
Data Privacy Bill In India

01 Feb

DATA PRIVACY BILL INDIA 2022

 

On 18 November 2022, the Government of India released the long-awaited fourth draft of India’s proposed privacy law, now renamed as the Digital Personal Data Protection Bill (‘Bill’).

In November, the Indian Ministry of Electronics and Information Technology (MeitY) released its Digital Personal Data Protection Bill, 2022. The bill had been put up by the country’s Union Minister for Communications, Electronics and Information Technology, Ashwini Vaishnaw, for public consultation until December 17; however, the deadline has recently been extended to January 2, 2023.

What about the Digital Personal Data Protection Bill, 2022?

The measure, which was published on November 18 of this year, was initially introduced in the Lok Sabha (lower house) in December 2019. The number of clauses in the proposed legislation has been cut from over 90 in the previous draft to just 30 this time. Additionally, it appears to explain why the major tech corporations protested the previous draft’s easing of the laws governing cross-border data flow and its focus on personal data.

“The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” said the draft bill’s explanatory note.

The proposed regulation is up for public consultation, in which the Government has sought comments from a range of stakeholders; the deadline was recently extended to January 2, 2023. The move was made “in light of the solicitations got from several stakeholders”, said the IT ministry in an explanation.

In a first for the Indian government and the legislative history of the country, the pronouns “she” and “her” have been used to refer to individuals irrespective of gender in the Digital Personal Data Protection Bill, 2022.

What happened to the previous drafts?

The PDP Bill also reportedly faced massive pushback from a range of stakeholders, including big tech companies like Facebook and Google, over the bill’s data localization provision, which would prohibit them from exporting undefined personal user data and require them to keep a copy of certain sensitive information within the country.

Moreover, following 78 sittings, over 184 hours, and numerous extensions, the JCP proposed 81 changes (in a 99-section bill) and 12 suggestions. In the meantime, reports suggest that security and civil society activists criticized the delays in the bill, since one of the highest consumers and producers of data per capita among the nations of the world did not have a basic framework to protect internet users.

Seven Principles of the Digital Personal Data Protection Bill, 2022

According to the note, the bill is based on seven principles around the data economy. The first and second principles call for organizations to be more transparent in how they use individuals’ personal data, in a manner that is lawful and fair to individuals, and for “purpose limitation”, which means using the data only for the purpose for which it was collected.

Furthermore, it also calls for “data minimization”, which means collecting only those items of personal data that are needed. The fourth principle is about the accuracy of personal data and requires that a “reasonable effort” is made to ensure that the individual’s personal data is “accurate and kept up to date”.

Subsequently, the fifth one calls for a “storage limitation” so that personal data is not being “stored perpetually by default”. It added, “The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.”

The last two principles call for “reasonable safeguards” to prevent data breaches and ensure there is no unauthorized collection or processing of personal data, and for the person in charge of such processing to be held accountable for it.

“These principles have been used as the basis for personal data protection laws in various jurisdictions,” said the explanatory note. It added, “The actual implementation of such laws has allowed the emergence of a more nuanced understanding of personal data protection wherein individual rights, public interest and ease of doing business especially for startups are balanced.”

Moreover, organizations that handle large volumes of data should appoint an independent data auditor to ensure compliance with the provisions, said the Indian government. The proposed bill also says that the government will set up a Data Protection Board, which will address user complaints and ensure compliance.

Additionally, companies could be fined up to $30.6 million for not ensuring reasonable safeguards to prevent a data breach. Companies would also have to stop retaining data if it no longer serves the purpose for which it was collected.

They will also not be allowed to process personal data in ways that might harm children, or to use targeted advertising aimed at children. Additionally, before processing the personal data of any child, the platform would have to obtain parental consent. Users will also have the right to correct or erase their personal data.

 

 

Blog By: Priyanka Rana