Date: 23/11/2022

Relevance: GS-2: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.

Key Phrases: Digital Personal Data Protection Bill, 2022, Data Fiduciary, Data Principal, Data Protection Board, Consent Managers, Easing The Rules On Cross-Border Data Flows

Why in News?

• The Union government has recently released the revised version of the Personal Data Protection Bill for public comments.
• The revised Digital Personal Data Protection Bill, 2022, has been released after an earlier draft version of the Bill was withdrawn following considerable backlash over its onerous provisions.

Key highlights of the revised Bill:

• Setting up of a new Data Protection Board:
  • As per the draft, the Data Protection Board, a new regulatory body is to be set up by the government which can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant.
• Penalties for non-compliance:
  • The Bill proposes six types of penalties for non-compliance, including up to ₹250 crore for failure to take reasonable security safeguards, up to ₹200 crore for failure to notify the Board and affected users in the event of a personal data breach, and up to ₹200 crore for non-fulfilment of additional obligations related to children.
  • The earlier version of the Bill provided for penalties of ₹15 crore, or 4% of the total worldwide turnover of any data collection or processing entity, for violating provisions.
• Removal of compensation clause:
  • The new Bill does away with the clause for compensation to affected Data Principals (that is, those whose personal data it is).
  • Additionally, it proposes to impose a penalty of ₹10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address, or registering a false or frivolous complaint with a Data Fiduciary (who collects and processes the data) or with the Board.
• Introduction of Consent Managers:
  • The government has introduced the concept of ‘Consent Managers’ in the Bill.
  • A consent manager platform will enable an individual to have a comprehensive view of his interactions with Data Fiduciaries and the consent given to them.
• Consent of Data Principal:
  • The Bill requires the consent of the individual to be the basis for processing of their personal data, except in certain circumstances where seeking the consent of the Data Principal is “impracticable or inadvisable due to pressing concerns”.
  • Every request for consent will need to be presented to the Data Principal in a clear and plain language, and an option to access such a request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.
  • The Data Principal shall have the right to withdraw her consent at any time.
• Itemised notice to Data Principal:
  • Data Fiduciaries collecting personal data from individuals will need to provide “itemised notice” in clear and plain language containing a description of personal data sought and the purpose of processing of such personal data.
• Exemptions to government:
  • The Bill also gives the power to the government to offer exemption from its provisions “in the interests of sovereignty and integrity of India” and to maintain public order.

Challenges with the revised Bill:

• Easing the rules on data storage and cross-border data flows:
  • The earlier version of the Bill had imposed stringent conditions on cross-border data flows.
  • Companies were mandated to store a copy of “sensitive” personal data within India, while taking out “critical” personal data from the country was barred.
  • The new draft makes a significant departure from this provision by not imposing any such requirements on firms.
  • Companies do not have to store data exclusively in India, and they can now transfer the data to countries which are listed by the government.
  • However, on what basis the government chooses a particular country is not yet clear.
  • Notwithstanding that, easing the rules on data storage will be welcomed not only by Big Tech, but also by the burgeoning start-up ecosystem in the country.
• Independence and the extent of authority vested in the proposed Data Protection Board:
  • The board’s members and its chairperson will be appointed at the government’s discretion, curtailing the board’s powers to oversee compliance with the Bill and, thus, raising concerns over its independence.
• Expansive exemptions afforded to the government and its agencies with limited safeguards:
  • Exemptions extended to government agencies from adhering to some of the provisions of the Bill.
  • By simple notifications, government agencies can be exempted from the Bill’s provisions on grounds of national security.

Conclusion:

• The new draft Bill narrows down the scope of the data protection regime to personal data protection, leaving out non-personal data from its ambit — a move welcomed by the industry.
• At a time of government overreach, these contentious provisions which will vest greater power with government as opposed to an independent statutory authority need to be reexamined.

Source: Indian Express

Mains Question:

Q. Highlight the key provisions of the revised Digital Personal Data Protection Bill, 2022. Discuss the concerns associated with the Bill. (250 words)