The dangers in the Digital Personal Data Protection Bill.

Relevance:

GS 2 – Government policies and interventions for development in various sectors and issues arising out of their design and implementation; transparency & accountability and institutional and other measures.

GS 4 – Information sharing and transparency in government, Right to Information.

Current Context:

The Indian government is on the verge of introducing the Digital Personal Data Protection (DPDP) Bill in Parliament, a major milestone in Indian data-privacy legislation. However, the process surrounding the Bill and its likely impact have raised questions about transparency and citizens' rights.

Seven Principles of the 2022 Bill:

  • First, organizations must use personal data in a manner that is lawful, fair to the individuals concerned and transparent to them.
  • Second, personal data must be used only for the purposes for which it was collected (purpose limitation).
  • Third, data minimization: only the personal data needed for the stated purpose should be collected.
  • Fourth, data accuracy: personal data should be accurate and kept up to date, especially at the point of collection.
  • Fifth, storage limitation: personal data cannot be "stored perpetually by default"; retention should be limited to a fixed duration tied to the purpose.
  • Sixth, there must be reasonable safeguards to ensure there is "no unauthorized collection or processing of personal data".
  • Seventh, accountability: "the person who decides the purpose and means of the processing of personal data should be accountable for such processing".

Key Features of the Digital Personal Data Protection Bill:

  • Data Principal and Data Fiduciary: The Data Principal is the individual whose data is being collected. In the case of children (under 18 years), the term also covers their parents or lawful guardians, who exercise the child's rights on their behalf.

The Data Fiduciary is the entity (individual, company, firm, State etc.) that decides the "purpose and means of the processing of an individual's personal data". Personal Data is "any data by which an individual can be identified". Processing means "the entire cycle of operations that can be carried out in respect of personal data".

  • Significant Data Fiduciary: Significant Data Fiduciaries are fiduciaries that process personal data at a volume or sensitivity the Central government considers high. The Central government will notify which entities fall into this category based on a number of factors. Such entities will have to appoint a Data Protection Officer and an independent Data Auditor.
  • Rights of Individuals: Access to Information: The Bill gives individuals the right to "access basic information" about the processing of their data, in any of the languages specified in the Eighth Schedule of the Indian Constitution.
  • Right to Consent: Individuals need to give consent before their data is processed and “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing”. Individuals also have the right to withdraw consent from a Data Fiduciary.
  • Right to Erase: Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
  • Right to Nominate: Data principals will also have the right to nominate an individual who will exercise these rights in the event of their death or incapacity.
  • Data Protection Board: The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill. In case of an unsatisfactory response from the Data Fiduciary, the consumers can file a complaint to the Data Protection Board.
  • Cross-border Data Transfer: The Bill allows personal data to be stored in and transferred to "certain notified countries and territories", the stated expectation being that such countries have a suitable data-security framework and that the Government retains access to the data of Indians held there.
  • For Data Fiduciaries: The Bill imposes significant penalties on businesses that suffer data breaches because of inadequate security safeguards, or that fail to notify the Board and affected users when a breach happens.
  • Exemptions: The government can exempt certain businesses from provisions of the Bill on the basis of the number of users and the volume of personal data the entity processes.
  • This exemption was included with the country's startups in mind, which had complained that the Personal Data Protection Bill, 2019 was too "compliance intensive".
  • The Centre has also been empowered to exempt its own agencies from provisions of the Bill in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence.

Issues with the Digital Personal Data Protection Bill:

  • Impacting fundamental rights: The DPDP Bill of 2022 includes provisions that may affect citizens' fundamental rights, especially under the Right to Information (RTI) Act. Section 8(1)(j) of the RTI Act currently exempts personal information from disclosure only where disclosure serves no larger public interest; the DPDP Bill 2022 proposes to amend Section 8(1)(j) so that all personal information is exempt, removing that public-interest test and jeopardizing transparency and accountability. The Justice A.P. Shah Report on Privacy had noted that a data protection law does not require changes to the RTI Act.
  • Excessive discretionary powers to the government: The DPDP Bill, 2022 grants the central government the power to exempt any government or private sector entity from the law's provisions through a simple notification. This opens the possibility of arbitrary exemptions for favoured entities and for government bodies such as the UIDAI, leading to potential privacy violations.
  • Lack of autonomy of the Data Protection Board: The Data Protection Board, responsible for enforcing the law, lacks sufficient autonomy because the central government holds significant power over its composition and over the selection and removal of its members.

The Chief Executive responsible for managing the Board is to be appointed by the government. A government-controlled Data Protection Board with the power to impose hefty fines raises concerns about possible misuse to target political opposition and dissenters.

Further details of the 2022 Bill's provisions:

  • Applicability: The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and then digitized. It will also apply to the processing of personal data outside India if it is for offering goods or services to, or profiling, individuals in India.

Personal data is defined as any data about an individual who is identifiable by or in relation to such data.

Processing is defined as an automated operation or set of operations performed on digital personal data. It includes collection, storage, use and sharing.

  • Consent: Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent will be deemed given where processing is necessary for:
  • performance of any function under a law,
  • provision of service or benefit by the State,
  • medical emergency,
  • employment purposes, and
  • specified public interest purposes such as national security, fraud prevention, and information security.
  • Rights and duties of the data principal: The individual whose data is being processed is the data principal. The Bill grants data principals certain rights, including the right to obtain information about the processing, to seek correction and erasure of their data, and to grievance redressal. It also imposes duties on them, such as not registering false or frivolous grievances.
  • Obligations of data fiduciaries: The entity that determines the purpose and means of processing, called the data fiduciary, will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been served.
  • Transfer of personal data outside India: The central government will notify countries where a data fiduciary may transfer personal data. Transfers will be subject to prescribed terms and conditions.
  • Exemptions: The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • Data Protection Board of India: The central government will establish the Data Protection Board of India. The central government will prescribe the composition of the Board, selection process, terms and conditions of appointment and service, and manner of removal.
  • Functions: monitoring compliance and imposing penalties, directing data fiduciaries to take necessary measures in the event of a data breach, and hearing grievances made by affected persons.
  • Penalties: The Schedule to the Bill specifies penalties of up to Rs 150 crore for non-fulfilment of obligations relating to children, and up to Rs 250 crore for failure to take reasonable security safeguards to prevent data breaches. Overall, data fiduciaries face fines of up to Rs 500 crore per instance of non-compliance. Penalties will be imposed by the Board after conducting an inquiry.

Conclusion:

It is crucial that the data protection law addresses the flaws of the previous draft and protects people's fundamental rights, including the right to information and the right to privacy. These concerns must be addressed before the DPDP Bill is enacted.

Source: https://epaper.thehindu.com/ccidistws/th/th_mumbai/issues/46044/OPS/G58BIF1U6.1+GVGBIG9DF.1.html