November 28, 2022
/ By Kumar Gaurav / New Delhi
The 2022 Bill only applies to “digitised” personal data and makes no mention of non-personal data
After it was forced to withdraw the Personal Data Protection Bill, 2019, which seeks to govern and safeguard the use of personal data, due to serious concerns of the Parliamentary Standing Committee on Communication and Information Technology, the Ministry of Electronics and Information Technology’s (MeitY) has refloated a revised draft in the public domain for consultations and comments which is open until December 17.
Reports indicate that the government is keen to place the bill on the table of the Parliament in the upcoming Winter Session for an early passage. But the revised version, too, has run into a stiff criticism from civil rights and privacy activists with at least one of them saying it wants the revised version, too, to be withdrawn and that the government ought to hold fully transparent consultations and take into account the concerns over the wide ranging powers that proposed bill will bestow on the government.
“We are going to ask for the recall of the Bill itself. This draft has gotten worse. The Bill has been simplified a lot. And, for simplifying the provisions, other concessions have been made which have reduced the users’ protections as a result. For example, a lot of important provisions have been left to be added or prescribed for a later date, which means that this Bill cannot be assessed completely because a lot of its provisions have not been made clear right now,” Anushka Jain, associate counsel (Transparency & Right to Information), of IFF tells Media India Group.
There have been several discussions about the need for a law to protect data privacy and privacy in a wider sense in India for several years. A landmark ruling in this matter was passed by the Supreme Court five years ago. A nine-judge bench of the Supreme Court declared in its landmark decision of K S Puttaswamy versus Union of India in 2017 that ‘‘The right to privacy is a part of fundamental rights, which can be traced to Articles 14, 19, and 21 of the Constitution of India.’’ Since the ruling, the government has been forced to take the right to privacy into consideration while drafting any bill that deals with the rights of the individual.
IFF says it has asked the government to hold transparent and deliberative public discussions in a comprehensive manner to address all the issues that are covered in the draft. The NGO has also asked the ministry to keep the drafting and review process for a draft Digital India Bill and the DPDPB in line with the Pre-Legislative Consultation Policy (“PLCP”), 2014, adopted on February 5, 2014.
Ministry of Electronics and IT (MeitY) claims that the new draft strikes a delicate balance and factors in learning from global approaches, while staying aligned to the Supreme Court’s ruling on privacy as a fundamental right, but within reasonable restrictions. The proposed draft identifies the Data Fiduciary as an entity (individual, company, firm, state, etc.) which decides the “purpose and means of the processing of an individual’s personal data.” Significant Data Fiduciaries are those who deal with a high volume of personal data.
One of the biggest concerns is about the regulation of the fiduciaries and their accountability. “Clause 5 of the last bill has been included in Clause 18 of this bill, which says that “state agencies and state instrumentalities,” as this bill says, will be exempt from the purview of this bill. However, 18(2) now also says that data fiduciaries may be exempted by the government. This means that even private entities will be exempt from the purview of the government, and how this will be decided has not been made clear. It says that this will be done on the basis of data and the volume of data. Does that mean that if the volume of data is extremely high, then the government can exempt them? That defeats the purpose of the bill itself. Because of the need for data protection, the bill must cover entities that process a large amount of data,” says Jain.
Another major lacuna in the current daft, according to the IFF, concerns the regulator and adjudicator of data privacy in India, the Data Protection Board. Clauses 19, 20, and 21 of the proposed bill prescribe several provisions under which it empowers the government to constitute a Data Protection Board as an independent body to enforce the provisions of the bill and impose penalties for non-compliance. The composition, qualifications, and experience in terms of appointment and removal, as well as the process of selection of the members of the board, are unclear and left to be decided by the government.
“The importance of the data protection board cannot be overstated because only an independent data protection board can ensure that the user’s rights and interests, which take precedence over any other interest, whether it be the government’s or private entities’, are protected. However, if the data protection board is not independent in that situation, it may end up protecting the government’s interests over the user’s interests. This, in turn, will harm the individual’s right to privacy, which contradicts the very tenet upon which this bill is based,” warns Jain.
The 2022 Bill only applies to “digitised” personal data and makes no mention of non-personal data. It eliminates the distinction between sensitive and critical personal data, as well as making provisions for non-personal data, algorithmic accountability, data portability, and a governing framework for hardware and software certification. Data localisation references have also been taken down.
“The earlier privacy bill on data protection was withdrawn due to constant lobbying by multinational companies who had been using the data of Indian users freely. The earlier bill had proposed strict conditions on the cross-border data flows. In fact, the government earlier wanted to reign in the multination companies for making data sacrosanct but later on yielded it before the pressure of the big technical giants who had been lobbying to dilute the stringent conditions and also lessening the compliances burden above them. The multinational companies also used the US pressure to easing out the conditions of the earlier bill,” Hasan Khurshid, a senior law journalist and author, tells Media India Group.
The DPDP-22 proposes harsh penalties on businesses for data breaches and if they fail to notify users when the breaches occur. It also specifies a maximum penalty of INR 5 billion in each case. The draft further says that both data processors and data fiduciaries can face fines of up to INR 2.5 billion if reasonable security safeguards to prevent the personal data preaches have to been implied. However, Clause 18 of the DPDPB-22 contains several provisions that empower the government to exempt state agencies in the interest of India’s sovereignty, integrity, and security, as well as the maintenance of public order or the prevention of incitement to any cognisable offence related to these. The exceptions are further extended to the data fiduciaries as well as the countries with which India has friendly relations.
Finding a reasonable balance between the right to privacy principles and admissible exceptions in this case presents a significant challenge, particularly when it comes to the processing of personal data by the government, say the activists.
“This is another big drawback of the latest privacy bill, as is the provision that allows the government to access and use the data if the same is required in the national or public interest. It says that national or public interest is of more importance than the interest of the individual. This will be unconditional access of any data if invoked, which may raise the question of the personal privacy of the individual, which is his sacrosanct right,’’ Khurshid adds.
‘‘The Ministry must proactively publish information on all its working groups on draft legislations, including any position papers/ white papers and internal minutes of meetings of all inter-departmental groups, in line with the public authority’s obligations under Sections 4(1)(b) and 4(1)(c) of the Right to Information Act, 2005,’’ IFF has told the ministry in a letter on the revised draft.
“One of the problems in policy-making in India has been the lack of public consultations on the policies that are made for the public. Policies are made for the public without even consulting them. Although the government has invited the public comments on the ‘Digital Personal Data Protection Bill’, I feel there has to be a better mechanism through which the public can participate in the consultation process. As per the Pre-Legislative Consultation Policy, 2014, the concerned ministry should make every endeavour to give wide publicity to the bill and the feedback and the comments should be made public,” Shipra Raj, assistant professor of Communication & Public Policy at the Delhi School of Journalism, University of Delhi tells Media India Group.
“Public deliberations are key to successful public policy-making and all those who are impacted by this policy must have the first right to participate in these deliberations. Including citizens in policy debate should be encouraged and in the age of digital media it has become even easier and a wide range of mechanisms are available that include citizen juries, polling, conferences and workshops,” she adds.
In this digitally equipped world, concerns related to data privacy and security have occupied the centre stage. An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, with Africa and Asia showing 61 pc (33 countries out of 54) and 57 pc adoption respectively, according to data from the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat. Only 48 pc of Least Developed Countries (22 out of 46) have data protection and privacy laws.
In the European Union, the right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her rights over the data she generates. Concerns related to data privacy are managed by the General Data Protection Regulation (GDPR) across the European Union (EU). GDPR was approved by the European Parliament on April 14, 2016 and went into effect on May 25, 2018 by replacing the EU Data Protection Directive of 1995. GDPR is seen as the gold standard for privacy rights and has become a model legislation for many other countries around the world.
US has several limited sector-specific regulations as the approach to data protection is different for the public and private sectors. The activities and powers of the government vis-à-vis personal information are well-defined and addressed by broad legislation pieces such as the Privacy Act and the Electronic Communications Privacy Act.
The IFF says that it is still awaiting a government response to its queries, concerns and suggestions. It says that an ideal data protection law design must be future-proof; it should not be overly detailed and concentrate on offering answers to present-day problems while ignoring issues that may arise in the future, given the speed at which technology is developing.
Your email address will not be published.
November 23, 2022
November 20, 2022
November 19, 2022
October 5, 2022
August 29, 2022
November 28, 2022
November 28, 2022
Media India Group is a global platform founded in 2004, based in Europe and India, encompassing publishing, communication, consultation services and event management.
November 28, 2022
November 25, 2022
November 24, 2022
Copyright © 2022 mediaindia.eu – All rights reserved.