Science and Technology
Context: A data protection law must safeguard and balance peoples’ right to privacy and their right to information, which are fundamental rights flowing from the Constitution.
Key features of the Digital Personal Data Protection Bill:
- The Ministry of Electronics and Information Technology has drafted a Digital Personal Data Protection (DPDP) Bill.
Significance of the bill:
- The purpose of the bill is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
- It is India’s first attempt to domestically legislate on the issue of data protection.
The categories of Data created by the Bill are as follows:
Personal data:
- Data from which an individual can be identified like name, address etc.
- No Data Mirroring is required.
- Individual consent will suffice.
Sensitive personal data (SPD):
- Some types of personal data like as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more.
- To be stored only in India.
- It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).
Critical personal data:
- Anything that the government at any time can deem critical, such as military or national security data.
- Critical personal data must be stored and processed in India.
Non-Personal Data:
- The Bill mandates fiduciaries to provide the government any non-personal data when demanded.
- The ‘data fiduciary’ may be a service provider who collects, stores and uses data in the course of providing such goods and services.
- Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
- The previous draft did not apply to this type of data, which many companies use to fund their business model.
Impact on Social Media Companies:
- Significant Data Fiduciaries (the fiduciaries with huge volume and processing sensitive data) have to develop their own user verification mechanism.
- It will reduce the anonymity of users and decrease trolling, fake news and cyberbullying.
- Exemptions for Data Processing without consent:
- They have been provided for reasonable purposes like
- Security of the state.
- Detection of any unlawful activity or fraud.
- Whistleblowing etc
Creation of Independent Regulator:
- The Bill calls for the creation of an independent regulator Data Protection Authority, which will oversee assessments and audits and definition-making.
- Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.
- The Bill proposes “Purpose limitation” and “Collection limitation” clause, which limit the collection of data to what is needed for “clear, specific, and lawful” purposes.
Control Over Data:
- It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
- The right to be forgotten is also given.
- With historical roots in European Union law, General Data Protection Regulation (GDPR), this right allows an individual to remove consent for data collection and disclosure.
Penalty – The Bill stated the penalties as:
- Rs 5 crore or 2 percent of worldwide turnover for minor violations and Rs 15 crore or 4 percent of total worldwide turnover for more serious violations.
- Also, the company’s executive-in-charge can also face jail terms of up to three years.
Problems associated with the Bill:
In conflict with RTI Act:
- The Bill is criticised for seeking to dilute the provisions of the Right to Information (RTI) Act, which has empowered citizens to access information and hold governments accountable.
- The RTI Act includes a provision to protect privacy through Section 8(1)(j).
- In order to invoke this section to deny personal information, at least one of the following grounds has to be proven.
- The information sought has no relationship to any public activity or public interest or is such that it would cause unwarranted invasion of privacy and the Public Information Officer is satisfied that there is no larger public interest that justifies disclosure.
- The proposed bill seeks to amend this section to expand its purview and exempt all personal information from the ambit of the RTI Act.
In conflict with the Right to privacy:
- By empowering the executive to draft rules on a range of issues, the proposed Bill creates wide discretionary powers for the Central government and thus fails to safeguard people’s right to privacy.
No autonomy for the Data Protection Board:
- The bill does not ensure autonomy of the Data Protection Board, the institution responsible for enforcement of provisions of the law.
- Given that the government is the biggest data repository, it was imperative that the oversight body set up under the law be adequately independent to act on violations of the law by government entities.
Digital by design:
- The Bill stipulates that the Data Protection Board shall be ‘digital by design’, including receipt and disposal of complaints.
- As per the latest National Family Health Survey, only 33% of women in India have ever used the Internet.
- The Bill, therefore, effectively fails millions of people who do not have meaningful access to the Internet.
Way Forward:
Therefore the challenge lies in finding an adequate balance between the right to privacy of data principles and reasonable exceptions, especially where government processing of personal data is concerned. The DPDP Bill needs to be suitably amended and harmonised with the provisions and objectives of the RTI Act.
Given the rate at which technology evolves, an optimum data protection law design needs to be future proof — it should not be unduly detailed and centred on providing solutions to contemporary concerns while ignoring problems that may emerge going forward.
Source: The Hindu
Previous Year Question
Q.1) ‘Right to Privacy’ is protected under which Article of the constitution of India? (2021)
- Article 15
- Article 19
- Article 21
- Article 29