Evolution of Data Protection Bill
- The first draft of the Data Protection Bill was presented by an expert panel headed by Justice B.N. Srikrishna in July 2018.
- It was revised, and a final Bill was tabled in Parliament in December 2019.
- The Bill was referred to a joint parliamentary committee, which submitted its report in December 2021.
- The Ministry of Electronics and IT withdrew the Bill from Parliament in August 2022.
Highlights of Data Protection Bill
- Purpose: To outline the rights and duties of ‘digital nagriks’ or citizens while laying out the process and rules for data collection when it comes to companies.
- Aim: To provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes.
Seven Principles of Data Protection Bill
- Usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.
- Personal data must only be used for the purposes for which it was collected.
- Data Minimization: Only those items of personal data required for attaining a specific purpose must be collected.
- Accuracy of personal data: Reasonable effort is made to ensure that the personal data of the individual is accurate and kept up to date.
- Storage limitation: Personal data is not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.
- Reasonable safeguards are taken to ensure that there is no unauthorized collection or processing of personal data. This is intended to prevent personal data breach.
- Accountability: The person who decides the purpose and means of processing of personal data should be accountable for such processing.
- Data Protection Board of India: It is a new regulatory body to be set up by the government.
- Function: It can impose a penalty of up to Rs 500 crore if non-compliance is found to be significant.
- Penalties: The Bill proposes six types of penalties for non-compliance:
- Up to Rs 250 crore for failure to take reasonable security safeguards.
- Up to Rs 200 crore for failure to notify the Board and affected users in the event of a personal data breach.
- Up to Rs 200 crore for non-fulfilment of additional obligations related to children.
- Penalty of Rs 10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address, or registering a false or frivolous complaint with a Data Fiduciary (who collects and processes the data) or with the Board.
Data Protection Bill Terminology
- Personal data is “any data by which or in relation to which an individual can be identified.”
- Processing means “the entire cycle of operations that can be carried out in respect of personal data.”
- Data Principal: Denotes the individual whose data is being collected.
- In the case of children (defined as all users under the age of 18), their parents or lawful guardians will be considered their ‘Data Principals.’
- Data Fiduciary: Entity (can be an individual, company, firm, state etc), which decides the “purpose and means of the processing of an individual’s personal data.”
- Significant Data Fiduciaries: They deal with a high volume of personal data.
- Central government will define who is designated under this category.
- They will have to appoint a ‘Data protection officer’ who will represent them.
- They will be the point of contact for grievance redressal.
- They will also have to appoint an independent Data auditor who shall evaluate their compliance with the act.
Significance of Data Protection Bill
- It narrows down the scope of the data protection regime to personal data protection, leaving out non-personal data from its ambit.
- It does away with the clause for compensation to affected Data Principals.
- It ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
- Individuals have the right to withdraw consent from a Data Fiduciary.
- Right to erase data, right to nominate: Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
- They have the right to nominate an individual who will exercise these rights in the event of death or incapacity of the data principal.
- It gives consumers the right to file a complaint against a ‘Data Fiduciary’ with the Data Protection Board in case they do not get a satisfactory response from the company.
- Cross-border data transfer: The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories”.
- Incentive to Start-ups: Government could exempt certain businesses from adhering to provisions of the Bill on the basis of the number of users and the volume of personal data processed by the entity.
- This has been done keeping in mind the country's startups, which had complained that the previous version of the Bill was too “compliance intensive”.