Cabinet gives nod to Data Protection Bill
Context:
Activists have expressed worries about an amendment to the RTI Act, 2005, which would forbid government departments from sharing personal information, and the Digital Personal Data Protection Bill legislation would be submitted in Parliament during the Monsoon Session; it defines standards for the management of personal data of Indian people.
What is Digital Personal Data Protection Bill all about?
- To secure personal data and control how it is processed, the Digital Personal Data Protection Bill, 2022 is a piece of legislation that India is considering.
- The Information Technology Act, of 2000 will eventually be replaced with a comprehensive “Digital India Act,” according to the Indian government, which sees this measure as an essential step towards realising its vision of a Digital India.
What are the principles of the Digital Personal Data Protection Bill?
- Lawful, Fair and Transparent Use:
-
-
- Personal data must be used in a way that is lawful, fair, and transparent to the individuals concerned.
- Organisations are responsible for making sure that how they use data complies with all applicable laws and rules.
-
- Limitation of Use:
-
-
- Personal information should only be used for the purposes for which it was initially gathered.
- Organisations shouldn’t utilise personal data for irrelevant or incompatible purposes without further consent.
-
- Data minimization:
-
-
- The focus is on merely gathering a minimal quantity of personal data.
- Organisations should only gather personal information that is directly related to and required for the stated purpose.
-
- Data Accuracy:
-
-
- It is the responsibility of organisations to make sure that the personal data they gather is accurate.
- Personal data should be accurate, comprehensive, and current by taking reasonable precautions.
-
- Storage Restrictions:
-
- Collected personal information shouldn’t be kept on file indefinitely.
- Organisations should specify a set timeframe for the storage of personal data and make sure that it does not exceed that timeframe.
-
- Security and Accountability:
- Businesses are required to put adequate security measures in place to guard against unauthorised access, disclosure, alteration, or destruction of personal data.
- They are responsible for making sure that the personal data they gather and process is secure.
- Security and Accountability:
- Accountability of Data Fiduciaries:
-
- Whoever chooses the reason for and how personal data is processed should be held responsible for those decisions.
- Data Fiduciaries must abide by data protection laws and make sure that people’s rights are upheld.
What are the key features of the bill?
- Data Principal and Data Fiduciary:
-
-
- The individual whose data is being gathered is referred to as the “Data Principal” in the bill.
- The term “Data Fiduciary” designates the entity (person, business, etc.) that chooses the reason for and methods of processing personal data.
- Significant Data Fiduciary:
- Organisations that handle a lot of personal information are referred to as Significant Data Fiduciaries.
- To ensure adherence to the provisions of the bill, they must select a Data Protection Officer and an impartial Data Auditor.
-
- Individuals’ Rights:
-
-
- Access to Information: According to the Indian Constitution’s eighth schedule, people have the right to basic information about how their data is processed in the languages of their choice.
- Right to Consent: Before their data is handled, individuals must express their consent. They should also be made aware of the reasons behind the collecting and processing of their data.
- Data Principals have the right to ask for the erasure and correction of any of the personal information that Data Fiduciaries have gathered about them.
- Right to Nominate: In the event of their demise or incapacity, Data Principals may designate another person to exercise their data protection rights.
- Data Protection Board:
- The bill suggests creating a Data Protection Board to monitor adherence to the requirements of the bill.
- If a Data Fiduciary responds in an unsatisfactory manner, people may complain to the board.
-
- Transfer of Data Across Borders:
-
- The measure permits the storage and transfer of data across borders to a few designated nations and territories.
- Such transfers are allowed if the countries of destination have an adequate data security environment and if the Indian government has access to the data of Indian citizens stored there.
What was the path towards this bill?
- Recognition of Right to Privacy: In the 2017 case of Justice K. S. Puttaswamy (Retd) v. Union of India, the Supreme Court of India decided that the right to privacy is a basic right protected by Article 21 of the Indian Constitution.
- Report of the B.N. Srikrishna Committee on the Data Protection Bill:
-
-
- A committee led by Justice B.N. Srikrishna was established by the Indian government in August 2017 to look into data privacy problems and make suggestions.
- In July 2018, the committee turned in a report that contained a draught Data Protection Bill.
- The committee’s proposals included measures including limitations on data processing and gathering, the creation of a Data Protection Authority, the right to be forgotten, and data localization requirements to tighten India’s privacy laws.
-
- Digital media ethics code and information technology intermediary guidelines rule 2021:
a.)The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules were introduced by the Indian government in February 2021.
b) OTT platforms, digital news outlets, and social media sites are all subject to the guidelines.
c.)The regulations call for these intermediaries to monitor and remove offensive content from their platforms with greater care.
d.)In addition, the regulations require the designation of grievance officers and adherence to particular requirements for user privacy and data protection.
- Personal Data Protection Bill 2019:
-
- The Personal Data Protection Bill was presented to the Indian Parliament in December 2019.
- The B.N. Srikrishna Committee Report’s recommendations are significantly included in the law.
- The law aspires to give India a thorough legal foundation for the protection of personal data.
- It consists of clauses including those requiring the localisation of data, individual consent for data processing, the creation of a Data Protection Authority, and sanctions for data breaches.
-
What are the bills taken into consideration along with this bill?
The draft Telecommunication Bill, 2022 was also passed by the cabinet for the monsoon session.
What are the features of this bill?
- Updating outdated legislation: Acts like the Indian Telegraph Act (1885), Indian Wireless Telegraphy Act (1933), and Telegraph Wires (Unlawful) Possession Act (1950) are antiquated, and the draught Indian Telecommunication Bill attempts to modernise the present regulatory framework.
- Inclusion of OTT communication services: Over-the-top (OTT) communication services are now included in the definition of “telecommunication services” as a result of the draught Bill. The same licencing requirements would apply to OTT services like WhatsApp, Telegram, Signal, and others as they do to traditional telecom service providers (TSPs).
- Licensing Requirments for OTT services: OTT communication services may be required to get licences akin to those held by TSPs if the drafting Bill is passed into law. This would bind companies to several requirements, including upholding user data (such as “know your customer” details), abiding by encryption laws, and granting the government legal access to their systems and networks.
- Protection of consumers: The proposed Bill has provisions to do just that. It suggests that all users of OTT communication services, including those, who should have access to the identity of the person communicating through telecommunications services. This implies that in addition to the phone number, the name of the communicator would also be displayed.
- Impact on the Telecom Regulatory Authority of India (TRAI): TRAI, which is currently an independent regulator for the telecom sector, has less authority as a result of the draught Bill. Before issuing licences, the government would no longer be compelled to request recommendations from TRAI. Additionally, the government would no longer be able to compel TRAI to obtain the data or documents it needs to make recommendations.
- Provision for shutdown: A special provision allowing the government to command the suspension of internet services is introduced in the draught Bill. However, the absence of safeguards like judicial monitoring for internet shutdowns has drawn criticism from civil society.