Security Issues

Monsoon Session Data Protection Bill

The Union government informed the Supreme Court that a new law, the Digital Personal Data Protection Bill, 2022, was “ready” to enforce individual privacy in online space.

Background on Data Legislation

  • The measure to protect personal data has been in the works for almost five years.
  • After a year of consultation, an expert group led by Justice B.N. Srikrishna submitted the first draft of the Bill in July 2018.

DPDP Bill, 2022 is based on seven principles

  • Lawful use: According to the bill’s explanatory note, it is founded on seven principles. The first is that “the use of personal data by organisations must be lawful, fair to the individuals involved, and transparent to individuals.”
  • According to the second principle, personal data must be used only for the objectives for which it was collected.
  • Data minimisation: Only the information required to complete a task should be gathered.
  • Data precision: Personal data should be accurate at the time of gathering, and there should be no duplicates.
  • Storage duration: The fifth principle states that personal data should not be “stored perpetually by default,” and that storage should be limited to a set period of time.
  • Authorized collection and processing: Reasonable controls should be in place to ensure “no unauthorised collection or processing of personal data.”
  • User accountability: The person who determines the purpose and means of processing personal data should be held accountable for such processing.

Key features of the bill

(1) Data Principal and Data Fiduciary

  • The phrase “Data Principal” is used in the bill to refer to the person whose data is being gathered.
  • The phrase “Data Fiduciary” refers to the entity (which might be a human, company, firm, state, or other body) that determines the “purpose and means of processing an individual’s personal data.”
  • The law also recognises that in the case of children – defined as all users under the age of 18 – their parents or legal guardians would be deemed their “Data Principals.”

(2) Defining personal data and its processing

  • Personal data, according to the legislation, is “any data by which or in relation to which an individual can be identified.”
  • Processing is defined as “the entire cycle of operations that can be performed on personal data.”
  • According to the statute, data processing includes everything from data collecting to data storage.

(3) Individual’s informed consent

  • The bill also specifies that individuals must provide consent before their data is processed.
  • Every individual should be aware of the types of personal data that a Data Fiduciary wishes to collect, as well as the purpose of such collection and subsequent processing.
  • Individuals may also withdraw consent from a Data Fiduciary.
  • The measure also grants consumers the opportunity to register a complaint with the Data Protection Board if they do not receive a suitable response from a “Data Fiduciary.”

(4) Language of information

  • The bill also assures that persons have “access to basic information” in the languages listed in the Indian Constitution’s eighth schedule.
  • Furthermore, the notification of data collection must be written in plain and simple language.

(5) Significant Data Fiduciaries

  • The bill also mentions “Significant Data Fiduciaries,” who deal with large amounts of personal data.
  • The Central Government will determine who falls into this group based on a variety of variables ranging from the volume of personal data collected to the possibility of harm to India’s sovereignty and integrity.

(6) Data protection officer & Data auditor

  • Such entities will be required to establish a “data protection officer” to represent them.
  • They will be the point of contact for any grievances.
  • They will also be required to employ an independent Data auditor to assess their compliance with the act.

(7) Right to erase data, right to nominate

  • Data principals will have the right to request that data gathered by the data fiduciary be erased and corrected.
  • They will also be able to choose someone to exercise these rights in the case of the data principal’s death or incapacity.

(8) Cross-border data transfer

  • The measure also permits data storage and transfer across borders to “certain notified countries and territories.”
  • However, such a notification would be preceded by an examination of relevant circumstances by the Central Government.

(9) Financial penalties

  • The proposal also suggests harsh fines for organisations that suffer data breaches or fail to notify users when breaches occur.
  • Entities that do not implement “reasonable security safeguards” to avoid personal data breaches face fines of up to Rs 250 crore.
  • According to the draft, the Data Protection Board, a new regulatory agency to be established by the government, can levy a penalty of up to Rs 500 crore if a person’s noncompliance is deemed serious.

Some criticisms of the bill

  • Wordplay: One objection to the Bill is its use of ambiguous terminology such as “as needed” or “as may be prescribed.”
  • Government monopoly: The Bill does not appear to safeguard people, but rather assures that the government keeps absolute authority without any checks or balances.
  • Exemption provisions: When this measure is signed into law, the government will have the authority to exclude not only government agencies, but any entity that collects user data, from having to comply with the rules of this bill.
  • No data breach protection: The Executive in India has a history of exploiting such provisions to increase its powers. Individuals have no entitlement to compensation in the event of a data breach, and they do not have the right to data portability.

@the end

  • It takes a lot of effort to craft such important legislation. It may take more trial and error to succeed.
  • Creating a thorough legal framework will undoubtedly take considerable time and thought.