Why in News
The Union Cabinet has approved the Digital Personal Data Protection Bill and will table it in the monsoon session of Parliament (July 20-August 11).
- The draft Bill was placed in the public domain in December 2022.
About Draft Digital Personal Data Protection Bill, 2022
- The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.
- It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
- Personal data may be processed only for a lawful purpose for which an individual has given consent.
- Consent may be deemed in certain cases.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds.
- The central government will establish the Data Protection Board of India
- The board will adjudicate non-compliance with the provisions of the Bill.
- Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing and retention beyond what is necessary.
- This may violate the fundamental right to privacy.
- The Bill accords differential treatment on consent and storage limitation to private and government entities performing the same commercial function such as providing banking or telecom services.
- This may violate the right to equality of the private sector providers.
- The central government will prescribe the composition, and manner and terms of appointments to the Data Protection Board of India.
- This raises a question about the independent functioning of the Board.
- The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
- The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child.
- To comply with this provision, every data fiduciary will have to verify the age of everyone signing up for its services.
- This may have adverse implications for anonymity in the digital space.
- There is also concern that the law could dilute the Right to Information (RTI) Act.
- Personal data of government functionaries is likely to be protected under new bill, making it difficult to be shared with an RTI applicant.
Note : The Bill, once it becomes law, will play a crucial role in India’s trade negotiations with other nations, and especially regions like the European Union.
- General Data Protection Rules (GDPR) of the EU are among the world’s most exhaustive privacy laws.
Data Protection in Other Countries
- An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy.
- This is according to the United Nations Conference on Trade and Development (UNCTAD).
- Africa and Asia show 61% (33 countries out of 54) and 57% (34 countries out of 60) adoption respectively.
- Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
- EU model: The GDPR focuses on a comprehensive data protection law for processing of personal data.
- It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data.
- But it is still the template for most of the legislation drafted around the world.
- US model: Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government.
- It is viewed as being somewhat narrow in focus, because it enables collection of personal information as long as the individual is informed of such collection and use.