Digital Personal Data Protection Law

Syllabus: GS2/ Government Policies & Interventions

In Context

• Recently the Lok Sabha has passed the Digital Personal Data Protection Bill, 2023.

Need of Strong Data Protection Regime

• Data a new oil to Industry: As India’s data economy grows, it finds itself grappling with regulation in order to catch up with the rich data that Indians are sharing every day, as they log onto hundreds of platforms—whether to bank electronically or to purchase groceries or to stay connected on social media.
• Threats posed to Digital Economy: Risk exposure to the digital economy has increased manifolds amidst the pandemic. For example, Ransomware, the data breach at Mobikwik.
• Internet Crime: Protection from several instances of internet crimes like cybercrime, cyberbullying and harassment.
• National Security Concern: Data of security agencies could be at risk compromising national security and many private entities are against data localisation.
• Surveillance state: Inadequate data protection legislation & unlimited government access can lead to a totalitarian regime (Aadhar Act).
  • Currently, Personal data was regulated by IT Act, 2000. However, this Act was applicable only to foreign companies & corporates working in India.
• Puttaswamy v India (2017): Supreme Court has declared Data Privacy as a Fundamental Right under Article 21.

Key Provisions of the Bill

• Applicability: The Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.  It will also apply to the processing of personal data outside India if it is for offering goods or services in India. 
• Consent:  Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent.  
  • The notice should contain details about the personal data to be collected and the purpose of processing. 
• Lower age of consent: The Bill gives powers to the central government to prescribe a lower age of consent than 18 years for accessing Internet services without parental consent if the platform they are using can process their data in a “verifiably safe manner”. 
  • This would essentially mean a white-listing approach for companies in the edtech sector, and for medical purposes, among other things.
• Ease of cross-border data flows: The Centre has proposed to significantly ease cross-border data flows to international jurisdictions – by moving away from a whitelisting approach to a blacklisting mechanism. 
  • Earlier, the government had said that it would issue a list of countries where data flows would be allowed. 
• Impact on Social Media Companies: Significant Data Fiduciaries (the fiduciaries with huge volume and processing sensitive data) have to develop their own user verification mechanism.
  • It will reduce the anonymity of users and decrease trolling, fake news and cyberbullying.
• Exemptions: Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases.  
  • These include: (i) prevention and investigation of offences, and (ii) enforcement of legal rights or claims.  
  • The central government may, by notification, exempt certain activities from the application of the Bill.  
  • These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes.
• Data Protection Board of India: The central government will establish the Data Protection Board of India.  Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons.  
  • Board members will be appointed for two years and will be eligible for re-appointment. 
• Penalties: The schedule to the Bill specifies penalties for various offences such as up to: (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches.  
  • Penalties will be imposed by the Board after conducting an inquiry.

Significance

• Law Enforcement: Data localisation can help law-enforcement agencies access data for investigations and enforcement.
  • Cross-border data transfer of data  through individual bilateral “mutual legal assistance treaties” is a cumbersome process.
• Cyber Security: Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus.
• Curbing Fake News: Many instances like lynching, national security threats, etc can now be prevented in time.
• Data Sovereignty: Data localisation will also increase the ability of the Indian government to tax Internet giants.

Concerns/ Challenges

• Exemptions to the State may have adverse implications for privacy:
  • Personal data processing by the State has been given several exemptions under the Bill.  
  • As per Article 12 of the Constitution, the State includes: central government, state government, local bodies, and authorities and companies set up by the government.  
  • There may be certain issues with such exemptions.
• In conflict with the Right to privacy:
  • By empowering the executive to draft rules on a range of issues, the proposed Bill creates wide discretionary powers for the Central government and thus fails to safeguard people’s right to privacy. 
  • For instance, under Section 18, it empowers the Central government to exempt any government, or even private sector entities, from the provisions of the Bill by merely issuing a notification.
• Overriding consent of an individual: 
  • The Bill overrides consent of an individual where the State processes personal data for provision of benefit, service, license, permit, or certificate.  
  • It specifically allows use of data processed for one of these purposes for another. It also allows use of personal data already available with the State for any of these purposes.
• Bo regulation of risks:
  • The Bill does not regulate risks of harms arising out of processing of personal data.
• No right for data portability:
  • The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
• Transfer of personal data outside India:
  • The Bill allows transfer of personal data outside India, except to countries notified by the central government.  
  • This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
• Issues with the Data Protection Board:
  • The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment.  
  • The short term with scope for re-appointment may affect the independent functioning of the Board.

Way Ahead

• Responding to concerns raised on various accounts, IT Minister stated that exemptions to the Centre were needed to deal with cases like,
  • A natural disaster, wherein the government should not wither time to seek consent for processing their data as it has to act quickly to ensure safety. 
  • If the police are conducting an investigation to catch an offender, should their consent be taken.
• He also added that the European Union’s General Data Protection Regulation (GDPR) has 16 exemptions, but India’s Bill has four exemptions.