Digital Personal Data Protection (DPDP) Bill 2022

Context: Recently, the Union Cabinet cleared the Digital Personal Data Protection (DPDP) Bill.
PYQ Q. Data security has assumed significant importance in the digitised world due to rising cyber-crimes. The Justice B.N. Sri Krishna Committee Report addresses issues related to data security. What, in your view, are the strengths and weaknesses of the Report relating to protection of personal data in cyberspace? (2018)
About Data and Data Protection:
  • Data: Data refers to collections of information stored in a computer-readable format, including social media messages, online habits, transactions, medical records, and personal details.
  • Data Protection: Data protection aims to safeguard personal data while finding a balance between individual privacy rights and data utilisation.


  • Data Protection Laws in Other Countries:   
    • Japan: Japan has the ‘Act on Protection of Personal Information’.
    • European Union: The General Data Protection Regulation (GDPR) was adopted in 2018.
    • China: New Chinese laws on data privacy and security issued over the last 12 months include the Personal Information Protection Law (PIPL), which came into effect in November 2021.
  • Data Protection in India:
    • Lack of Dedicated Framework: India does not have a specific legal framework for data protection.
    • Existing Acts: Some existing acts provide limited data protection:
      • Information Technology Act 2000: Section 43A protects user data from misuse by corporate entities but does not apply to government agencies. It covers sensitive personal data, such as medical history and biometric information.
      • Other Acts: Acts like the Consumer Protection Act 2015 and Copyright Act 1957 also offer some protection for personal information.
  • Draft Bill: In 2018, a draft version of the Personal Data Protection Bill was prepared by a committee led by retired Justice B N Srikrishna.


Need for Data Protection:
  • Invasion of Privacy: India has approximately 400 million internet users and 250 million social media users who engage in substantial online activities.
    • Without effective data protection, there is a risk of heightened surveillance and profiling of individuals without their consent.
  • Economic Losses: As per the Cost of a Data Breach report, the per capita cost per lost or stolen record in data breaches reached Rs 5,019 in 2018, representing a significant increase.
  • Increasing Sophistication of Cyber Crimes: India is witnessing a shift in the nature of cyber crimes, which have become more organised and collaborative.
    • The expanding volume of data on the internet and the emergence of technologies like artificial intelligence, internet of things, and big data pose a risk of data abuse and misuse.


Key Features of Digital Personal Data Protection (DPDP) Bill 2022:
  • Data Principal and Data Fiduciary: The bill uses the term “Data Principal” to refer to the individual whose data is being collected.
    • The term “Data Fiduciary” refers to the entity (such as an individual, company, firm, or state) that determines the purpose and means of processing the individual’s personal data.
    • For children, defined as users under the age of 18, their parents or lawful guardians are considered their Data Principals.
  • Defining Personal Data and its Processing:
    • Personal data is defined as “any data by which or in relation to which an individual can be identified.”
    • Processing refers to the entire cycle of operations carried out in respect of personal data, including collection and storage.
  • Cross-Border Data Flows: The Centre will notify regions to which data of Indians can be transferred, based on the data security landscape and the government’s access to Indian data from those regions.
  • Data Protection Board: The Bill proposes the establishment of a Data Protection Board to enforce compliance. The Data Protection Board will be “digital by design.”
  • User Rights and Privacy: Users have the right to correction and erasure of their personal data held by businesses.
    • Companies of significant size must appoint a Data Protection Officer and an independent data auditor to evaluate compliance.
    • The Bill prohibits processing of personal data that may cause harm to children and targeted advertising on children below 18 years of age.
  • Exemptions and National Security: The Bill includes exemptions for national security reasons, allowing the government to exempt state agencies from adhering to provisions in the interest of sovereignty, integrity, and security of the state.
    • Certain businesses, based on the number of users and volume of data processed, can also be exempted. This addresses concerns from the start-up ecosystem.
  • Penalties:
    • For Users: The Bill prescribes penalties for users who submit false documents during sign-up or file frivolous grievance complaints, with fines up to Rs 10,000.
    • For Entities: Penalties for data breaches and non-compliance have been increased, ranging from Rs 50 crore to Rs 500 crore.
The Significance of the Digital Personal Data Protection Bill, 2022:
  • Protection of Personal Data: A privacy law provides legal protection for personal data, ensuring that individuals have control over how their personal information is collected, used, and shared.
  • Data Security and Accuracy: The law mandates entities collecting personal data, known as data fiduciaries, to maintain the accuracy of data and implement necessary security measures to protect the data from unauthorised access or breaches.
  • Purpose Limitation: The law requires data fiduciaries to delete personal data once its purpose has been fulfilled, ensuring that data is not retained indefinitely without a valid reason.
  • Jurisdiction and Extraterritorial Reach: The law applies to the processing of digital personal data within India.
    • It also extends to data processing outside the country if it involves offering goods or services to individuals in India or profiling individuals in India.
  • Enforcement and Penalties: The law establishes a data protection board that can address violations of its provisions.
    • Entities found in violation may be subject to penalties, including financial penalties. Repeat offences may attract higher penalties.
Concerns Associated with the Bill:
  • Dilution of Right to Information (RTI) Act:
    • The proposed Digital Personal Data Protection Bill seeks to amend Section 8(1)(j) of the RTI Act to expand its scope and exempt all personal information from the purview of the RTI Act.
    • This amendment would eliminate the ability to invoke Section 8(1)(j) to protect privacy and deny access to personal information under the RTI Act.
Section 8(1)(j) of the RTI Act: It protects privacy by allowing the denial of personal information if it has no relationship to public activity or interest or if its disclosure would cause unwarranted invasion of privacy.
  • Inadequate protection of the Right to Privacy: The Bill grants wide discretionary powers to the Central government in drafting rules, raising concerns about the potential infringement on individuals’ right to privacy.
    • For instance, under Section 18, it empowers the Central government to exempt any government, or even private sector entities, from the provisions of the Bill by merely issuing a notification.
  • Lack of autonomy for the Data Protection Board: The appointment of the Board is under the Central government, which raises questions about its independence and the government’s direct control over the institution.
    • The government can also assign the Board functions under other laws, further impacting its autonomy.
  • Limited access to the Internet: The Bill stipulates that the Data Protection Board shall be ‘digital by design’, including receipt and disposal of complaints.
    • As per the latest National Family Health Survey, only 33% of women in India have ever used the Internet.
    • The DPDP Bill, therefore, effectively fails millions of people who do not have meaningful access to the Internet.
Conclusion: 
  • A data protection law must safeguard and balance people’s right to privacy and their right to information, which are fundamental rights flowing from the Constitution.
  • The approval of the Digital Personal Data Protection Bill, 2022, by the Union Cabinet marks a significant milestone for India’s digital landscape.
  • As the regulatory framework for data protection in India progresses, implementation, enforcement mechanisms, and compliance will play crucial roles in establishing responsible data governance.
News Source: The Hindu
