The topic of data protection and privacy has sparked widespread discussions, ranging from intellectual debates to casual conversations at tea stalls. Despite growing concerns, the Government of India has been perceived as lagging in implementing robust data protection measures. While the EU’s GDPR and the USA’s ADPPA highlight global efforts, India’s increasing digital footprint underscores the need for comprehensive data protection laws. The Digital Personal Data Protection Bill, 2022, though a welcome move, has its limitations. This article examines these limitations and suggests possible solutions.
The Digital Personal Data Protection Bill, 2022, aims to address the urgent need for data protection in a rapidly digitizing India. With over 700 million internet users, the risk of cybercrimes is escalating, necessitating stringent data protection measures. This article delves into the background, critical aspects, and potential shortcomings of the Bill.
India’s journey towards data protection began with the 2011 IT Act rules, which were deemed insufficient. The landmark Supreme Court judgment in Justice K. S. Puttaswamy v. Union of India recognized privacy as a fundamental right, leading to increased demand for dedicated data protection legislation. This Bill is the fourth attempt, aiming to be more comprehensive.
The Bill focuses on three stakeholders: the data principal, the data fiduciary, and the grievance resolver. It seeks to balance data protection with reasonable access for data fiduciaries. However, several concerns need addressing:
Independence of the Data Protection Board: The Board, tasked with imposing penalties, lacks independence, being under the Centre’s control. This could lead to bias and inefficiency.
Data Localisation: The Bill relaxes previous stringent norms, raising concerns about data security.
Cross-border Data Flow: The Bill allows data transfer to notified countries but lacks provisions for deteriorating relations or data protection standards in these countries.
Non-personal Data: The Bill overlooks non-personal data, risking unregulated exploitation.
Exemptions for the Centre: The Centre’s wide-ranging exemptions from the Bill’s provisions pose risks of misuse and undermine accountability.
Penalties for Violations: The Bill’s focus on the severity of violations rather than the violation itself and the lack of criminal penalties undermine its deterrent effect.
Missing Provisions: The Bill does not specify data retention periods, destruction processes, or separate consent for data sharing.
Children’s Data: Blanket prohibitions on tracking children’s data might deprive them of useful content.
RTI Act Amendment: The Bill seeks to amend Section 8(1)(j) of the RTI Act, weakening transparency and data protection.
Leave a comment