Why in News?

• The Ministry of Electronics and Information Technology has extended the last date for receiving public comments on the Digital Personal Data Protection Bill, 2022, till January 2, 2023.

About the new draft:

• The Bill seeks to establish a comprehensive legal framework governing digital personal data protection in India, recognizing both the –
• Rights of citizens (Digital Nagrik), societal rights to protect their personal data – a strict user-consent regime for data processing.
• Duties/obligations of the Data Fiduciary (consumer internet and social-media companies) to process and use collected data lawfully.

Background:

• The revamped draft was released after the government withdrew an earlier version – the Personal Data Protection Bill, 2019, that sparked outrage from Big Tech and civil society.
• The 2019 Bill was prepared by former Supreme Court judge B N Srikrishna, to guarantee the protection of persons’ personal data and to establish a Data Protection Authority.
• The government has decided to come up with a fresh bill that fits into the comprehensive suggestions made by the Joint Committee of Parliament (JCP) on the 2019 Bill.
• The JPC had submitted many recommendations (such as broad data protection in line with KS Puttaswamy judgement of 2017) to the 2019 Bill in 2021.

Key provisions of the Digital Personal Data Protection Bill, 2022:

• Data Protection Board: It will act as the adjudicating body to enforce the provisions of the Bill.
• Data Protection Officer and independent data auditor: They will be appointed by businesses of “significant” size (based on the volume of data they process), to evaluate compliance with provisions of the law.
• Easing cross-border data flows:

• The new Bill relaxes data localisation rules and permits data to flow to certain global destinations, based on their data security landscape.
• The previous Bill mandated enterprises to keep a copy of sensitive personal data within India and prohibited the transfer of critical personal data from the country, the most important concern expressed by IT firms.

• Right to correction/eraser: Users will have the right to have their personal data in the custody of enterprises corrected and erased.
• Duties of companies:

• Companies will not be obligated to keep user data that no longer serves a business purpose.
• Companies should not process personal data that could harm minors (less than 18 years of age).

• Promoting start-up ecosystem: The government may also exclude certain enterprises from Bill’s restrictions based on the volume of users and personal data handling.
• Exemptions: The Central government has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of –

• Sovereignty and integrity of India,
• Security of the state,
• Friendly relations with foreign states,
• Maintenance of public order or preventing incitement to any cognisable offence.

• Penalties: Focus is more on financial penalties than a criminal conviction.
• For companies: Between Rs 50 – 500 crore for data breaches and noncompliance.
• For users: A consumer who submits false documents for an online service or makes bogus grievance complaints may face a Rs 10,000 fine.

Significance:

• Based on global best practices: The government says that it has reviewed the Personal Data Protection laws of Singapore, Australia, the European Union and the US.
• Economic benefits: The bill draft also considers the country’s 1 trillion-dollar Digital Economy goals and the rapidly growing innovation and startup ecosystem.

Concerns:

• State agencies are granted broad-vague exemptions. This may not meet the ‘necessity’ and ‘proportionality’ tests outlined in the landmark right to privacy judgement (KS Puttaswamy case) of 2017.
• The independence of a proposed regulator – the Data Protection Board, has been reduced. Unlike the Data Protection Authority, which is envisioned as a statutory body under the 2019 Bill, the appointment of the chairperson and members of the Board is entirely up to the discretion of the central government.
• Relaxing data localisation requirements will make it difficult to detect and investigate non-compliance and breaches.