News Highlights:
- India’s digital economy is set to reach a whopping $1 trillion by 2026. People are going digital rapidly for everything from shopping and socialising to education and government services.
- This generates massive amounts of personal data, making its handling and protection critical.
- The Digital Personal Data Protection (DPDP) Bill 2022 outlines citizens’ rights over their personal data and the responsibilities of data collectors.
Data protection:
- About
- Data protection is the process of safeguarding important information from corruption, compromise or loss.
- The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates.
- There is also little tolerance for downtime, which can make it impossible to access important information.
- Consequently, a large part of a data protection strategy is ensuring that data can be restored quickly after any corruption or loss.
- Protecting data from compromise and ensuring data privacy are other key components of data protection.
- Key focuses of data protection:
- Data security – protecting data from malicious or accidental damage.
- Data availability – quickly restoring data in the event of damage or loss.
- Access control – ensuring that data is accessible to those who actually need it and not to anyone else.
Digital Personal Data Protection Bill 2022:
- About:
- The government introduced the Personal Data Protection Bill 2019 in the Lok Sabha in 2019.
- However, the government withdrew the bill in August 2022, citing the inadequacy of its provisions in meeting global standards regarding data privacy.
- The new bill has been introduced after a revamp of the provisions.
- Significance of the bill:
- The proposed bill was brought into being only after a comprehensive review of similar laws in the EU, Singapore, and many other jurisdictions.
- The proposed bill would provide predictability of law and enable companies to align their policies with the proposed legislation.
Key Features of the Data Protection Bill:
- Data Principal:
- Data Principal refers to the individual whose data is being collected.
- In the case of children (<18 years), their parents/lawful guardians will be considered their “Data Principals”.
- Data Fiduciary:
- Data Fiduciary is the entity (individual, company, firm, state etc.) which decides the “purpose and means of processing an individual’s data”.
- Personal Data is “any data by which an individual can be identified”.
- Processing means “the entire cycle of operations that can be carried out concerning personal data”.
- Significant Data Fiduciary:
- Significant Data Fiduciaries are those who deal with a high volume of personal data.
- The Central government will define who is designated under this category based on several factors.
- Such entities must appoint a ‘Data protection officer’ and an independent Data Auditor.
- Rights of Individuals:
- Access to Information: The bill ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
- Right to Consent: Individuals need to consent before their data is processed, and “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing”. Individuals also have the right to withdraw consent from a Data Fiduciary.
- Right to Erase: Data principals will have the right to demand the erasure and correction of data collected by the fiduciary.
- Right to Nominate: Data principals will also have the right to nominate individuals who will exercise these rights in the event of their death or incapacity.
- Data Protection Board:
- The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill.
- In case of an unsatisfactory response from the Data Fiduciary, the consumers can file a complaint to the Data Protection Board.
- Cross-border Data Transfer:
- The bill allows for cross-border storage and transfer of data to “certain notified countries and territories” provided they have a suitable data security landscape, and the Government can access data of Indians from there.
- Financial Penalties:
- For Data Fiduciary: The bill proposes to impose significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen.
- The penalties will range from Rs. 50 crores to Rs. 500 crores.
- For Data Principal: If a user submits false documents while signing up for an online service or files frivolous grievance complaints, the user could be fined up to Rs. 10,000.
Way Forward:
- The prime challenge is to balance the growth opportunities offered by free data against the Right to Privacy, declared a Fundamental Right in the Puttaswamy judgement of 2017.
- In this context, India must promote data localisation with care, using more scientific and organic categorisations. Open-ended definitions must be made clear.
- The Localised Data will also help new entrepreneurs to fill the digital infrastructure gap.
Content Source: The Hindu