India’s New Data Protection Bill
The Indian Supreme Court declared privacy a fundamental right in the year 2017. In 2018, an expert committee formed by the Ministry of Electronics and Information Technology drafted the Personal Data Protection Bill. This bill was introduced in 2019 as the Personal Data Protection Bill (PDP Bill) and was referred to a Joint Parliamentary Committee.
After dozens of modifications and recommendations, the ministry withdrew the PDP Bill in 2021, affirming the introduction of a more complete and expansive legislative framework.
On 18th November, 2022 the Ministry floated “The Digital Personal Data Protection Bill, 2022” for public consultation. The bill proposes more transparency and responsibility in persuasion of national and international data transactions. It is focussed on personal data and excludes non-personal data, which was a demand by the industry and civil society alike.
The draft Digital Personal Data Protection Bill 2022, issued on Friday, appears to be a simplified version of the PDP Bill 2019, but is significantly diluted in many parts, and gives the government the ultimate power of decision-making.
In the journey from 2017 to 2022, instead of a strong personal data protection law being implemented, we have on the table a weak draft that lacks focus.
India had a minimalist data protection law under Section 43A IT Act, but with some support from a more robust Sensitive Personal Data Rules. All of the data principles built into the rules stand diluted in this draft.
The PDP Bill, 2022, applies to all digitally processed personal data. This would include data collected online and personal data collected offline that’s digitized for processing. The draft of the bill states that consent is required before collecting personal data, and it proposes stiff penalties of as much as 5 billion rupees (US$61.2 million) on persons and companies that fail to prevent data breaches including accidentally disclosing, sharing, altering or destroying personal data.
Companies are allowed to store the collected data for specified periods. The government will “notify such countries or territories outside India to which a data fiduciary may transfer personal data,” according to the draft Digital Personal Data Protection Bill unveiled on Friday for public feedback. In the previous version of the bill, the parliamentary panel recommended changes including treating social media platforms like Meta as publishers and setting up a watchdog to oversee them.
The draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) — is now made open for public comments and the government is expected to introduce the Bill in Parliament in the budget session of 2023. The meandering ways and delays, one has to hope that this would not be a draft that will see its way into Parliament.
The exemptions read with deemed consent provisions in effect take away any protection that Indians have even as on date, and substantially gives the government a free pass.
The Ministry of Electronics and Information Technology (MeitY) has invited feedback from the public on the draft Bill by December 17, 2022. The feedback may be submitted on the MyGov website. We can do our part!
#law #data #digital #privacy #privacylaw #dataprotection #informationtechnology