GS Paper 2
Syllabus: Government policies and issues arising out of it
Context: The Union Cabinet cleared the Digital Personal Data Protection (DPDP) Bill.
- With the Union Cabinet’s approval, the Centre has made a second attempt at framing legislation for the protection of data.
- The Bill is expected to be tabled in Parliament’s Monsoon Session that begins on July 20.
- The Bill, once it becomes law, will play a crucial role in India’s trade negotiations with other nations, especially regions like the EU, whose General Data Protection Rules (GDPR) are among the world’s most exhaustive privacy laws.
The Digital Personal Data Protection Bill:
- It will apply to the processing of digital personal data within India, and outside India if it is done for offering goods or services or for profiling individuals.
- It requires entities that collect personal data (data fiduciaries) to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- It is expected to allow “voluntary undertaking”, which means that organisations that violate its rules can bring the violation up to the data protection board – an adjudicatory body that will deal with privacy-related grievances and disputes.
- The board may decide to stop legal action against the organisation by accepting settlement payments.
- Higher financial penalties may be imposed for similar offences committed repeatedly.
- The highest penalty – to be levied for failing to prevent a data breach – has been prescribed at Rs 250 crore per instance.
What changes are likely from the original version (proposed in Nov 2022)?
- Cross-border data flows to international jurisdictions: Moving from a ‘whitelisting’ approach (where personal data of Indian citizens can be transferred) to a ‘blacklisting’ mechanism.
- A provision on “deemed consent” could be made stricter for private entities, while allowing government departments to assume consent while processing personal data on grounds of national security and public interest.
What is the significance of privacy law?
- Considering the dramatic expansion of the digital economy in the country, bringing in a robust data protection architecture is of critical importance.
- The Bill is a crucial pillar of the overarching framework of technology regulations, which also includes the Digital India Bill, the draft Indian Telecommunication Bill 2022, and a policy for non-personal data governance.
What are the concerns around the draft Bill?
- It has largely retained the contents of the original version.
- Wide-ranging exemptions for the central government and its agencies were among the most criticised provisions of the previous draft.
- The central government can exempt “any instrumentality of the state” from adhering to the provisions on account of national security, relations with foreign governments, maintenance of public order, etc.
- The control of the central government in appointing members of the data protection board and determining the terms and conditions of their service.
- The definition of “per instance” is subjective and is open to interpretation by the data protection board on a case-by-case basis.
- The law could dilute the Right to Information (RTI) Act, as the personal data of government functionaries is likely to be protected under it.
Comparing India’s proposal with other countries:
- According to the UNCTAD, 137 out of 194 countries have put in place legislation to secure the protection of data and privacy.
- Africa and Asia show 61% (33 countries out of 54) and 57% (34 countries out of 60) adoption respectively.
- Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
|Model|Approach|
|---|---|
|EU model|It has been criticised for being excessively stringent and imposing many obligations on organisations processing data, but it is still the template for most of the legislation drafted around the world.|
|US model|Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government.|
|China model|The Personal Information Protection Law (PIPL) gives Chinese data principals new rights as it seeks to prevent the misuse of personal data. The Data Security Law (DSL) requires business data to be categorised by levels of importance and puts new restrictions on cross-border transfers.|
Conclusion: This Bill needs to go through a process of extensive discussion in Parliament. The provisions need to be tightened, ambiguities removed, and discretion minimised.
The Digital Personal Data Protection Bill must ensure that individuals’ personal data is collected and processed in a manner that respects their privacy rights under Article 21 of the Indian Constitution. Comment.