Monday, November 21, 2022
A first look at the new data protection Bill - The Hindu
https://www.thehindu.com/sci-tech/technology/a-first-look-at-the-new-data-protection-bill/article66162209.ece
Trishee Goyal
The story so far: The latest draft of the data protection law — the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) — has now been made open for public comments and the government is expected to introduce the Bill in Parliament in the budget session of 2023.
Is this the first draft?
This is the fourth iteration of a data protection law in India. The first draft of the law, the Personal Data Protection Bill, 2018, was proposed by the Justice Srikrishna Committee set up by the Ministry of Electronics and Information Technology (MeitY) with the mandate of setting out a data protection law for India. The government made revisions to this draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019. On the same day, the Lok Sabha passed a motion to refer the PDP Bill, 2019 to a joint committee of both the Houses of Parliament. Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (JPC) submitted its report on the Bill after two years in December, 2021. The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC. However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
Why have there been so many revisions and changes?
Constant interactions with digital devices have led to unprecedented amounts of personal data being generated round the clock by users (data principals). When coupled with the computational power available today with companies (data fiduciaries), this data can be processed in ways that increasingly impair the autonomy, self-determination, freedom of choice and privacy of the data principal.
The current legal framework for privacy enshrined in the Information Technology Rules, 2011 (IT Rules, 2011) is wholly inadequate to combat such harms to data principals, especially since the right to informational privacy has been upheld as a fundamental right by the Supreme Court (K.S. Puttaswamy vs Union of India [2017]). It is inadequate on four levels: first, the extant framework is premised on privacy being a statutory right rather than a fundamental right and does not apply to processing of personal data by the government; second, it has a limited understanding of the kinds of data to be protected; third, it places scant obligations on the data fiduciaries which, moreover, can be overridden by contract; and fourth, there are only minimal consequences for the data fiduciaries for the breach of these obligations.
While the need to have an effective personal data protection regime is undisputed, India like other jurisdictions has struggled to come up with an optimum formulation for several reasons. First, while protecting the rights of the data principal, data protection laws need to ensure that the compliances for data fiduciaries are not so onerous as to make even legitimate processing impractical. Second, the challenge lies in finding an adequate balance between the right to privacy of data principals and reasonable exceptions, especially where government processing of personal data is concerned. Third, given the rate at which technology evolves, an optimum data protection law design needs to be future proof — it should not be unduly detailed and centred on providing solutions to contemporary concerns while ignoring problems that may emerge going forward. Fourth, the law needs to be designed for a framework of rights and remedies that is readily exercisable by data principals given their unequal bargaining power with respect to data fiduciaries.
What is the scope of the present formulation of the Bill?
The DPDP Bill, 2022 applies to all processing of personal data that is carried out digitally. This would include both personal data collected online and personal data collected offline but digitised for processing. In effect, by being completely inapplicable to data processed manually, this provides for a somewhat lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
Furthermore, as far as the territorial application of the law is concerned, the Bill covers processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India. The current phrasing, inadvertently, seems to exclude data processing by Indian data fiduciaries that collect and process personal data outside India, of data principals who are not located in India. This would impact statutory protections available for clients of Indian start-ups operating overseas, thereby impacting their competitiveness. This position further seems to be emphasised with the DPDP Bill, 2022 exempting application of most of its protections to personal data processing of non-residents of India by data fiduciaries in India.
How well does the DPDP Bill, 2022 protect data principals?
The bulwark of most data protection legislations consists of allowing maximum control to the data principal over their personal data. This happens by mandating a comprehensive notice to the data principal on different aspects of data processing based on which the data principal can provide explicit consent to such processing. While limited circumstances for non-consent based processing of personal data exist, it still gives the data principal the right to access, correct, delete etc. their data. Concomitantly, the data fiduciary is placed, inter alia, with the obligation of data minimisation, which is to collect only such personal data as is required to fulfil the purpose of processing (collection limitation); process it only for the purposes stated and no more (purpose limitation) and to retain it in its servers only for so long as is required to fulfil the stated purpose (storage limitation).
The current draft removes explicit reference to certain data protection principles such as collection limitation. This would allow a data fiduciary to collect any personal data consented to by the data principal. Making collection solely contingent on consent ignores the fact that data principals often do not have the requisite know-how of what kind of personal data is relevant for a particular purpose. For example, a photo filter app may process data related to your location or information on your contacts even though it may not require such information to carry on its primary task of applying the filter. It also does away with the concept of “sensitive personal data”. Depending on the increased potential of harm that can result from unlawful processing of certain categories of personal data, most data protection legislations classify these categories as “sensitive personal data”. Illustratively, this includes biometric data, health data, genetic data etc. This personal data is afforded a higher degree of protection in terms of requiring explicit consent before processing and mandatory data protection impact assessments. By doing away with this distinction, the DPDP Bill, 2022 does away with these additional protections.
Additionally, the Bill also reduces the information that a data fiduciary is required to provide to the data principal. While the previous iterations required considerable information in terms of the rights of the data principals, grievance redressal mechanism, retention period of information, source of information collected etc to be provided for the data principal, the current draft reduces the scope of this information to the personal data sought to be collected and the purpose of processing the data. While this may have been done in an attempt to simplify the notice and avoid information overload, there are other ways such as infographics, just-in-time notices etc that are being recommended by data protection authorities to ensure a comprehensive yet comprehensible notice.
Moreover, the DPDP Bill, 2022 seems to suppose that a notice is only to be provided to take consent of the data principal. This is a limited understanding of the purpose of notice. A notice is also important for the data principal to exercise data protection rights such as the right to know what personal data is being processed by whom, whether that data needs correction or updation and also to request deletion of data that may not be relevant for the purpose of processing. These rights exist even in cases of non-consent based processing of data. As such, limiting notice to only consent based personal data processing would limit the scope for the exercise of these rights.
The DPDP Bill, 2022 also introduces the concept of “deemed consent”. In effect, it bundles purposes of processing which were either exempt from consent based processing or were considered “reasonable purposes” for which personal data processing could be undertaken under the ground of “deemed consent”. However, there exist some concerns around this due to the vaguely worded grounds for processing such as “public interest” and the removal of additional safeguards for protection of data principals’ interests.
An important addition to the right of data principals is that it recognises the right to post mortem privacy which was missing from the PDP Bill, 2019 but had been recommended by the JPC. The right to post mortem privacy would allow the data principal to nominate another individual in case of death or incapacity.
The writer is a research fellow at the Centre for Applied Law and Technology Research, Vidhi Centre for Legal Policy
(This is the first of a two-part series on the draft Digital Personal Data Protection Bill, 2022)