The reworked version of the data protection Bill, released three months after the government withdrew an earlier draft, eases cross-border data flows and increases penalties for breaches. But it gives the Centre wide-ranging powers and prescribes very few safeguards.

The new Digital Personal Data Protection Bill, 2022, released on Friday (November 18), is focused on personal data, unlike the earlier, unwieldy draft. The reworked version of the legislation incorporates hefty penalties for non-compliance, but these are capped at fixed amounts with no link to the turnover of the entity in question. It has also relaxed rules on cross-border data flows, which could bring relief to the big tech companies, alongside a provision for easier compliance requirements for start-ups.

There are two potentially significant red flags: a near-blanket exemption for government agencies from some of the more onerous requirements under the Bill, and a dilution of the remit of the proposed Data Protection Board, the body mandated to oversee the provisions of the proposed legislation.

Officials at the Ministry of Electronics and IT (MeitY) have said the new draft strikes a delicate balance and factors in learnings from global approaches, while staying aligned with the Supreme Court's ruling that privacy is a fundamental right, subject to reasonable restrictions.

Comparisons have been drawn with the EU's landmark General Data Protection Regulation (GDPR), which, according to Graham Greenleaf, professor of Law & Information Systems at the University of New South Wales, has substantially influenced legislation in nearly 160 countries. The Government of India, however, sees its version of the Data Protection Bill as only one of the pieces that make up its larger policy vision for the entire digital economy.

This larger policy includes a comprehensive Digital India Act that would eventually replace the existing IT Act, the new data protection Bill that has just been unveiled, and the new telecom Bill that was put in the public domain last month.

In contrast, the landmark GDPR, in force since May 2018, is clearly focused on privacy and, in most cases, requires individuals to give explicit consent before their data can be processed. A pair of later EU regulations, the Digital Services Act (DSA) and the Digital Markets Act (DMA), build on the GDPR's overarching focus on the individual's rights over her data. The DSA focuses on issues such as regulating hate speech, counterfeit goods, etc., while the DMA defines a new category of "gatekeeper" platforms and is focused on anti-competitive practices and the abuse of dominance by these players.

Data protection laws in other geographies

An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, with Africa and Asia showing 61% (33 countries out of 54) and 57% adoption respectively, according to data from the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat. Only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.

EU MODEL: The GDPR is a comprehensive data protection law governing the processing of personal data. It has been criticised for being excessively stringent and for imposing many obligations on organisations that process data, but it is the template for most of the legislation drafted around the world.

In the EU, the right to privacy is enshrined as a fundamental right that seeks to protect an individual's dignity and her rights over the data she generates. The Charter of Fundamental Rights of the European Union recognises both the right to privacy and the right to protection of personal data, and is backed by a comprehensive data protection framework that applies to the processing of personal data by any means, whether carried out by government or by private entities. There are certain exemptions, such as national security, defence and public security, but they are clearly defined and treated as exclusions at the periphery rather than the rule.

US MODEL: Privacy protection is largely framed as "liberty protection", focused on shielding the individual's personal space from the government. It is viewed as somewhat narrow in focus because it permits the collection of personal information as long as the individual is informed of such collection and use. The US template has been viewed as inadequate in key respects of regulation.

There is no comprehensive set of privacy rights or principles in the US that, like the EU's GDPR, addresses the use, collection and disclosure of data. Instead, there is limited sector-specific regulation, and the approach to data protection differs between the public and private sectors. The activities and powers of the government vis-a-vis personal information are reasonably well defined by broad legislation such as the Privacy Act and the Electronic Communications Privacy Act. For the private sector, there are only sector-specific norms, for instance for health and financial data.

CHINA MODEL: New Chinese laws on data privacy and security issued over the last 12 months include the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives individuals in China new rights over their data and seeks to prevent the misuse of personal information. The Data Security Law (DSL), which came into force in September 2021, requires business data to be categorised by level of importance and puts new restrictions on cross-border transfers.

These regulations will have a significant impact on how companies collect, store, use and transfer data, but they are essentially focused on giving the government wide powers to collect data as well as to regulate the private companies that collect and process it.

According to an EY analysis, China's PIPL is "similar" to the EU's GDPR in that it gives Chinese consumers the right to access, correct and delete personal data gathered by businesses. Like the GDPR, it also reaches offshore data processors that deliver goods and services to, or analyse the behaviour of, individuals in China.

The law includes stringent penalties, with fines as high as RMB 50 million, or up to 5% of a company's turnover in the previous financial year. Businesses may also be required to suspend operations until they "demonstrate compliance". There are also consequences for individuals: anyone directly responsible for data protection personally faces fines of up to RMB 1 million.

The DSL requires that business data be classified according to its relevance to national security and the public interest, and companies looking to transfer "important" data outside China must perform an internal security review before applying for a security assessment and approval from the Cyberspace Administration of China (CAC) and other relevant authorities.

Companies that mishandle data under the DSL face severe penalties: the ride-hailing giant Didi was fined $1.2 billion (RMB 8.026 billion) in July this year for allegedly breaking China's cyber security laws. Other companies have also faced regulatory action.

India’s draft Bill and the red flags

Wide-ranging exemptions for the Centre and its agencies with little to no safeguards, and the reduced independence of the proposed Data Protection Board, are among the key concerns flagged by experts. It is also worth noting that the new Bill has just 30 clauses, compared with more than 90 in the previous one, mainly because much of the operational detail has been left to subsequent rule-making.

The central government can, by notification, exempt its agencies from provisions of the draft law on grounds such as national security. In an explanatory note accompanying the proposed legislation, the government argued that "national and public interest is at times greater than the interest of an individual" to justify the need for such exemptions.

The draft law leaves the appointment of the chairperson and members of the Data Protection Board entirely to the discretion of the central government. "While the Data Protection Authority was earlier envisaged to be a statutory authority (under the 2019 Bill), the Data Protection Board is now a central government set-up board. The government continues to have a say in the composition of the board, terms of service, etc.," said Nehaa Chaudhari, partner at Delhi-based Ikigai Law.

Minister of State for Electronics and IT Rajeev Chandrasekhar has said the new draft puts India in a position where the entire digital economy can be viewed through the prism of "trust and protection", and will help the government "move towards more data-led governance where we can create analytical models to figure out where the gaps are and then plug them". "We have clearly stated in the Bill that the Data Protection Board will be very independent... The board will have a purely adjudicatory mechanism to decide on the issue of data breaches. It carries the same rank as a civil court and its decisions will be appealable to a High Court. This... is enough of an incentive or disincentive for the board to work transparently. Simply saying that it would be appointed by a third party will not guarantee its adequate performance," Chandrasekhar told The Indian Express. "The objective of this government is that the board adjudicates on disputes fairly and transparently because it can otherwise be legally challenged. I believe the system's structure is efficient and cost-effective. Anyone who insists that the board is not independent enough is missing the point that the board will have to establish its credibility through its own performance," he said.

Source: The Indian Express

[Editorial comment: further opinion comparing the US approach with the Indian privacy Bill is available at Mint.]