Digital Personal Data Protection Bill
Why in News
The Union Cabinet has approved the Digital Personal Data Protection Bill and will table it in the monsoon session of Parliament (July 20-August 11).
- The draft Bill was placed in the public domain in December 2022.
About Draft Digital Personal Data Protection Bill, 2022
- The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.
- It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
- Personal data may be processed only for a lawful purpose for which an individual has given consent.
- Consent may be deemed in certain cases.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds.
- The central government will establish the Data Protection Board of India
- The board will adjudicate non-compliance with the provisions of the Bill.
Key Concerns
- Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing and retention beyond what is necessary.
- This may violate the fundamental right to privacy.
- The Bill accords differential treatment on consent and storage limitation to private and government entities performing the same commercial function such as providing banking or telecom services.
- This may violate the right to equality of the private sector providers.
- The central government will prescribe the composition, and manner and terms of appointments to the Data Protection Board of India.
- This raises a question about the independent functioning of the Board.
- The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
- The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child.
- To comply with this provision, every data fiduciary will have to verify the age of everyone signing up for its services.
- This may have adverse implications for anonymity in the digital space.
- There is also concern that the law could dilute the Right to Information (RTI) Act.
- Personal data of government functionaries is likely to be protected under new bill, making it difficult to be shared with an RTI applicant.
Note : The Bill, once it becomes law, will play a crucial role in India’s trade negotiations with other nations, and especially regions like the European Union.
- General Data Protection Rules (GDPR) of the EU are among the world’s most exhaustive privacy laws.
Data Protection in Other Countries
- An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy.
- This is according to the United Nations Conference on Trade and Development (UNCTAD).
- Africa and Asia show 61% (33 countries out of 54) and 57% (34 countries out of 60) adoption respectively.
- Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
- EU model: The GDPR focuses on a comprehensive data protection law for processing of personal data.
- It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data.
- But it is still the template for most of the legislation drafted around the world.
- US model: Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government.
- It is viewed as being somewhat narrow in focus, because it enables collection of personal information as long as the individual is informed of such collection and use.