Draft Digital Personal Data Protection Bill 2022
- November 21, 2022
- Posted by: OptimizeIAS Team
- Category: DPN Topics
Subject: Science and Technology
Context:
The draft Digital Personal Data Protection Bill 2022 has been released by the Ministry of Electronics and IT (MeitY).
Concept:
Seven principles:
- Lawful: usage of personal data by organisations must be lawful, fair to the individuals concerned and transparent to them.
- Purpose limitation: personal data must only be used for the purposes for which it was collected.
- Data minimisation: only the bare minimum of data necessary to fulfil a purpose should be collected.
- Accuracy: personal data should be accurate at the time of collection.
- Storage: personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration.
- Safeguards: there must be no unauthorised collection or processing of personal data.
- Accountability: the person who decides the purpose and means of the processing of personal data should be accountable for such processing.
Key features of the bill
- Defines Data Principal and Data Fiduciary
  - “Data Principal” denotes the individual whose data is being collected.
  - In the case of children (all users under the age of 18), their parents or lawful guardians will be considered their ‘Data Principals’.
  - “Data Fiduciary” denotes the entity (which can be an individual, company, firm, state etc.) that decides the purpose and means of the processing of an individual’s personal data.
- Data Collection and Processing
  - Personal data is any data by which, or in relation to which, an individual can be identified.
  - Individuals need to give consent before their data is processed, and every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.
  - Processing means “the entire cycle of operations that can be carried out in respect of personal data.”
  - The bill ensures that individuals are able to “access basic information” in the languages specified in the Eighth Schedule of the Indian Constitution.
  - The notice of data collection needs to be in clear and easy-to-understand language.
  - Individuals also have the right to withdraw consent from a Data Fiduciary.
- Significant Data Fiduciaries
  - ‘Significant Data Fiduciaries’ are those that deal with a high volume of personal data.
  - They are designated by the Central government based on factors such as the volume of personal data processed, the risk of harm, and the potential impact on the sovereignty and integrity of India.
  - They need to fulfil certain additional obligations to enable greater scrutiny of their practices.
  - Such entities will have to appoint a ‘Data Protection Officer’ as the point of contact for grievance redressal. They will also have to appoint an independent data auditor who shall evaluate their compliance with the act.
- Rights
  - Data Principals will have the right to demand the erasure and correction of data collected by the Data Fiduciary.
  - They will also have the right to nominate an individual who will exercise these rights in the event of the death or incapacity of the Data Principal.
  - The bill also gives consumers the right to file a complaint against a ‘Data Fiduciary’ with the Data Protection Board if they do not get a satisfactory response from the company.
- Cross-border data transfer
  - The bill allows for cross-border storage and transfer of data to “certain notified countries and territories preceded by an assessment of relevant factors by the Central Government”.
- Financial penalties
  - The Bill imposes significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen.
  - Entities that fail to take “reasonable security safeguards” to prevent personal data breaches can be fined as much as Rs 250 crore.
- Exemptions
  - The government could also exempt certain entities from provisions of the Bill, on the basis of the number of users and the volume of personal data processed by the entity, in the national interest.
- Data Protection Board
  - The bill proposes a new regulatory body to be set up by the government, which can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant.
Data protection laws in other geographies:
- EU MODEL: General Data Protection Regulation (GDPR)
  - The European Charter of Fundamental Rights recognises the right to privacy as well as the right to protection of personal data, and is backed by a comprehensive data protection framework.
  - The GDPR is a comprehensive data protection law for the processing of personal data.
  - It applies to the processing of personal data by any means, and to processing activities carried out by both government and private entities. There are certain exemptions, such as national security, defence and public security.
- US MODEL
  - Privacy protection is largely defined as “liberty protection”, focused on protecting the individual’s personal space from the government.
  - It enables the collection of personal information as long as the individual is informed of such collection and use.
  - There is no comprehensive set of privacy rights or principles in the US comparable to the EU’s GDPR.
  - Regulation is limited and sector-specific: the approach to data protection differs between the public and private sectors, and is addressed by broad legislation such as the Privacy Act, the Electronic Communications Privacy Act and other sector-specific norms.
- CHINA MODEL: multiple laws
  - The Personal Information Protection Law (PIPL) gives Chinese data principals new rights, as it seeks to prevent the misuse of personal data.
  - China’s PIPL is deemed “similar” to the EU’s GDPR in that it gives Chinese consumers the right to access, correct and delete their personal data gathered by businesses, but it also significantly affects offshore data processors.
  - The law includes stringent penalties, with fines as high as RMB 50 million or up to 5% of a company’s turnover in the previous financial year. Businesses may also be required to suspend operations until they “demonstrate compliance”.
  - The Data Security Law (DSL) requires business data to be categorised by level of importance, and puts new restrictions on cross-border transfers.
  - Companies that mishandle data under the DSL face severe penalties.