Today's Editorial - 30 July 2023

Data Protection Bill approved by Cabinet: Content, concerns

Source: By Soumyarendra Barik: The Indian Express

Nearly six years after the Supreme Court held privacy to be a fundamental right, the Centre has made a second attempt at framing legislation for protection of data. The Digital Personal Data Protection Bill, 2022, a draft of which was floated in November, is expected to be tabled in Parliament’s Monsoon Session that begins on 20 July 2023. The Union Cabinet approved the draft Bill on 5 July 2023.

While the contents of the Bill will remain confidential until it is brought to Parliament, the most contentious issues flagged by experts in the November draft have been retained. These include the wide-ranging exemptions to the Centre and its agencies, and diluting the role of the data protection board.

The Bill, once it becomes law, will play a crucial role in India’s trade negotiations with other nations, and especially regions like the European Union, whose General Data Protection Rules (GDPR) are among the world’s most exhaustive privacy laws.

What is the significance of a privacy law?

The Digital Personal Data Protection Bill, 2022, is a crucial pillar of the overarching framework of technology regulations the Centre is building, which also includes the Digital India Bill (the proposed successor to the Information Technology Act, 2000), the draft Indian Telecommunication Bill, 2022, and a policy for non-personal data governance.

Last August, the government withdrew from Parliament an earlier version of the data protection Bill that had been almost four years in the making, after it had gone through multiple iterations and a review by a Joint Committee of Parliament, and faced pushback from a range of stakeholders including tech companies and privacy activists.

The proposed law will apply to processing of digital personal data within India; and to data processing outside the country if it is done for offering goods or services, or for profiling individuals in India.

It requires entities that collect personal data — called data fiduciaries — to maintain the accuracy of data, keep data secure, and delete data once their purpose has been met.

A senior government official said the Bill is expected to allow “voluntary undertaking” — meaning that entities violating its provisions can bring it up with the data protection board, which can decide to bar proceedings against the entity by accepting settlement fees. Repeat offences of the same nature could attract higher financial penalties, the official said.

The highest penalty — to be levied for failing to prevent a data breach — has been prescribed at Rs 250 crore per instance, it is learnt. Government officials have said in informal conversations that the definition of “per instance” is subjective — and could mean either a single instance of a data breach, or account for the number of people impacted, and multiply it by Rs 250 crore. All of this is, however, open to interpretation by the data protection board on a case-by-case basis.

What are the concerns around the draft Bill?

The Bill approved by the Cabinet is understood to have largely retained the contents of the original version that was proposed in November 2022. This is especially true of some of the proposals that privacy experts had flagged earlier.

Wide-ranging exemptions for the central government and its agencies, which were among the most criticised provisions of the previous draft, are understood to have been retained unchanged. The Bill is learnt to have prescribed that the central government can exempt “any instrumentality of the state” from adhering to the provisions on account of national security, relations with foreign governments, and maintenance of public order among other things.

The control of the central government in appointing members of the data protection board — an adjudicatory body that will deal with privacy-related grievances and disputes between two parties — is learnt to have been retained as well. The chief executive of the board will be appointed by the central government, which will also determine the terms and conditions of their service.

There is also concern that the law could dilute the Right to Information (RTI) Act, as personal data of government functionaries is likely to be protected under it, making it difficult to be shared with an RTI applicant.

What changes are likely?

A key change in the final draft is learnt to have been made in the way it deals with cross-border data flows to international jurisdictions — moving from a ‘whitelisting’ approach to a ‘blacklisting’ mechanism.

The proposed law could allow global data flows by default to all jurisdictions other than a specified ‘negative list’ of countries — essentially an official blacklist of countries where transfers would be prohibited.

The draft that was released for public consultation in November said the central government will notify countries or territories where personal data of Indian citizens can be transferred — that is, a ‘whitelist’ of jurisdictions where data transfers would be allowed.

A provision on “deemed consent” in the previous draft could also be reworded to make it stricter for private entities, while allowing government departments to assume consent while processing personal data on grounds of national security and public interest.

How does India’s proposal compare with other countries?

An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, according to the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat.

Africa and Asia show 61% (33 countries out of 54) and 57% (34 countries out of 60) adoption respectively. Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.

EU model: The GDPR focuses on a comprehensive data protection law for processing of personal data. It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data, but it is still the template for most of the legislation drafted around the world.

US model: Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government. It is viewed as being somewhat narrow in focus, because it enables collection of personal information as long as the individual is informed of such collection and use.

China model: New Chinese laws on data privacy and security issued over the last 12 months include the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.

The Data Security Law (DSL), which came into force in September 2021, requires business data to be categorised by levels of importance, and puts new restrictions on cross-border transfers.