All About the Digital Personal Data Protection Bill, 2022 | Explained
Explained: The Bill is concerned with the jurisdiction over the processing of digital personal data in India

The draft data protection Bill is scheduled to be presented before the Union Cabinet today, and upon approval, it is expected to be introduced in the upcoming Monsoon session of Parliament, according to reports.

The initial draft of the Bill was introduced in November of the previous year and underwent several rounds of public consultation. Taking into account the feedback received during these consultations, a second draft was prepared and subsequently underwent inter-ministerial discussions.

An anonymous senior government official told Indian Express, “The Cabinet is expected to take up the Digital Personal Data Protection Bill, 2022 on Wednesday, and once it receives approval, the Bill will be presented in the upcoming Parliament session.”

This Bill is a crucial component of the broader framework of technology regulations being developed by the government, which also includes the Digital India Bill (the proposed successor to the Information Technology Act, 2000), the Indian Telecommunication Bill, 2022, and a policy governing non-personal data.

Digital Personal Data Protection Bill, 2022

The Bill will have jurisdiction over the processing of digital personal data in India. This includes data collected online or offline and later digitized. The Bill will also apply to the processing of data outside of India if it involves offering goods or services or profiling individuals in India.

Under the Bill, personal data can only be processed for lawful purposes with the individual’s consent. In certain cases, consent may be implied. Data fiduciaries are required to ensure the accuracy and security of the data and delete it once its purpose has been fulfilled.

The Bill grants individuals certain rights, including the right to access information, request corrections and deletions, and seek redressal for grievances, according to PRS India.

The government may exempt its agencies from certain provisions of the Bill based on specified grounds such as national security or public order.

To enforce compliance with the Bill, the government will establish the Data Protection Board of India. However, exemptions granted to the government for data processing on grounds like national security raise concerns about the potential violation of the right to privacy.

The Bill treats private and government entities differently regarding consent and storage limitations, which may violate the right to equality.

The composition and functioning of the Data Protection Board of India will be determined by the central government, raising questions about its independence.

The Bill does not provide for the right to data portability or the right to be forgotten.

Data fiduciaries must obtain verifiable consent from the legal guardian before processing a child’s personal data. This requirement may have implications for anonymity in the digital realm.

Key Features

Scope of Application: The Bill will be applicable to the processing of digital personal data in India, whether collected online or offline and digitized. It will also apply to the processing of personal data outside of India if it involves offering goods or services or profiling individuals in India. Personal data refers to any data that can identify an individual, and processing includes activities such as collection, storage, use, and sharing, according to PRS India.

Consent: Personal data can only be processed for lawful purposes with the individual’s consent. Consent must be obtained through a notice that provides details about the data to be collected and the purpose of processing. Individuals have the right to withdraw consent at any time. Consent is deemed given in certain cases where processing is necessary for functions under the law, provision of services or benefits by the State, medical emergencies, employment purposes, and specified public interest purposes like national security and fraud prevention. For individuals below 18 years of age, consent will be provided by their legal guardian.

Rights and Duties of Data Principals: Data principals (individuals whose data is being processed) have the right to access information about processing, request correction and erasure of their personal data, nominate another person to exercise their rights in case of death or incapacity, and seek grievance redressal. Data principals also have certain duties, including not registering false or frivolous complaints and providing accurate information. Violation of these duties may result in penalties.

Obligations of Data Fiduciaries: Data fiduciaries, the entities determining the purpose and means of processing, must make efforts to ensure data accuracy and security. They must implement reasonable security safeguards to prevent data breaches and inform the Data Protection Board of India and affected individuals in case of a breach. Personal data should be deleted once the purpose of processing has been fulfilled, except when retention is necessary for legal or business purposes. The storage limitation requirement does not apply to government entities.

Transfer of Personal Data outside India: The central government will notify countries where data fiduciaries can transfer personal data. Such transfers will be subject to prescribed terms and conditions.

Exemptions: Certain rights of data principals and obligations of data fiduciaries, except for data security, may not apply in specific cases such as prevention and investigation of offences and enforcement of legal rights. The central government can exempt certain activities through notification, including processing by government entities in the interest of state security and public order, as well as research, archiving, or statistical purposes.

Data Protection Board of India: The central government will establish the Data Protection Board of India, which will monitor compliance, impose penalties, direct data fiduciaries in case of data breaches, and address grievances. The government will determine the composition, selection process, terms and conditions of appointment, and removal procedure for the Board.

Penalties: The Bill specifies penalties for various offences, ranging from up to Rs 150 crore for non-fulfillment of obligations concerning children’s data to up to Rs 250 crore for failure to implement security measures to prevent data breaches. The Board will impose penalties after conducting an inquiry.
