- Prelims: Personal Data Protection Bill, Justice B N Srikrishna
- Mains GS Paper II and III: Right to privacy, Personal Data Protection Bill, Joint Committee of Parliament (JCP) on the Bill etc
ARTICLE HIGHLIGHTS
- In August 2022, the government withdrew the bill and on November 18th released the fourth iteration of the data privacy legislation: The Digital Personal Data Protection Bill, 2022 (Bill).
INSIGHTS ON THE ISSUE
Context
Background of data privacy law:
- Started in 2010 with the constitution of the Justice Srikrishna Committee.
Justice BN Srikrishna Committee Data Protection Report:
- The Committee was constituted by the union government in July 2017, to deliberate on a data protection framework.
- The Supreme Court in its Puttaswamy judgment, 2017: It declared privacy a fundamental right.
- Interests of citizens: The report has emphasized that interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.
- It proposed a draft Personal Data Protection Bill.
New Data Protection Bill:
- Inclusion of the word “digital” in the Bill’s title speaks to India’s long standing goal of being a digitally forward society.
- Bill has two major stakeholders:
- Data Principal
- Data Fiduciary.
- Data Principal: It refers to the subject whose data is being processed
- Data Fiduciary: It is an entity that processes this data.
- fiduciary” whilst referring to a data processor is significant.
- The relationship between the two is guided by:
- trust, assurance and good faith.
- Data Fiduciary: It is responsible for safeguarding the interests of Data Principals.
- Bill describes:
- the obligations of the Data Fiduciaries towards Data Principals
- the rights and duties of the latter
- regulatory framework through which data will be processed.
- Bill lists the “duties” of the Data Principals: these have no bearing on the realization of the rights provided by the Bill.
Important aspects of bill:
- In addition to the general obligations to prevent the misuse of the personal data of individuals
- The Bill has outlined a category of Significant Data Fiduciaries entities: that are required to comply with additional measures to safeguard the personal data of individuals.
- Only companies that process vast amounts of data or have a potential impact on the country’s sovereignty and integrity need to take such stringent measures.
- Such measures reduce the compliance cost of companies that are at a nascent stage.
- Data localisation” in the previous versions of the Bill, have been omitted: The reworked Bill permits the government to notify countries to which data transfers may be permitted.
Issues:
- Section 25: It refers to the quantum of financial penalty that must be imposed on a person guilty of non-compliance in matters related to detail.
- The focus remains only on the nature and gravity of the violation.
- Financial ranking: The proposed legislation does not consider the financial ranking of a company before imposing penalties.
Need for data protection:
- Large internet coverage: India currently has over 750 million Internet users, with the number only expected to increase in the future.
- Digital India: The Government is also making a strong push for a ‘Digital India’, with increased focus on digitisation of access to health, ration, banking, insurance, especially after the COVID-19 pandemic.
- Inter-linking of data: There is a greater focus on the inter-linking of data, whether through facial recognition, Aadhaar, or the Criminal Procedure (Identification) Act, 2022.
- Highest data breaches: India has among the highest data breaches in the world.
- Around 18 of every 100 Indians have been affected by data breaches since 2004.
- Risk of data: Without a data protection law in place, the data of millions of Indians continues to be at risk of being exploited, sold, and misused without their consent.
- Non-enforcement of FR against private non-state entities: Unlike state action, corporate action or misconduct is not subject to writ proceedings in India.
Way Forward
- Govt to notify countries for data transfer: It is a major respite for several tech companies, who have long talked about the infeasibility of the data localisation provisions.
- A balance has now been struck between the legitimate concerns of businesses and the protection of personal data of individuals.
- Penalties imposed: The Bill must ensure that the penalties imposed are proportionate to the size and operations of a company – to be effective, fines must not drive companies into economic loss.
- European Union’s General Data Protection Regulation (GDPR): amongst other similar regulations, which levies penalties in accordance with the total turnover of companies.
- The Bill safeguards individual data, whilst also promoting cooperation between data fiduciaries and the government.
- It draws upon the best practices of foreign jurisdictions: such as Europe and Australia
- It has been drafted as per India’s requirements.
- The exemptions granted to the Centre are extremely restrictive and in sync with past judicial precedents and Article 19(2) of the Constitution.
- Bill marks a transition from legalese to legal simplification: It realizes that it is in our best interests to ensure that all laws especially legislation that have a significant impact on citizens are made accessible to all individuals irrespective of their professional or educational standing
QUESTION FOR PRACTICE
Q. What is the CyberDome Project? Explain how it can be useful in controlling internet crimes in India. (UPSC 2019) (200 WORDS, 10 MARKS)
Q. Examine the scope of Fundamental Rights in the light of the latest judgment of the Supreme Court on Right to Privacy. (UPSC 2017) (200 WORDS, 10 MARKS)
