THE DATA PROTECTION LAW IN INDIA HAS TO BE IMPROVED

 

  • The General Data Protection Regulation (GDPR), the most comprehensive data privacy law in the world, was enacted by the European Union (EU) in the middle of 2018 and has since gained widespread support.

 

The Digital Personal Data Protection (DPDP) Bill, 2022 was published in India.

 

GSPREP ON THE ISSUE

The history of data privacy law

  • Got underway in 2010 when the Justice Srikrishna Committee was formed.

The Justice BN Srikrishna Committee’s report on data protection:

  • In July 2017, the union government established the Committee to consider a data protection framework.
  • In its Puttaswamy decision from 2017, the Supreme Court defined privacy to be a fundamental right.
  • Protecting state obligations without sacrificing trade and industry was a key theme of the report. • Protecting citizen interests was also emphasised.
  • A draught Personal Data Protection Bill was suggested.

 

New data protection legislation:

  • The use of the word “digital” in the bill’s title reflects India’s long-standing objective of becoming a society that is technologically advanced.
  • Bill’s two principal stakeholders are:

o Principal Data

o Fiduciary Data.

  • Data Principal: This is the person whose information is being processed.
  • Data Fiduciary: This refers to the organisation handling this data.

It is crucial when a data processor is referred to as “fiduciary.”

  • The following principles govern the two’s relationship:

o good faith, certainty, and trust.

  • Data Fiduciary: This entity is in charge of defending the rights of Data Principals.
  • Bill explains:

Regarding the Data Fiduciaries’ duties to the Data Principals

  • The latter’s obligations and rights.
  • The legal system that will be used to process data.
  • Although the Data Principals’ “duties” are listed in the Bill, they have no influence on whether or not the Bill’s rights will be realised.

 

Important features of the bill:

  • In addition to the general duties to avoid the misuse of individuals’ personal data

o The Bill defines a class of Significant Data Fiduciaries organisations, which must adhere to additional regulations to protect persons’ personal data.

o Only businesses that handle enormous volumes of data or might have an impact on the integrity and sovereignty of the nation are required to follow such strict regulations.

o These actions lower the compliance costs for newly established businesses.

  • Data localization” was left out of earlier draughts of the legislation: The government may inform nations to which data transfers may be allowed under the revised Bill.

 

Problems with data utilisation

  • The draught made available for public feedback is less thorough than earlier iterations.

o The Government might introduce a Bill that is remarkably similar.

o The DPDP Bill still has many shortcomings that could hinder its implementation and overall success.

  • The DPDP Bill only safeguards personally identifiable information, or information that might be used to directly or indirectly identify a specific person.

o In the current data economy, organisations target, profile, predict, and monitor people using a variety of data kinds, including both personal and non-personal data.

Non-personal data is often anonymous information that has no connection to a specific person.

For instance, aggregate data on products that many people on Amazon look at between 9pm and 11pm).

o Non-personal data can become personal data when joined with other datasets to identify specific people, which has an effect on user privacy.

Example: In New Delhi, anonymous datasets about individual Uber journeys can be merged with prayer times to identify community members, which may include their addresses.

o There are serious privacy hazards associated with the process of re-identification of non-personal data.

Previous draughts of India’s proposed data protection Bill took these issues into account.

The DPDP Bill’s scope and effectiveness in giving Indians meaningful privacy are severely constrained since it ignores these risks.

  • The proposed data protection board’s inability to start a case on its own.

The board is the entity tasked with enforcing the legislation in accordance with the Bill.

The board can only begin an adjudication procedure if a party who is impacted complains to it, or if the government or a court orders it to do so.

The only exception to this provision is where the board has the authority to take independent action to enforce particular obligations outlined in the Bill for users.

This is to settle disagreements between the law and users.

For instance, users have a responsibility to not file a baseless or unfounded complaint with the board and to refrain from filing complaints against data-processing firms.

 

Way ahead

  • Adding a punitive provision to the Bill that imposes financial penalties on data-processing businesses for the re-identification of non-personal data into personal data would be a straightforward and efficient approach.
  • Users have little control over and understanding of data exchanges and transfers in the data economy.

Why Users will never be able to keep up with the entities that use their data because of the complicated and constantly changing nature of data processing.

o As an illustration, a meal delivery service may violate the terms of my contract with them by taking all of my data and selling it to data brokers.

  • The Competition Commission of India, which is in charge of upholding India’s antitrust laws, has the authority to launch independent investigations (and frequently does so).

o Including a clause allowing the data protection board to start complaints on its own in the DPDP Bill would be a straightforward method to accomplish this.

  • Although the DPDP Bill has other flaws, filling them in would make it significantly easier to deal with implementation issues and create more legislation that is prepared for the future.
  • Before this Bill is introduced in Parliament, we must change the way we handle data about minors.

These actions are required to prevent the foolishness of treating equals equally and of denying minors access to the Internet.

  • Platforms should be required to do a risk assessment for children in addition to their age-verification-related duties.

 

PRACTISE

The Cyber Dome Project is what? Describe how it can be effective in reducing online crime in India. (UPSC 2019) (10 MARKERS, 200 WORDS)

Consider the reach of fundamental rights in light of the most recent Supreme Court ruling on the right to privacy. (200 WORDS, 10 MARKS) (UPSC 2017)