach puts data at risk. Further, over-reporting will cause unnecessary panic initially and over time a serious data breach might be taken lightly by the public.

How does the new Digital India Act make India’s digital space comprehensive?

India has established a comprehensive future-ready framework for the digital economy and ecosystem consisting of IT Act & IT rules, cybersecurity directions, the National Data Governance Framework Policy, the Digital Data Protection Bill, and soon to be unveiled Digital India Act (as a successor to the 22-year-old IT Act). All this will make India’s digital space comprehensive.

What are the challenges associated with creating a data protection policy?

Need swift policy response: Agile and dynamic tech developments require agile and responsive governance. But governments around the world have lagged in swift response in framing laws and regulations to the rapidly shifting and growing challenges of crime, harassment and political interference.

No standard definition of privacy in India: Since the 2017 Right to Privacy judgment, policymaking on the digital economy focuses on trust, growth and governance. But there is no standard definition of privacy in India.

What should be done to improve data protection?

Increase data protection: Most people use a single strong password that is used across a variety of services. Thus, a single data breach puts various services at risk. This can be prevented by a) Using a password manager can greatly reduce the cascading consequences of data breach incidents, b) Promote users to use two-factor authentication.

Report only potential breaches: Data fiduciaries should report only those incidents that are likely to result in a high risk to the rights and freedoms of natural persons. This is followed by the European General Data Protection Regulation.