Why in News?

• The Lok Sabha allowed the introduction of the long-awaited Digital Personal Data Protection Bill, 2023, amid demands from opposition parties that the proposed law be referred to a Parliamentary committee.
• The Bill seeks to provide for the protection of personal data and the privacy of individuals. 

What’s in Today’s Article?

• Digital Personal Data Protection Bill (Need, Key Provisions, Significance, Criticism, etc.)
• How Digital Data is Protected in Other Countries?
• Conclusion

Need for Digital Personal Data Protection Bill, 2023:

• Personal data is defined as any data about an individual who is identifiable by or in relation to such data.
• Ministry of Electronics and Information Technology has drafted the Bill to provide guidance and best practice rules for organisations and the government to follow on how to use personal data including – regulating the processing of personal data.

Key Features of Digital Personal Data Protection Bill, 2023:

• Applicability –
  • The Bill will apply to the processing of digital personal data within India.
  • It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India.
• Consent –
  • Personal data may be processed only for a lawful purpose for which an individual has given consent. A notice must be given before seeking consent. 
  • Notice should contain details about the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time.
  • For individuals below 18 years of age, consent will be provided by the legal guardian.
• Rights and Duties of Data Principal –
  • An individual, whose data is being processed (data principal), will have the right to
    • obtain information about processing,
    • seek correction and erasure of personal data,
    • nominate another person to exercise rights in the event of death or incapacity
• Transfer of Personal Data outside India –
• The central government will notify countries where a data fiduciary may transfer personal data.
• Transfers will be subject to prescribed terms and conditions.
• Exemptions –
  • Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include
    • prevention and investigation of offences, and
    • enforcement of legal rights or claims.
  • The central government may, by notification, exempt certain activities from the application of the Bill. These include
    • processing by government entities in the interest of the security of the state and public order, and
    • research, archiving, or statistical purposes.
• Data Protection Board of India –
  • The central government will establish the Data Protection Board of India.
  • Key functions of the Board include
    • monitoring compliance and imposing penalties,
    • directing data fiduciaries to take necessary measures in the event of a data breach, and
    • hearing grievances made by affected persons.
• Penalties –
  • Rs 200 crore for non-fulfilment of obligations for children, and
  • Rs 250 crore for failure to take security measures to prevent data breaches.

Significance of the Bill:

• The Bill frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand.
• The Bill will keep the personal data of a user safe, and give them more liberty on how to port their personal data.
• The bill aims to make entities like internet companies, mobile apps, and business houses more accountable and answerable about collection, storage and processing of the data of citizens as part of "Right to Privacy".

What are the Concerns w.r.t. the Bill?

• Some of the most contentious issues include –
  • Wide-ranging exemptions to the government and its agencies,
  • Dilution of powers of the data protection board,
  • Amendment to the Right to Information Act, 2005.
• The concerns around diluting the RTI Act emanate from the fact that the Bill has a provision to amend the Act that would prohibit sharing of details linked to personal information of government officials.
  • Currently, the exemption only applies when such information does not serve larger public interest.
  • However, the Bill proposes to remove the public interest caveat.
• Also, the Bill overrides Section 43A of the Information Technology Act, 2000 which requires companies which mishandle user data to compensate users.
  • Government sources said this was because “compensation is a judicial process”.

How do Other Countries Regulate Data Privacy?

• About 70% of countries worldwide have some form of legislation for data protection, according to the United Nations trade agency UNCTAD.
• The EU's General Data Protection Regulation, which came into effect in 2018, is claimed to be the "toughest privacy and security law in the world," and seen as the global benchmark.
• Several nations including China and Vietnam have recently tightened laws governing the transfer of personal data overseas.
• Australia in 2018 passed a bill that gave police access to encrypted data.

Conclusion:

• The Bill provides for a legislative backing to the Supreme Court’s landmark judgement in Justice K. S. Puttaswamy (Retd) Vs Union of India Case (2017).
  • A nine-judge bench of the Supreme Court unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21.
• By addressing above mentioned concerns, the proposed law can extend substantial rights to individuals and provides them with better visibility, awareness, decisional autonomy and control over their data.