Type To Search

logotype

Type To Search

Digital Protection Data Protection Bill, 2023 (DPDP Bill,2023)
Home GS- II Governance Government Policies and Interventions Digital Protection Data Protection Bill, 2023 (DPDP Bill,2023)
01 Nov

Digital Protection Data Protection Bill, 2023 (DPDP Bill,2023)

Government Policies and InterventionsBy Sheetal Giri0 Comments
674 Views 

< General Studies Home Page
Contents

Need of a Personal Data Protection Law

i. National Security: Unauthorized leaks, hacking, cyber-crimes, and frauds may negatively impact India’s national security.

ii. Preventing Misuse of Data: Misuse of data has become rampant for commercial and political activities: e.g. Cambridge Analytica

iii. Protecting Fundamental Rights of Citizens: Ensuring Right to Privacy which is a fundamental right (KS Puttaswamy judgement)

  • Increased digital penetration -> increase in personal data breaches from major service
    providers

iv. Strengthening of bargaining powers of Data Principals who generally have unequal bargaining powers with respect to data fiduciaries and a law is needed for empowering them.

v. Current data governance provisions have been ineffective in protecting users data.

  • Presently, IT Act 2000 and some other sector regulations govern how different agencies collect and process user’s data. However, these regimes fall short of providing effective protection to users and their personal data.
    • Under IT Act, the extant protection is premised on privacy being a statutory right, rather than a fundamental right.
    • It emphasizes on data security, but doesn’t emphasize data privacy enough.
    • It has limited understanding of the kinds of data to be protected.
    • It places scant obligations on the data fiduciaries which, moreover, can be overridden by contract/user consent and;
    • The regime is not applicable on government agencies and leaves a large vacuum for data protection as government itself collects and processes large amount of
      personal data.
  • Finally, the current regimen seems to be completely inadequate against the new technologies of data collection and processing which have emerged.

vi. Absence of Institutional Framework for data privacy and security. For e.g. there is a lack of independent supervisory authority such as privacy commissioner that individuals may approach in case of non compliance.

vii. There is also a need to regulate surveillance system to ensure there is a balance between government’s need of surveillance and citizen’s right to privacy.

viii. Right to Forget is increasingly being considered an integral part of right to privacy, but this is not available in India yet.

Some challenges in setting up an effective data protection regime:

i. Balancing Rights of Data Principals and need of data fiduciaries to process data.

ii. Balancing Right to Privacy of data principals and reasonable exceptions need for government.

iii. Due to fast changing technologies we need law which should be future proof, but at the same time it should not be very bulky and unduly detailed.

Therefore, government has been working on a Data protection bill since 2017 and a new Bill, the Digital Personal Data Protection Bill 2023 has been passed in both Lok Sabha and Rajya Sabha in Aug 2023

Key Provisions

i. Definitions:

1. Personal Data is defined as any data about an individual who is identifiable by or in
relation to such data.

2. Processing has been defined as wholly or partially automated operation or set of
operations performed on digital personal data.

ii. Unlike the 2019 bill, this bill narrows the scope of the data protection regime to personal data protection.

  • It will apply to the processing of digital personal data within India where such data is
    collected online, or collected offline and is digitized. It will also apply to such processing outside India, if it is for offering goods and services in India.

iii. Consent: Personal Data may be processed only for a lawful purpose upon consent of an
individual.

  • Consent may not be required for specified legitimate uses such as voluntary sharing of
    data by the individual or processing by the state for permits, licenses, benefits and
    services.

iv. Special Protection to Children: The bill places three conditions on data processing entities for children’s data:

  • Obtaining Verifiable consent; Not causing harm to children; and no tracking or
    monitoring children or targeting ads to them.

v. Rights and Duties of Data Principal:

  • Right to obtain information about processing, seek correction and erasure; Nominate
    other person to exercise rights in the event of death or incapacity; grievance redressal.
  • Duties include not registering false complaints; not furnishing false info or impersonate other person;
  • Violation of duties will be punishable.

vi. Obligation of Data Fiduciaries: Data Fiduciaries are required to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met; inform data principal and data protection board in case of a breach.

vii. Concession to Cross Border Data flow: The bill allows transfer of personal data outside India, except to countries restricted by the Central government through notification.

viii. Exemptions: Central government may exempt government agencies from the provisions in the interest of security of state, public order, and prevention of offences.

  • Personal data which is processed for research, archiving, or statistical purpose will also
    be exempted under clause 17(2)(b).

ix. Data Protection Board of India – To be established by central government to adjudicate on non-compliance with the provision of the bill.

  • The members will be appointed for a period of 2 years and can be reappointed.
  • Amendment to IT Act, 2000 to remove clause for obligation on corporates to award
    damages to affect persons in case of negligent handling of sensitive data.
  • Note: Section 43A of the IT Act, 2000 imposes an obligation on corporates to award damages to affected persons in case of negligent handling of their sensitive data. Clause 44(2) of the bill aims to exclude the application of section 43A, thereby rendering an individual who has suffered breach of their data without any relief.

x. Amendment to RTI Act, 2005 to protect the personal information from disclosure.

  • Section 44(3) of the bill amends section 8(1)(j) of the RTI Act, which will have the  effect of totally exempting personal information from disclosure.

­ Advantages:

  • Right to Privacy (no use without consent, obligations on data fiduciary to secure data)
  • Ease of doing business – concession on cross border data flow
  • Priority to security, public order etc.
  • Institutional Framework – to ensure data protection in the form of Data Protection Board.

Key Issues:

i. Exemptions to government agencies on various grounds may lead to unchecked processing of data leading to adverse implication for privacy of individuals, which has been recognized as fundamental rights.

  • Parliamentary Standing committee had recommended that order should specify a
    procedure, which is fair, just and reasonable. But, the bill doesn’t require any procedure of safeguard to be specified.

ii. No differentiation between Personal Data and Sensitive Personal Data – Thus there is a
negation of elevated level of protection that should be available to sensitive personal data.

iii. No regulation of harm arising from processing of Data: The previous bills had defined various harms which may arising from processing of personal data including mental injury, identity theft, financial loss etc. But, this is missing in the current bill.
iv. Right of Data Portability and Right to be forgotten is missing in the bill

  • The Joint Parliamentary Committee, (which examined the 2019 bill) has recommended
    retaining of right to data portability and right to be forgotten. General Data Protection
    Regulations (GDPR) also recognizes these rights

v. Cross border data flow may also lead to violation of fundamental rights of citizens if protection is not available in the country where data has been transferred.

vi. Independence/Autonomy of Data Protection Board of India may be affected by short term of the members and scope of reappointment.

vii. Weakening of RTI regime: RTI activists have expressed concerns that the Bill undermines the democratic essence by depriving citizens of the valuable RTI.

Conclusion:

In its attempt to balance national security, public order, ease of doing business, global diplomacy and cross-border cooperation, technology velocity, and data volumes, the DPDP Bill, 2023 does a fine balancing act. If some limitations discussed above are remedied, the bill can be global digital personal data protection laws’ fore-runner.

Example Questions:

  • Discuss the key challenges of the present personal data protection regime in India. How does the Digital Personal Data Protection Bill, 2023 remedy some of these challenges [15 marks, 250 words]
  • Critically analyze the provisions of the Digital Personal Data Protection Bill, 2023 in their ability in ensuring Fundamental Right to Privacy to citizens of the country [10 marks, 150 words].
  • The Digital Personal Data Protection Bill, 2023 fails to confront India’s growth into a surveillance society. Discuss [10 marks, 150 words]
  • ‘Data protection law is crucial not only for securing fundamental rights of citizens, but also for National Security and Economic Security’ Elaborate [10 marks, 150 words]

SC Puts Maharashtra Speaker on Deadline Over Deflection Pleas

October 31, 2023

Right of Access to Internet and Internet Shutdown in India

November 1, 2023

Related Posts

12 Feb
Government Policies and InterventionsBy Sheetal Giri0 Comments

Demand for Maratha Reservation

READ MORE
30 Nov
Government Policies and InterventionsBy Sheetal Giri0 Comments

Cinematograph Act, 1952 & 2023 Amendments

READ MORE

Leave a Reply

Your email address will not be published. Required fields are marked *