Draft digital data protection Bill tabled for comments

Source: The post is based on the following articles:

a) “Draft digital data protection Bill tabled for comments” published in The Hindu on 19th November 2022

b) “Draft digital personal data protection bill: Govt exemptions ‘vague’, little regulator independence, say experts” published in Indian Express on 19th November 2022.

What is the News?

The Ministry of Electronics and IT has released the new draft – the Digital Personal Data Protection Bill, 2022.

Note: The revised draft was released after the government withdrew an earlier version that sparked outrage from Big Tech and civil society.

About the Draft – the Digital Personal Data Protection Bill, 2022:

Source: Economic Times

Purpose: To provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.

Principles: The Bill is based on seven principles: 1) usage of personal data by organizations must be done in a manner that is lawful, fair to the individuals concerned, and transparent to individuals 2) personal data must only be used for the purposes for which it was collected 3) data minimization which means minimum and only necessary data should be collected to fulfill a purpose. 4) emphasis should be on data accuracy when it comes to collection 5) personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration 6) There should be reasonable safeguards to ensure there is “no unauthorized collection or processing of personal data” and 7) The person who decides the purpose and means of the processing of personal data should be accountable for such processing”.

Key Provisions of the Bill:

Data Principal and Data Fiduciary: The bill uses the term “Data Principal” to denote the individual whose data is being collected.

– The term “Data Fiduciary” the entity (can be an individual, company, firm, state, etc.), which decides the “purpose and means of the processing of an individual’s personal data.”

– The Bill also makes a recognition that in the case of children –defined as all users under the age of 18— their parents or lawful guardians will be considered their ‘Data Principals.’

Personal data: Under the bill, personal data is “any data by which or in relation to which an individual can be identified.”

Individual consent: The bill makes it clear that individuals need to give consent before their data is processed.

Significant Data Fiduciaries: The bill talks of ‘Significant Data Fiduciaries, who deal with a high volume of personal data. The Central government will define who is designated under this category based on a number of factors ranging from the volume of personal data processed to the risk of harm to the potential impact on the sovereignty and integrity of India.

Right to erase data: Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.

Cross-border data transfer: The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.”

Exemptions to agencies: The Central government can issue notifications to exempt its agencies from adhering to provisions of the draft law for national security reasons.

A Data Protection Board is the adjudicating body to enforce the provisions of the Bill.

Penalties: The Bill proposes to impose significant penalties on businesses that undergo data breaches or fail to notify users when breaches happen.

What are the concerns with the Bill?

Firstly, wide-ranging exemptions to the Centre and its agencies with little to no safeguards in place. This may not qualify the test of ‘necessity’ and ‘proportionality’ as laid down in the landmark right to privacy judgment of 2017.

Secondly, the appointment of the chairperson and members of the proposed Data Protection Board is completely left to the discretion of the central government. This is unlike the Data Protection Authority (under the 2019 Bill), which was envisaged to be statutory.