- The Digital Personal Data Protection Bill, 2022, a draft of which was released for public consultation last year is expected to be tabled in Parliament’s Monsoon Session this year (2023). This article discusses the concerns surrounding the bill and the probable solutions to fix them.
Important Provisions of Draft Digital Personal Data Protection Bill, 2022,
- The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized. It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
- Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offenses.
- The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
Concerns surrounding the bill
- Exemptions may violate right to privacy: Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing and retention beyond what is necessary. This may violate the fundamental right to privacy.
- Appointment of Data Protection Board of India: The central government will prescribe the composition, manner and terms of appointments to the Data Protection Board of India. This raises a question about the independent functioning of the Board.
- Limited scope: In its scope and definition, the DPDP Bill only protects personal data, however in the modern data economy, entities use both personal and non-personal data to target, profile, predict, and monitor users.
- Personal data refers to any data that has the potential to directly or indirectly identify an individual.
- Non-personal data is typically anonymous data that does not relate to a particular individual. For example, aggregate data on products which numerous users look at between 9pm and 11pm on Amazon.
- Limited reach of data protection board: Inability of the proposed data protection board to initiate a proceeding of its own accord is a critical concern given that it is the authority that is entrusted with enforcing this law.
- Limited knowledge of the users: In the data economy, users have less control and limited knowledge of data transfers and exchanges.
- A penal provision in the Bill that provides for financial penalties on data-processing entities for the re-identification of non-personal data into personal data has to be included.
- A provision in the DPDP Bill should be made that allows the data protection board to initiate complaints on its own on the lines of the Competition Commission of India that has the power to initiate inquiries on its own.
- An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, according to the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organization within the United Nations Secretariat.
- Africa and Asia show 61% (33 countries out of 54) and 57% (34 countries out of 60) adoption respectively. Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
- EU model: The General Data Protection Regulation (GDPR) focuses on a comprehensive data protection law for processing of personal data. It has been criticized for being excessively stringent, and imposing many obligations on organizations processing data, but it is still the template for most of the legislation drafted around the world.
- US model: Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government. It is viewed as being somewhat narrow in focus, because it enables collection of personal information as long as the individual is informed of such collection and use.
- China model: New Chinese laws on data privacy and security issued over the last 12 months include the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.