Cross-border data flow will be made easier, penalties for data breaches and non-compliance will be increased, and state agencies will be exempt from the law in the interest of national security, according to the revised draft data protection bill released by the Ministry of Electronics and IT (MeitY). The new draft was released three months after the government withdrew an earlier one that had drawn criticism from Big Tech and some sections of civil society. The updated draft, now known as the Digital Personal Data Protection Bill, 2022, includes clauses on “purpose limitation” for data collection, specific grounds for collecting and processing personal data, fines of between Rs 50 crore and Rs 500 crore, and a Data Protection Board, set up to carry out the Bill’s provisions, serving as the adjudicating body.
The draft is open for public comment until December 17; the final version is expected to be introduced during Parliament’s budget session next year. While the previous Bill had more than 90 provisions, the new Bill has only 30. However, the revised Bill leaves several essential details of its provisions to be filled in by later rules.
In contrast to the contentious requirement in the previous Bill that data be stored locally within India’s borders, the current draft makes major allowances for cross-border data transfers. The Centre will notify the jurisdictions to which Indians’ data may be transferred, according to the revised draft. According to sources, the criteria for choosing such jurisdictions would be based on their data security environment and whether the government could access Indians’ data there. On August 14, it was reported that the new Bill would loosen the restrictions on data localization and permit data flows to trusted jurisdictions.
Under the previous Bill, businesses were required to keep a copy of certain “sensitive personal data” of Indian individuals, such as financial and health information, in India, and exporting vaguely defined “important” personal data was forbidden. It was one of the most significant complaints raised by tech businesses, with companies like Meta stating that it would affect their services in India.
“Based on some predefined assessments, the Bill takes a relatively lax stance on the requirement for data localization and permits data transfer to particular international locations.” Manish Sehgal, a partner at Deloitte India, believes that this will likely encourage international trade agreements and make it simpler for multinational corporations to operate and process data with their current setup rather than having to build out significant infrastructure for the storage and processing of personal data in India.
Additionally, the Bill proposes creating a Data Protection Board to monitor adherence to the legislation. The proposal says that the board would be “digital by design,” but it omits information about its makeup. Users will have the right to correct and erase the personal data that businesses hold about them, and companies will be required to stop retaining user data once it no longer serves the business purpose for which it was collected. According to the draft, organizations classified as “significant”, based on factors like the volume of data they process, should appoint a Data Protection Officer and an independent data auditor to assess compliance with legal requirements. Companies should not process children’s personal information in a way that is “likely to cause harm” to them, and they should not target children with advertisements.
As in the previous 2019 version, national security-related exemptions have been preserved. In the interest of maintaining India’s sovereignty and integrity, the security of the nation, friendly relations with other nations, the maintenance of public order, or preventing incitement to any cognizable offence, the Centre has been given the authority to exempt its agencies from adhering to the Bill’s provisions.
Based on the number of users and the volume of personal data processed by an entity, the government may also exempt certain businesses from adhering to the Bill’s provisions. This takes into consideration the country’s startup ecosystem, which had complained that the previous version of the Bill was too “compliance intensive”.
The draft also provides that corporations that breach users’ privacy rights or fail to alert users when such violations take place should face severe penalties. Organizations that fail to put in place “reasonable security safeguards” to prevent breaches of personal data may be subject to fines of up to Rs 250 crore. A company may be fined up to Rs 200 crore if it fails to notify users and the Data Protection Board of a data breach.
Organizations that fail to protect children’s privacy face similar penalties. A cap of Rs 500 crore has been placed on the maximum penalty that can be imposed on an entity for each violation. Notably, the Bill also imposes penalties on users: a user may be fined up to Rs 10,000 for submitting false documentation when registering for an online service or for filing baseless grievances.
What is India’s digital data privacy legislation, and how does it stack up against other data protection laws?
In contrast to the previous, more cumbersome draft, the new Digital Personal Data Protection Bill, 2022, which was published on Friday (November 18), is more data-centric. The draft has been revised to include stiff penalties for non-compliance; however, these fines are capped and bear no relation to the turnover of the offending business. Along with a provision for simpler compliance requirements for start-ups, it has also loosened regulations on international data flows, which may provide relief for the major tech companies.
A near-universal exemption for government agencies from some of the more onerous requirements under the Bill, and a narrowing of the remit of the proposed Data Protection Board, which is tasked with monitoring the provisions of the proposed legislation, could both be significant red flags. According to representatives of the Ministry of Electronics and IT (MeitY), the new draft strikes a delicate balance, takes into account lessons from other countries’ policies, and adheres to the Supreme Court’s ruling that privacy is a fundamental right subject to reasonable limitations.
Although comparisons to the EU’s General Data Protection Regulation, or GDPR, have been drawn, according to Graham Greenleaf, professor of law and information systems at the University of New South Wales, the Government of India views its version of the Data Protection Bill as only one of the components of its transformative vision for the entire digital economy. This broader policy encompasses the recently unveiled data protection Bill, the new telecom Bill that was recently made public, and a comprehensive Digital India Act that would eventually replace the current IT Act.
The landmark GDPR, which has been in effect since May 2018, is privacy-focused and requires individuals’ express consent before their data may be processed. The Digital Markets Act (DMA) and the Digital Services Act (DSA) branch out from the GDPR’s main emphasis on the individual’s right to her data. While the DMA creates a new category of “dominant gatekeeper” platforms and is focused on anti-competitive practices and the abuse of power by these companies, the DSA focuses on concerns such as regulating hate speech, counterfeit goods, etc.
Data protection legislation in other countries
According to data from UNCTAD, an intergovernmental organisation housed within the United Nations Secretariat, 137 out of 194 countries have passed laws ensuring the protection of data and privacy, with Africa and Asia showing the highest adoption rates at 61% (33 out of 54 countries) and 57%, respectively. Data protection and privacy legislation are only present in 22 of the 46 Least Developed Countries (LDCs), or 48% of LDCs.
The GDPR is focused on creating a comprehensive data protection framework for processing personal data. Although it has received criticism for being unduly rigorous and imposing a number of regulations on businesses that process data, it nevertheless serves as the standard for most international legislation.
The protection of an individual’s self-respect and control over the data they generate is the goal of the right to privacy, which is acknowledged in the EU as a fundamental right.
Both the right to privacy and the right to the protection of personal data are recognized by the European Charter of Fundamental Rights, which is supported by a thorough data protection framework that applies to all forms of processing of personal data carried out by both public and private entities. There are some exceptions, such as those related to national security, the military, public safety, etc., but they are well-defined and sit only at the margins.
Privacy protection in the US is broadly defined as “liberty protection,” which focuses on shielding one’s private life from the state. Because it permits the collection of personal information as long as the subject is aware of such collection and use, it is perceived as having a somewhat narrow focus. The US model has been deemed insufficient in important regulatory areas.
In contrast to the GDPR in the EU, the US does not have a comprehensive set of privacy rights or principles that apply to the use, collection, and disclosure of data. Rather, there is only limited sector-specific regulation. The public and private sectors take different approaches to data protection. Comprehensive laws like the Privacy Act, the Electronic Communications Privacy Act, etc. sufficiently define and address the activities and powers of the government concerning personal information, while for the private sector there are only some sector-specific norms.
One of the latest pieces of data privacy and security legislation to be issued in China during the past 12 months is the Personal Information Protection Law (PIPL), which took effect in November 2021. It extends more authority to Chinese data principals in order to prevent the misuse of personal data. Under the Data Security Law (DSL), which took effect in September 2021 and imposes new restrictions on cross-border transfers, business data must be organised according to importance levels.
These rules will significantly alter how businesses gather, store, use, and transfer data, but they primarily aim to give the government excessive data collection authority and control the activities of private information gathering and processing companies.
The EU’s GDPR and China’s PIPL are considered “similar” in that both give Chinese consumers the right to access, correct, and delete the personal information that businesses have collected about them. However, China’s PIPL also applies to foreign data processors that analyse the behaviour of individuals in China or offer goods and services there.
The law imposes severe penalties, with fines reaching RMB 50 million, or up to 5% of the previous fiscal year’s revenue of a company. Additionally, companies might be forced to stop operating until they “demonstrate compliance”. There are personal repercussions as well; anyone directly in charge of data protection may be subject to fines of up to RMB 1 million.
Before asking the Cyberspace Administration of China (CAC) and other pertinent authorities for a security assessment and approval, businesses looking to transfer “important” data outside of China must conduct an internal security review. The DSL requires that business data be categorised in accordance with its importance to public safety and national security.
Companies that violate the DSL are subject to harsh penalties. Didi, the world’s largest ride-hailing company, was fined $1.2 billion (RMB 8.026 billion) in July for allegedly violating China’s cyber security regulations. Regulatory action has also been taken against other businesses.
Red flags and India’s proposed legislation
The main issues raised by experts include reduced independence of the proposed Data Protection Board and broad exemptions granted to the Centre and its agencies with few to no safeguards. The fact that the new Bill has only 30 clauses as opposed to the more than 90 in the previous one is also noteworthy, primarily because many operational specifics have been delegated to future rule-making.
For reasons of national security, the central government may issue notifications exempting its agencies from the data law’s requirements. The government justified the need for such exemptions by stating in an explanatory note that “national and public interest is at times greater than the interest of an individual.”
Under the draft, the central government is solely responsible for appointing the chairperson and members of the Data Protection Board. The Data Protection Board is now a body constituted by the central government, whereas the earlier Data Protection Authority was intended to be a statutory authority. The government “continues to have a say in the makeup of the board, terms of service, etc.,” says Neha Chaudhari, a partner at Delhi-based Ikigai Law.
The government will move “towards a more data-led governance where we can create analytical models to figure out where the gaps are and then insert them,” according to Rajeev Chandrasekhar, the minister of state for electronics and information technology, who says that the new draft puts India in a position where the whole digital economy can be seen through the prism of “trust and protection.”
“As we stated in the Bill, the Data Protection Board would be extremely autonomous. The board’s decision-making procedure for dealing with data breaches will be completely adjudicatory. It has the same standing as a civil court, and its judgements can be appealed to the High Court.
“This is sufficient to motivate or dissuade the board from operating freely. The government wants the board to make judgments in an equitable and open manner, as doing so might lead to legal challenges. I believe the system’s design is both useful and cost-effective. The board’s credibility will be demonstrated through its performance,” he added, “and anyone who claims it isn’t independent enough is missing the point.”