Digital Personal Data Protection Bill: Need A Pre-legislative
21, Feb 2023
Prelims level : Governance Mains level : GS-II E-Governance, Governance, Transparency & Accountability, Citizens Charters
Why in News?
- The Ministry of Electronics and Information Technology has drafted a Digital Personal Data Protection (DPDP) Bill. A data protection law must safeguard and balance peoples’ right to privacy and their right to information, which are fundamental rights flowing from the Constitution. Unfortunately, this Bill fails on both counts.
Why do we need data protection?
- Increasing internet use: India currently has over 750 million Internet users, with the number only expected to increase in the future.
- Data breaches: At the same time, India has among the highest data breaches in the world. Without a data protection law in place, the data of millions of Indians continue to be at risk of being exploited, sold, and misused without their consent.
- Individual privacy: Data monetization may happen at cost of individual privacy. The most sought-after datasets are those that contain sensitive personal data of individuals, ex. medical history, and financial data.
- Lack of writ proceedings against corporate action: Unlike state action, corporate action or misconduct is not subject to writ proceedings in India. This is because fundamental rights are, by and large, not enforceable against private non-state entities. This leaves individuals with limited remedies against private.
DPDP Bill, 2022 is based on seven principles
- According to an explanatory note for the bill, it is based on seven principles-
- Lawful use: The first is that “usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.”
- Purposeful dissemination: The second principle states that personal data must only be used for the purposes for which it was collected.
- Data minimisation: Bare minimum and only necessary data should be collected to fulfill a purpose.
- Data accuracy: At the point of collection. There should not be any duplication.
- Duration of storage: The fifth principle talks of how personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration.
- Authorized collection and processing: There should be reasonable safeguards to ensure there is “no unauthorised collection or processing of personal data.”
- Accountability of users: The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
Why the Bill must be put through a process of rigorous pre-legislative consultation?
- Dilutes the provisions of the Right to Information (RTI) Act: The Bill seeks to dilute the provisions of the Right to Information (RTI) Act, which has empowered citizens to access information and hold governments accountable. It is behind the cloak of secrecy that the rights of individuals are most frequently abrogated, and corruption thrives.
- Fails to safeguard right to privacy: Proposed Bill creates wide discretionary powers for the Central government and thus fails to safeguard people’s right to privacy.
- For instance: Under Section 18, it empowers the Central government to exempt any government, or even private sector entities, from the provisions of the Bill by merely issuing a notification.
- The Bill does not ensure autonomy of the Data Protection Board: Given that the government is the biggest data repository, it was imperative that the oversight body set up under the law be adequately independent to act on violations of the law by government entities. The Bill does not ensure autonomy of the Data Protection Board, the institution responsible for enforcement of provisions of the law.
- Government direct control over the Data Protection Board: The Central government is empowered to determine the strength and composition of the Board and the process of selection and removal of its chairperson and other members.
- Serious apprehensions of its misuse by the executive: The Central government is also empowered to assign the Board any functions under the provisions of this Act or under any other law.
- Going digital by design fails to those who do not have meaningful access: The Bill stipulates that the Data Protection Board shall be ‘digital by design’, including receipt and disposal of complaints. As per the latest National Family Health Survey, only 33% of women in India have ever used the Internet. The DPDP Bill, therefore, effectively fails millions of people who do not have meaningful access to the Internet.
- The government has been given the power to exempt not only government agencies but any entity that is collecting user data, from having to comply with the provisions of this bill when it is signed into law.