The Digital Personal Data Protection Bill, 2023 Flashcards

1
Q

Why in news?

A

Recently, Lok Sabha passed the Data Protection Bill, India’s 2nd attempt at framing a privacy legislation.

2
Q

What is the history of Data Protection Bill?

A

In 2017, the central government constituted the B.N. Srikrishna Committee to examine issues relating to data protection in the country.
Based on the recommendation of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha.
It is formulated based on the European Union's data regulation, the General Data Protection Regulation (GDPR), which empowers citizens to have a greater say in how their online data is used.

3
Q

What are the key features of the bill?

A

Applicability- The Bill applies to the processing of digital personal data within India where such data is
Collected online, or
Collected offline and is digitised.
It will also apply to the processing of personal data outside India if it is for offering goods or services in India.
Consent- Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
Consent may be withdrawn at any point in time.
Rights of data principal- Data principal is an individual whose data is being processed. He/She will have the right
To obtain information about processing
To seek correction and erasure of personal data
To nominate another person to exercise rights in the event of death or incapacity and
Grievance redressal
Duties of Data Principals- Data Principals must not
Register a false or frivolous complaint
Furnish any false particulars or impersonate another person in specified cases
Violation of duties will be punishable with a penalty of up to Rs 10,000.
Obligations of data fiduciaries- Data fiduciary is the entity determining the purpose and means of processing.
Data fiduciary must
Make reasonable efforts to ensure the accuracy and completeness of data
Build reasonable security safeguards to prevent a data breach
Inform the Data Protection Board of India and affected persons in the event of a breach
Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes
In case of government entities, storage limitation and the right of the data principal to erasure will not apply.
Personal data outside India- It allows transfer of personal data outside India, except to countries restricted by the central government through notification.
Exemptions- Rights of the data principal and obligations of data fiduciaries will not apply in specified cases such as
Prevention and investigation of offences
Enforcement of legal rights or claims
The Central government may exempt certain activities
In the interest of the security of the state and public order
Research, archiving, or statistical purposes
Data Protection Board of India- It will be established by the Central Government. Key functions of the Board include
Monitoring compliance and imposing penalties
Directing data fiduciaries to take necessary measures in the event of a data breach
Grievance redressal
Appeal- The decisions of the board can be appealed to Telecom Dispute Settlement and Appellate Tribunal.

4
Q

PENALTY

A

Penalty - Reason
Rs 200 crore - Non-fulfilment of obligations for children
Rs 250 crore - Failure to take security measures to prevent data breaches

5
Q

What is the significance of the bill?

A

Multi-pronged approach - This framework encompasses various legislative measures such as the
Digital India bill that would replace existing Information Technology Act, 2000,
Draft Indian Telecommunication Bill, 2022, and
Policy addressing the governance of non-personal data.
Privacy - It will enhance the privacy cognizance of Indian citizens through transformative accountability measures to be adopted by enterprises.
Compliance- It is due to robust protection and security measures, combined with effective privacy policies and grievance redressal mechanisms.
Data breach- Multiple exemptions were provided to prevent data breaches such as the
Privacy breach in the CoWIN portal, where the personal details of vaccinated users had been leaked on Telegram.
Leak of 12,000 confidential records of State Bank of India employees, which were reportedly made public on Telegram.

6
Q

ISSUES

A

Article 21- It violates the fundamental right to privacy because of the exemptions provided to the State on grounds such as national security.
Regulation- The Bill does not regulate risks of harms arising from processing of personal data.
Rights - The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
Right to data portability- The right to data portability allows data principals to obtain and transfer their data from data fiduciary.

It is obtained for their own use, in a structured, commonly used, and machine-readable format.
It gives the data principal greater control over their data.
Right to be forgotten- It refers to the right of individuals to limit the disclosure of their personal data on the internet.

Personal data outside India- This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
Independence - The short term (2 years) of the members of the Data Protection Board of India with scope for re-appointment may affect the independent functioning of the Board.
Multiple exemptions- Exemptions citing national security etc., resemble China’s data regulation.
Right to Information (RTI) Act- The personal data of government functionaries is protected, making it difficult to share with an RTI applicant.
No compensation - Section 43A of IT Act, 2000 imposes an obligation on corporates to award damages to affected persons in case of negligent handling of their sensitive data. However, the Bill excludes the application of Section 43A.

7
Q

Models for data protection laws

A

European Union Model- The GDPR focuses on a comprehensive data protection law for the processing of personal data
Right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her right over the data that she generates.
Digital Services Act focuses on issues such as regulating hate speech, counterfeit goods etc.
Digital Markets Act has defined a new category of “dominant gatekeeper” platforms and is focused on non-competitive practices and the abuse of dominance by these players.
The US Model- Privacy protection is largely defined as a “liberty protection” which is focused on the protection of the individual’s personal space from the government.
There is no comprehensive set of privacy rights or principles that collectively address the use, collection and disclosure of data in the US.
China model- The Personal Information Protection Law (PIPL) gives data principals the right to prevent the misuse of personal data.
Data Security Law requires business data to be categorised by different levels of importance and puts new restrictions on cross-border transfers.
It gives the government overreaching powers to both collect data and regulate private companies that collect and process information.
Businesses may also be required to suspend operations until they demonstrate compliance.
India, too, has introduced a similar provision, where any platform that has violated its norms at least 2 times can be blocked by the Central government.
