Context: Recently, the Union Government has released a revised personal data protection bill, now called the Digital Personal Data Protection Bill, 2022.
The first draft of the law — the Personal Data Protection Bill, 2018, was proposed by the Justice Srikrishna Committee.
Aim: setting out a data protection law for India.
The government made revisions to this draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019.
The Lok Sabha passed a motion to refer the PDP Bill, 2019 to a joint committee of both the Houses of Parliament.
Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (JPC) submitted its report on the Bill after two years in December 2021.
The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC.
However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
Lawful use: The first principle is that “usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.”
Purposeful dissemination: The second principle states that personal data must only be used for the purposes for which it was collected.
Data minimisation: Bare minimum and only necessary data should be collected to fulfill a purpose.
Data accuracy: Data should be accurate at the point of collection, and there should not be any duplication.
Duration of storage: The fifth principle talks of how personal data that is collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration.
Authorized collection and processing: There should be reasonable safeguards to ensure there is “no unauthorised collection or processing of personal data.”
Accountability of users: The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
It focused on personal data, as compared to an earlier unwieldy draft.
It incorporates hefty penalties for non-compliance, but these are capped without any link to the turnover of the entity in question.
It has relaxed rules on cross-border data flows that could bring relief to the big tech companies, alongside a provision for easier compliance requirements for start-ups.
It covers the processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India.
It provides a lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
It reduces the information that a data fiduciary is required to provide to the data principal.
It seems to suppose that a notice is only to be provided to take consent of the data principal.
A notice is also important for the data principal to exercise data protection rights such as the right to know what personal data is being processed by whom, whether that data needs correction or updation and also to request deletion of data that may not be relevant for the purpose of processing.
It introduces the concept of “deemed consent”.
In effect, it bundles purposes of processing which were either exempt from consent-based processing or were considered “reasonable purposes” for which personal data processing could be undertaken under the ground of “deemed consent”.
It recognises the right to post-mortem privacy which was missing from the PDP Bill, 2019.
It would allow the data principal to nominate another individual in case of death or incapacity.
A near blanket exemption for government agencies from complying with some of the more onerous requirements under the Bill.
A dilution of the remit of the proposed Data Protection Board, which is mandated to oversee the provisions of the proposed legislation.
It leaves the appointment of the chairperson and members of the Data Protection Board entirely to the discretion of the central government.
The new Bill has just 30 clauses compared to the more than 90 in the previous one, mainly because a lot of operational details have been left to subsequent rule-making.
The current legal framework for privacy enshrined in the Information Technology Rules, 2011 (IT Rules, 2011) is wholly inadequate to combat such harms to data principals, especially since the right to informational privacy has been upheld as a fundamental right by the Supreme Court (K.S. Puttaswamy vs Union of India [2017]).
It is inadequate on four levels:
The extant framework is premised on privacy being a statutory right rather than a fundamental right and does not apply to the processing of personal data by the government.
It has a limited understanding of the kinds of data to be protected.
It places scant obligations on the data fiduciaries which, moreover, can be overridden by contract.
There are only minimal consequences for the data fiduciaries for the breach of these obligations.
India like other jurisdictions has struggled to come up with an optimum formulation for several reasons. They are:
Data protection laws need to ensure that the compliances for data fiduciaries are not so onerous as to make even legitimate processing impractical.
The challenge lies in finding an adequate balance between the right to privacy of data principals and reasonable exceptions, especially where government processing of personal data is concerned.
Given the rate at which technology evolves, an optimum data protection law design needs to be future-proof.
It should not be unduly detailed and centred on providing solutions to contemporary concerns while ignoring problems that may emerge going forward.
The law needs to be designed for a framework of rights and remedies that is readily exercisable by data principals given their unequal bargaining power with respect to data fiduciaries.
An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, with Africa and Asia showing 61% (33 countries out of 54) and 57% adoption respectively.
Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.
General Data Protection Regulation (GDPR) focuses on a comprehensive data protection law for the processing of personal data.
It has been criticised for being excessively stringent and imposing many obligations on organisations processing data.
In the EU, the right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her right over the data she generates.
The European Charter of Fundamental Rights recognises the right to privacy as well as the right to protection of personal data and is backed by a comprehensive data protection framework.
There are certain exemptions such as national security, defence, public security, etc., but they are clearly defined and seen as exclusions on the periphery.
Privacy protection is largely defined as “liberty protection” focused on the protection of the individual’s personal space from the government.
It enables the collection of personal information as long as the individual is informed of such collection and use.
There is no comprehensive set of privacy rights or principles in the US that, like the EU’s GDPR, addresses the use, collection, and disclosure of data.
The approach towards data protection is different for the public and private sectors.
The activities and powers of the government vis-a-vis personal information are, however, sufficiently well-defined and addressed by broad legislation such as the Privacy Act, the Electronic Communications Privacy Act, etc.
New Chinese laws on data privacy and security were issued over the last 12 months including the Personal Information Protection Law (PIPL), which came into effect in November 2021.
It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.
It requires business data to be categorized by levels of importance and puts new restrictions on cross-border transfers.
The Union government has recently released the revised draft Bill for consultation, called the Digital Personal Data Protection Bill. However, digital rights activists opine that the bill is significantly simpler but still has a lot of grey areas and requires several modifications before it is practical.
By: Shubham Tiwari