A Digital Personal Data Protection (DPDP) Bill has been drafted by the Ministry of Electronics and Information Technology. A data protection law must protect and balance people’s fundamental rights to privacy and information, which are derived from the Constitution. Sadly, this Bill fails on both counts.
Why do we require data security?
- Increasing internet use: India currently has over 750 million Internet users, with the number only expected to increase in the future.
- Data breaches: At the same time, India has one of the world’s highest rates of data breaches. Without a data protection law, the personal information of millions of Indians continues to be exploited, sold, and misused without their knowledge.
- Individual privacy may be jeopardised as a result of data monetization. The most sought-after datasets contain sensitive personal data about individuals, such as medical histories and financial information.
- Absence of writs against corporate action: Corporate action or misconduct, unlike state action, is not subject to writ proceedings in India. This is due to the fact that fundamental rights are generally not enforceable against private non-state entities. As a result, individuals have few options for resolving private disputes.
DPDP Bill, 2022 is based on seven principles
According to the bill’s explanatory note, it is founded on seven principles:
- The first is that “the use of personal data by organisations must be lawful, fair to the individuals concerned, and transparent to individuals.”
- Personal data must only be used for the purposes for which it was collected, according to the second principle.
- Data minimisation: Only the information required to complete a task should be collected.
- Data precision: At the time of collection. There should be no duplicates.
- Storage duration: The fifth principle states that personal data should not be “stored perpetually by default,” and that storage should be limited to a set period of time.
- Authorized collection and processing: Reasonable safeguards should be in place to ensure “no unauthorised collection or processing of personal data.”
- User accountability: The person who determines the purpose and means of processing personal data should be held accountable for such processing.
Why does the Bill need to go through a rigorous pre-legislative consultation process?
- The provisions of the Right to Information (RTI) Act are weakened: The Bill aims to weaken the provisions of the Right to Information Act, which has given citizens the ability to access information and hold governments accountable. Individual rights are most frequently violated and corruption thrives behind the veil of secrecy.
- Fails to protect people’s right to privacy: The proposed Bill gives the Central Government broad discretionary powers, failing to protect people’s right to privacy.
- For example, Section 18 empowers the Central Government to exempt any government or private sector entity from the Bill’s provisions simply by issuing a notification.
- The Bill does not ensure the Data Protection Board’s independence: Given that the government is the largest data repository, it was critical that the oversight body established by the law be sufficiently independent to act on violations of the law by government entities. The Bill does not guarantee the independence of the Data Protection Board, the institution in charge of enforcing the law’s provisions.
- Direct government control over the Data Protection Board: The Central Government has the authority to determine the Board’s strength and composition, as well as the process of selecting and removing its chairperson and other members.
- Serious apprehensions of its misuse by the executive: The Central Government is also empowered to delegate any functions under the provisions of this Act or any other law to the Board.
- Going digital by design fails those without meaningful access: The Bill requires the Data Protection Board to be “digital by design,” including the receipt and disposition of complaints. The following are the results of a survey conducted by the National Institute of Standards and Technology. As a result, the DPDP Bill effectively fails millions of people who do not have meaningful Internet access.
@the end
When this bill is signed into law, the government will have the authority to exempt not only government agencies, but any entity that collects user data, from having to comply with the provisions of this bill.
Source: https://www.thehindu.com/opinion/op-ed/the-problems-with-the-data-protection-bill/article66531928.ece