Digital Personal Data Protection Bill 2022
The Digital Personal Data Protection Bill is legislation that sets out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations of the Data Fiduciary to use collected data lawfully on the other. The bill is based on the following principles around the Data Economy:
- The first principle is that the usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.
- The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected.
- The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected.
- The fourth principle of the accuracy of personal data is that reasonable effort is made to ensure that the personal data of the individual is accurate and kept up to date.
- The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.
- The sixth principle is that reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent a personal data breach.
- The seventh principle is that the person who decides the purpose and means of processing personal data should be accountable for such processing.
These principles have been used as the basis for personal data protection laws in various jurisdictions. The actual implementation of such laws has allowed the emergence of a more nuanced understanding of personal data protection wherein individual rights, public interest and ease of doing business, especially for startups, are balanced.
What is DPDP Bill, 2022?
- The Ministry of Electronics and Information Technology drafted the DPDP Bill in 2022, replacing the Personal Data Protection Bill of 2019.
- The Bill sets out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations of the Data Fiduciary to use collected data lawfully on the other.
- It is one of the four proposed legislations in the IT and telecom sectors to provide the framework for the rapidly growing digital ecosystem.
What is meant by Data governance?
- Data governance is the management and control of an organization's data assets.
- It ensures data is accurate, secure, compliant, and used effectively, through policies, standards, stewardship, quality management, security, privacy, and lifecycle management.
Who are Data fiduciaries?
- Data fiduciaries (organizations or individuals) handle personal data on behalf of others, ensuring its privacy and protection.
- They include businesses, government agencies, service providers, and professionals who process or store personal data in compliance with applicable laws and regulations.
Who is a Data Principal?
- The DPDP Bill, 2022 defines a Data Principal as an individual whose data is being collected.
What is Data Portability?
- The ability of individuals to transfer personal data from one platform, service, or organization to another.
What is Data Interoperability?
- The ability of different systems, platforms, or services to seamlessly exchange and use data with one another.
Key Principles and Features of the DPDP Bill, 2022
- Personal data usage should be lawful, fair, and transparent
- Collection of the minimum necessary data, only for the specific purposes
- Storage of personal data limited to a fixed duration, not indefinite
- Implementing safeguards against unauthorized data collection and processing
- The bill defines Data Principals and Data Fiduciaries
- It grants rights such as information access, consent, and correction.
- A Data Protection Board ensures compliance, monitors, and penalises for data breaches
- Cross-border data transfer is allowed to specified countries with suitable data security
- Exemptions may be granted based on user volume and national security
- Empowers individuals with data control
The need for such a bill
- Increasing use of the internet and the associated risks to individuals' personal data
- Increasing prevalence of cyber threats and Data breaches: the need for legal frameworks
- Data monetization can compromise personal privacy; protecting individual privacy is crucial
- The absence of writ proceedings against corporate actions; the need for a data protection law; remedies for privacy violations
Advantages of the DPDP Bill, 2022
- Strengthens data protection measures and obligations to maintain the accuracy and security of personal data
- Promotes responsible data management practices: data minimization, purposeful dissemination, and authorized collection and processing of personal data
- Enhances user control and choice through data portability
- Provisions for accountability and remedies in case of privacy breaches: legal remedies
- Aligns India with international data protection standards, leading to smoother data transfers and trade relations with countries that prioritize privacy
- Strikes a balance between data protection and national interests
Concerns raised over the bill
- Wide-ranging exemptions for government agencies: undermine privacy protections
- Insufficient safeguards for the right to privacy: discretionary powers to the government
- Dilution of the role of the Data Protection Board: concerns about independence and effectiveness
- Open-ended language in certain provisions: ambiguity and misuse of power
- Lack of specific provisions for compensation in the case of data breaches
- Potential infringement on the RTI Act: reduction in transparency and accountability
- Challenges in standardization and compatibility for seamless data transfer and interoperability
Potential challenges in its implementation
- Implementing the provisions is both a compliance burden and technically challenging
- The requirement for local storage and processing of personal data: costs and operational complexities
- Diverse and interconnected digital landscape
- Complexities associated with cross-border data transfers
- Striking a balance between protecting privacy rights and promoting innovation and economic growth
- Keeping the legislation up-to-date and relevant to evolving data protection concerns
In comparison with other countries
- The EU's General Data Protection Regulation (GDPR) imposes stringent requirements and extensive obligations on organizations handling personal data
- India aims to align with GDPR to facilitate data transfers and trade relations
- The US relies on sectoral laws and focuses on individual liberties and protection from government intrusion
- China's recently implemented Personal Information Protection Law (PIPL) and Data Security Law (DSL) give individuals new rights over their personal data and impose restrictions on cross-border data transfers
India's efforts for its data protection regime
- In 2017, the Supreme Court's decision in K. S. Puttaswamy (Retd) vs Union of India, which recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution, laid the foundation for stronger data protection measures
- B.N. Srikrishna to propose a framework for data protection, including recommendations to strengthen privacy laws in India: data processing restrictions, a Data Protection Authority, the right to be forgotten, and data localization
- The Information Technology Rules 2021 mandate social media platforms and intermediaries to exercise greater diligence in handling content on their platforms
What more needs to be done?
- Conduct thorough stakeholder consultations with diverse perspectives and inputs
- Strengthen privacy safeguards by minimizing exemptions for government agencies
- Independence and effectiveness of the Data Protection Board
- Clarify and address concerns about potential violations of the right to privacy
- Provisions for data portability and the right to be forgotten
- Evaluate and mitigate potential implications for the RTI
- Continuously review and update the legislation to address emerging privacy challenges and technological advancements
- Raise awareness and educate individuals about their privacy rights
- International alignment with global privacy frameworks
Conclusion
The DPDP 2022 is a significant step towards safeguarding individuals' privacy rights and regulating data practices, but concerns remain regarding exemptions for government agencies and the independence of the Data Protection Board. With stakeholder collaboration, transparency, and continuous adaptation, we can empower individuals, foster innovation, and ensure a future where privacy and progress go hand in hand.