The Ministry of Electronics and Information Technology came out with the Digital Personal Data Protection Bill, 2022 on 18 November. The bill primarily focuses on the key aspects of data privacy and protection for the Indian netizen. Its predecessor was withdrawn in August earlier this year so that some essential changes and amendments could be made to it. The previous bill focused on data privacy and the usage of data by corporations and platforms, defining the roles of a data fiduciary and a data principal, which are seen in the new bill as well. The new bill is a revamp of the older one, with new issues addressed. This bill will be essential in creating a safe cyberspace for the Indian netizen.
Data Privacy in India
India is a nation of diversity and culture, so the interpretation of data privacy and protection differs in different parts of the country. People in metropolitan cities show high awareness of data privacy and related issues; the opposite is true among the rural population. Here lies the massive problem: people in tier 3 cities and villages make up a large share of the victims of cyber crimes. The main reason is unawareness and ignorance of technology. Since privacy is still considered more of a physical matter, the majority of people fail to understand that technology is not the cybercriminal; it is a medium used by cybercriminals. Despite an exponential rise in internet penetration, the population still remains vulnerable to such threats.
Essential Aspects of the Bill
The bill highlights the following key aspects:
- Data Fiduciary: The entity (can be an individual, company, firm, state, etc.) which decides the purpose and means of the processing of an individual's personal data.
- Data Principal: The individual to whom the personal data relates.
- Processing: The entire cycle of operations that can be carried out in respect of personal data.
- Gender Neutrality: For the first time in India's legislative history, "her" and "she" have been used to refer to individuals irrespective of gender.
- Right to Erase Data: Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
- Cross-border Data Transfer: The bill allows cross-border data transfer after an assessment of relevant factors by the Central Government.
- Children's Rights: The bill guarantees the right to digital privacy under the protection of parents/guardians.
- Heavy Penalties: The bill enforces heavy penalties for non-compliance with the provisions, which are not to exceed Rs 500 crore.
Data Protection Board
The bill lays down provisions for setting up a Data Protection Board. This board will be an independent body acting solely on matters of data privacy, protection of data principals, and compliance by data fiduciaries. The board will be headed by a chairperson with essential and relevant qualifications, who shall be assisted by members and various other officials under the board. The board will provide grievance redressal to data principals and has the power to conduct investigations, inquiries, and proceedings, and to pass orders equivalent to those of a Civil court. Proceedings will be undertaken on the principle of natural justice, and the aggrieved can file an appeal to the High Court of appropriate jurisdiction.
Key Principles of the Bill
The bill aims to tackle the issues of data protection from a new perspective and is based on the following seven fundamental principles:
- First Principle (Usage)
  - The usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned, and transparent to individuals.
- Second Principle (Purpose of Limitation)
  - Personal data must only be used for the purposes for which it was collected.
- Third Principle (Data Minimisation)
  - Only those items of personal data required for attaining a specific purpose must be collected.
- Fourth Principle (Principle of accuracy)
  - Reasonable effort is made to ensure that the personal data of the individual is accurate and kept up to date.
- Fifth Principle (Storage Limitation)
  - Personal data is not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.
- Sixth Principle (Reasonable safeguards)
  - There should be no unauthorized collection or processing of personal data.
- Seventh Principle (Accountability)
  - The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
The bill has come out following a series of legislative revamps across the Information Technology spectrum: the Intermediary Rules were enacted recently, and the new telecommunication bill was also introduced. This bill will surely contribute massively towards safeguarding the netizen and creating a wholesome, secure cyberspace. Although the penalties in the bill seem steep for data fiduciaries, they will result in efficient and effective compliance with the law, thus opening various avenues for the platforms as well as the users.