BY ARUN KUMAR SHRIVASTAV
The right to privacy in the time of the internet boom is difficult to enforce. But governments around the world are working to
reverse this and restore control in the hands of users. Between tech companies and governments, there is a rush to take
control of the huge amount of data being generated. It's said that data is the new gold, the new oil. It is the foundation of a
new economy. Given this, the new data protection bill being considered by the Indian government is attracting a great deal
of attention from the relevant circles.
The Ministry of Electronics & Information Technology (MEITY) has released a draft of “The Digital Personal Data
Protection Bill 2022” and has sought suggestions and comments from Indian citizens till December 17. “The Digital Personal
Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the
obligations to use collected data lawfully of the Data Fiduciary on the other hand,” MEITY said in a statement while
introducing the bill.
The personal data protection bill 2019 which the government withdrew in early 2022 generated a lot of interest and
conflicting viewpoints from industry stakeholders and policy experts. While withdrawing the bill, the government promised a
revised and updated bill soon.
Personal data has been a sensitive issue. Big tech companies are collecting and storing huge amounts of personal data
and leveraging it for their growth. Data principals (users whose data is being used) and the governments have not been
quite comfortable with this state of affairs. They are particularly upset with the prospect of these companies selling personal
data to third parties. In recent Indian elections, it came to notice that some political parties used foreign-based big data
analytics companies. They were able to provide caste, age, income, and gender-based analytics to be used by political
parties for electoral advantages.
What is worrisome in these cases is that the data principals do not know how their personal information is being traded
and used. For the government, it's equally embarrassing that it has no control over how personal data from the country is
getting stored in servers outside India and owned by big tech companies who make billions of dollars by trading the data.
To set the anomalies right, the government moved to enact personal data legislation through a bill in 2019 that ended
with the government withdrawing it early this year. The reason why the government withdrew the bill was the enormous
amount of changes suggested to the original bill by the joint parliamentary committee. The bill was originally mooted in 2018
and introduced in parliament in 2019. Amid protests from the opposition, it was sent to a joint parliamentary committee to
consider all the viewpoints and recommend suitable changes.
In the previous personal data protection bill, the government had brought data generated by both online and offline
methods under the ambit of the bill. The new bill excludes manual data collection from its purview. That makes The Digital
Personal Data Protection Bill 2022 deal with only digital data. It's now geared toward identifying issues related to the digital
identity of a person and addressing its safety, privacy, and control.
In the earlier attempt, the government had proposed a strict mechanism to ensure that personal and sensitive data are
stored in the servers within the country. Tech companies had protested this restriction and argued that logistically it was
unfeasible. It also sounded offbeat for Indian startups who were dealing with similar data from overseas clients. In the latest
bill, the government has eased this provision and proposed to allow a cross-border flow of data to “trusted” jurisdictions.
Companies of significant size are also required to appoint data protection officers and data auditors to ensure compliance
with the law.
For the storage of sensitive data that pertained to the country's sovereignty, security, and integrity within the country,
tech companies had practically no objections.
Another aspect of the previous bill that caused a great deal of resentment, particularly among media persons and rights
activists was the exemptions being given to government agencies. They were supposed to have free access to personal
data as a breach of protections provisions were covered by legal exemptions provided in the bill. By and large, this provision
continues in the new bill but instead of the all-powerful Data Protection Authority, the new bill allows the central government
to set up Data Protection Board. It will also have the authority to mandate government agencies to access personal data
and provide exemptions to them or a company or a friendly nation.
Data fiduciaries who breach the provisions under the digital personal data protection bill will be liable for graded punishment
ranging from Rs 50 crore to Rs 500 crore. Consumers who file false complaints can be fined up to Rs 10,000. The number
of clauses in the current bill has been brought down from 90 to 30 which promises a more simplified interpretation and
enforcement of data protection law. (IPA Service)
