- GS-2: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.
- GS-2: Statutory, regulatory and various quasi-judicial bodies
Personal Data Protection Bill
Context: The pandemic has forced more people to participate in the digital economy, which has brought focus onto the Personal Data Protection Bill drafted by the Union Government.
Unfortunately, the existing data protection regime in India does not meet this standard. The current data protection regime falls short of providing effective protection to users and their personal data.
Data Protection – Issues
- Increasing Breaches: The number of personal data breaches from major digital service providers has increased. Robust data protection regimes are necessary to prevent such events and protect users’ interests.
- Misuse of Terms & Conditions: Entities could override the protections in the regime by taking users’ consent to processing personal data under broad terms and conditions. This is problematic given that users might not understand the terms and conditions or the implications of giving consent.
- Data Privacy: Frameworks emphasise data security but do not place enough emphasis on data privacy.
- Data Processing: While entities must employ technical measures to protect personal data, they have weaker obligations to respect users’ preferences in how personal data can be processed. Entities could use the data for purposes different to those that the user consented to.
- Checks on Government Collection of Data: The data protection provisions under the existing IT Act also do not apply to government agencies. This creates a large vacuum for data protection when governments are collecting and processing large amounts of personal data.
- The regime seems to have become antiquated and inadequate in addressing risks emerging from new developments in data processing technology.
How does the Personal Data Protection Bill, 2019 address the above issues?
It could play a big role in providing robust protections to users and their personal data.
- Applicable to all: The Bill seeks to apply the data protection regime to both government and private entities across all sectors.
- Covers Data Privacy: The Bill seeks to emphasise data security and data privacy. While entities will have to maintain security safeguards to protect personal data, they will also have to fulfill a set of data protection obligations and transparency and accountability measures that govern how entities can process personal data to uphold users’ privacy and interests.
- Autonomy to Users: The Bill seeks to give users a set of rights over their personal data and means to exercise those rights.
- Independent Regulator: The Bill seeks to create an independent and powerful regulator known as the Data Protection Authority (DPA). The DPA will monitor and regulate data processing activities to ensure their compliance with the regime. More importantly, the DPA will give users a channel to seek redress when entities do not comply with their obligations under the regime.
Concerns with the Bill
- Several provisions in the Bill create cause for concern about the regime’s effectiveness. These provisions could contradict the objectives of the Bill by giving wide exemptions to government agencies and diluting user protection safeguards.
- The central government can exempt any government agency from complying with the Bill. Government agencies will then be able to process personal data without following any safeguard under the Bill. This could create severe privacy risks for users.
- Users could find it difficult to enforce various user protection safeguards (such as rights and remedies) in the Bill. The Bill threatens legal consequences for users who withdraw their consent for a data processing activity.
- This could discourage users from withdrawing consent for processing activities they want to opt out of.
- Additional concerns also emerge about the DPA as an independent and effective regulator that can uphold users’ interests.