The Digital Personal Data Protection Bill, 2023 has been passed by Parliament. How is it different from its previous version? In which domains has it made improvements, and where is it lacking? What does personal data protection entail? Read here to understand better.
Digital personal data protection refers to the safeguarding of individuals’ personal information in the digital realm.
With the increasing use of technology and the internet, individuals share a substantial amount of personal data online, ranging from financial information to private communications.
Protecting this data from unauthorized access, breaches, and misuse has become a critical concern in the modern digital age.
Aspects of Personal Data Protection
Many countries have enacted data privacy laws and regulations that govern the collection, processing, storage, and sharing of personal data. These laws provide individuals with rights over their data and impose obligations on organizations that handle personal data.
- Organizations are required to obtain individuals’ informed consent before collecting and using their personal data. Consent should be freely given, specific, informed, and revocable.
- Adequate security measures must be implemented to protect personal data from breaches, unauthorized access, and cyberattacks. This includes encryption, secure storage, access controls, and regular security assessments.
- Organizations are expected to provide clear and easily understandable information about their data practices, including how data is collected, processed, and shared.
- Data subjects (individuals whose data is being collected) have rights to access their data, correct inaccuracies, request deletion, and restrict or object to certain processing activities.
- Organizations are often required to notify individuals and authorities in the event of a data breach that could pose a risk to individuals’ rights and freedoms.
- When personal data is transferred across borders, organizations must ensure that appropriate safeguards are in place to protect the data’s privacy and security.
- Organizations are responsible for complying with data protection laws and demonstrating their commitment to data privacy through policies, practices, and documentation.
- Many countries have established data protection authorities or agencies responsible for enforcing data privacy laws, conducting audits, and addressing complaints.
The General Data Protection Regulation (GDPR) in the European Union is one of the most comprehensive data privacy regulations globally.
Other countries have introduced similar regulations, such as the California Consumer Privacy Act (CCPA) in the United States.
The Digital Personal Data Protection Bill, 2023
The Ministry of Electronics and Information Technology (MeitY) established an expert committee in 2017, which marked the beginning of the process towards a data protection law.
- The Data Protection Bill, 2021 (DPB, 2021) was published in December 2021, which was a significant step.
- On August 3, 2022, it was retracted in Parliament by Ashwini Vaishnaw, the minister of communications and information technology.
- A draft of the Digital Personal Data Protection Bill, 2022 (DPDPB, 2022) was made available for public comment on November 18, 2022.
- The comments submitted as part of this consultation process were kept private.
- In a Right to Information case, the demand for the submissions to be made publicly available was also rejected.
Highlights of 2023 Bill
- The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.
- It will also apply to such processing outside India, if it is for offering goods or services in India.
- Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
- The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.
Issues with 2023 Bill
- Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. This may violate the fundamental right to privacy.
- The Bill does not regulate risks of harms arising from processing of personal data.
- The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
- The Bill allows transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
- The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment. The short term with scope for re-appointment may affect the independent functioning of the Board.
Need for Digital Data Protection in India
India has made significant technical strides and is keeping pace with other nations, but it trails behind them in having clear, strict rules that cover all the recent changes in how personal data is handled.
- Many nations, including the USA and China, have enacted new data protection legislation during the past 20 years.
- India’s current law is inconsistent. India must implement new laws in order to keep up with the trends and collaborate with other nations.
Although India’s existing Information Technology Act, 2000 substantially addresses the country’s data protection challenges, it is not particularly tough, since it fails to adequately enforce the laws. India today needs data protection with strict enforcement.
Another problem that has lately become more common is spam, in which a user repeatedly receives many copies of the same message, clogging their inbox.
- The USA and European nations have rules that penalise spam senders, but India does not. Laws that address newly emerging issues are urgently needed.
Additionally, as online transactions are now governed by RBI guidelines, they must be properly handled by applicable legislation.
- This increases the need for new data protection regulations in India.
Even before it is presented, technology is out of date, and that is still true in India today.
- Online banking, publishing regulations, cyber-defamation, cyber-terrorism, cryptocurrencies, and NFTs are only a few examples of areas that urgently need to be addressed by appropriate law in order to manage their associated problems.
One of the main causes of the breach of a significant quantity of data in India is the overlap of many regulations for various areas, which leads to uncertainty.
- In India, there isn’t yet a single codified law that carefully considers every element of data privacy and keeps track of the consequences that ought to be applied.
Important cases related to data protection
- State of Tamil Nadu v. Suhas Katti (2004): This case is significant because it encouraged citizens all around the nation to come forward and report incidents of online abuse.
- Amar Singh v. Union of India (2011): In light of Sections 69, 69A, and 69B of the IT Act, 2000, this case is significant. It was held by the court that the service provider must confirm the legitimacy of any government orders “to tap phones” when they include serious errors. In order to avoid unlawful call interception, the court further ordered the central government to establish specific directives and rules.
- Shreya Singhal v. Union of India (2015): The entire Section 66A was declared unconstitutional by the Supreme Court of India on the grounds that its intended protection against annoyance, inconvenience, danger, obstruction, insult, injury, and criminal intimidation went beyond the bounds of reasonable restrictions under Article 19(2) of the Indian Constitution.
- Justice K.S. Puttaswamy (Retd) v. Union of India (2017): This case upholds the right to privacy as a right which is protected by the Constitution of India.
- Praveen Arimbrathodiyil v. Union of India (2021): In this case, several companies, including WhatsApp, Quint, LiveLaw, and the Foundation for Independent Journalists, have contested the regulations published in 2021. The outcome of the judgement will impact the future direction of Indian law in information technology; the petition is currently pending before the Supreme Court for listing.
Although India is a member of various international bodies that focus on data protection methods, such as the United Nations Commission on International Trade, and the Directive Principles of State Policy contain relevant clauses, a comprehensive law or mechanism is still absent.
- The general welfare of the populace is addressed in Article 38. In essence, a welfare state is tied to privacy and data protection.
- As stated in Article 51, the State shall seek to encourage conformity to treaty commitments and international law in order to foster global peace and security.
Digital personal data protection is a shared responsibility between individuals, organizations, and governments.
It aims to strike a balance between utilizing data for beneficial purposes while respecting individuals’ rights to privacy and security.
Effective data protection practices help build trust between organizations and individuals, fostering a safer and more transparent digital environment.
-Article by Swathi Satish