The Centre on November 18 released a revised draft of the Digital Personal Data Protection Bill, 2022, with an increased focus on personal data as a fundamental right, as ruled by the Supreme Court. The earlier bill was slammed by privacy experts and tech firms alike, primarily owing to its clauses regarding the local storage of data. The revised draft appears to be friendlier towards cross-border data flows and to offer easier compliance for startups, but at the same time it imposes a heavy penalty for non-compliance.
So, what changes has the new draft brought in? And how will it affect tech companies in the country? Let’s take a closer look.
What did the earlier Personal Data Protection Bill entail? Why was it removed?
The Personal Data Protection Bill was introduced in the Lok Sabha in December 2019. Drafted by the Justice Srikrishna Committee a year earlier, the bill proposed a set of rules that would dictate how personal data should be processed and stored, seeking to set up a Data Protection Authority in India to protect the digital privacy of individuals.
It also listed people’s rights when it came to their personal data.
After being introduced in the Lok Sabha, a draft of the bill was referred to the Joint Parliamentary Committee (JPC) in December 2021 before being tabled in the Parliament after six extensions.
The committee would then go on to recommend 81 amendments to the bill (which had 99 sections). An additional list of a dozen major recommendations was made by the JPC.
The Bill was heavily slammed by privacy experts, as it was deemed to be more beneficial to central agencies, allowing them to freely obtain data under certain conditions.
The bill also proposed the handling of non-personal data under the data law on individual privacy, which was also heavily criticised.
Furthermore, big tech firms such as Amazon, Google, and Meta raised objections to some of the bill’s provisions that would mandate local storage of data and also the processing of some sensitive information within the country. It also looked to provide exemptions to the government’s own probe agencies from the Act’s provisions, which saw a huge uproar from the opposition.
The Centre would eventually withdraw the Bill in August 2022.
What the revised Digital Personal Data Protection Bill, 2022, brings to the table
For starters, the revised draft enforces a penalty of Rs 250 crores on firms if the personal safety of user data is compromised in any way. This falls in line with India’s apex court ruling that personal data is a personal right and should be protected accordingly.
The new draft also offers a relaxed stance on data flow across borders as well as comparatively easier compliance rules for startups.
In an explanatory note, the Ministry of Electronics and Information Technology (MeitY) detailed the seven principles of data economy on which the bill is based.
Here’s what MeitY said:
“The first principle is that usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals. The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected. The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected. The fourth principle of accuracy of personal data is that reasonable effort is made to ensure that the personal data of the individual is accurate and kept up to date. The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected. The sixth principle is that reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent personal data breach. The seventh principle is that the person who decides the purpose and means of processing of personal data should be accountable for such processing.”
The ministry is inviting feedback from the public on the draft Bill. The submissions won’t be disclosed publicly. The last date to submit comments is December 17.
Submit comments here 👇 https://t.co/2Y2Z2aqs8B
— Ashwini Vaishnaw (@AshwiniVaishnaw) November 19, 2022
How the new Digital Personal Data Protection Bill will affect companies, state instrumentalities
The Internet Freedom Foundation (IFF), which is a national advocacy body on digital rights and liberties, has offered a detailed review of the new draft Bill after its ‘First Read’.
The IFF said that the new Bill still exempts “instrumentality of the State” if it falls under the interests of “sovereignty and integrity” of India. The body said that the Bill would give a free rein to State surveillance, which could result in an immense violation of the privacy of citizens.
“Any exemption sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse of use,” the IFF noted.
The Bill also proposes the formation of a Data Protection Board, which will oversee all the proposed provisions. The IFF observed that this board is not independent, which might hamper the “independence needed to sufficiently protect the interests of Data Principals. As a result, the board may perpetuate the hierarchies of the government setup.”
Speaking on the non-localised data transfer proposals, the IFF said that the Bill doesn’t specify the standards by which the Centre can decide to which countries data transfers can be allowed. “This enables arbitrary exercise of power where countries may be selected or not selected based on considerations other than protection of personal data of Indians,” the IFF noted.
The IFF drove hard on the seeming vagueness of the Bill. It said that the phrase “as may be prescribed” has been mentioned 18 times. “This is symbolic of the vague and unchecked powers that the Union Government has retained for itself to frame rules at a later stage in the absence of legislative guidance.”
The IFF, however, did mention that there have been some positive additions as well. For starters, fiduciaries will now have to notify the Board and Data Principals whenever there is a breach of data, irrespective of its nature, bringing a sense of transparency that was earlier absent.
Additionally, the Bill has also clearly mandated that companies cannot track or monitor the behaviour of children or direct targeted ads at minors.
So, while the new draft does put a tight leash around companies in terms of transparency in handling breaches or handling data from underage users, there still remains a vacuum when it comes to Central control on the overall implementation of the Bill.