By Arun Kumar Srivastava
The right to privacy is difficult to enforce in times of the internet boom. But governments around the world are working to reverse this and restore control to users. There is a rush between tech companies and governments to take control of the massive amount of data being generated. It is said that data is the new gold, the new oil. It is the basis of a new economy. Thus, the new data protection law being considered by the Indian government is getting a lot of attention from the concerned circles.
The Ministry of Electronics and Information Technology (MEITY) has released a draft of “The Digital Personal Data Protection Bill 2022” and has solicited suggestions and comments from Indian citizens until December 17. “The Digital Personal Data Protection Bill is a legislation that establishes the rights and obligations of the citizen (Digital Nagrik) on the one hand and the duties to lawfully use collected data from the Data Fiduciary on the other,” said MEITY in a statement announcing the bill.
The 2019 Personal Data Protection Act, which the government repealed in early 2022, generated significant interest and conflicting views from industry stakeholders and policy experts. In withdrawing the bill, the government promised a revised and updated bill soon.
Personal data has been a sensitive issue. Large technology companies collect and store huge amounts of personal data and use it for their growth. Data principals (users whose data is used) and governments are not entirely comfortable with this state of affairs. They are particularly angry at the prospect of these companies selling personal data to third parties. In recent Indian elections, it was noticed that some political parties were using big data analytics companies based abroad. They were able to provide analysis based on caste, age, income and gender that could be used by political parties for electoral advantage.
What is concerning in these cases is that the data controllers do not know how their personal information is being traded and used. It is equally shameful for the government that it has no control over how personal data from the country is stored on servers outside India and owned by big tech companies who make billions of dollars trading the data.
To rectify the anomalies, the government introduced legislation on personal data through a bill in 2019, which ended when the government withdrew it early this year. The reason why the government withdrew the bill was the huge number of amendments proposed by the joint parliamentary committee to the original bill. The bill was originally introduced in 2018 and introduced to parliament in 2019. Amid opposition protests, it was sent to a parliamentary joint committee to consider all positions and recommend appropriate changes.
In the previous bill on the protection of personal data, the government had included both online and offline generated data within the scope of the bill. The new bill excludes manual data collection. This means that the 2022 Digital Personal Data Protection Act only concerns digital data. It is now focused on identifying issues related to a person’s digital identity and addressing its security, privacy and control.
In the earlier attempt, the government had proposed a strict mechanism to ensure that personal and sensitive data is stored on the servers in the country. Tech companies had protested this restriction, claiming it was logistically unfeasible. It also sounded unusual for Indian startups dealing with similar data from foreign clients. In the latest bill, the government relaxed this provision, proposing to allow cross-border data flow to “trusted” jurisdictions. Sizeable companies are also required to appoint data protection officers and data auditors to ensure compliance with the law.
Tech companies had virtually no objection to storing within the country sensitive data related to its sovereignty, security and integrity.
Another aspect of the previous bill that caused much resentment, particularly among media people and human rights activists, was the exemptions granted to government agencies. They would have free access to personal data, as a breach of the protection provisions was covered by statutory exemptions in the bill. This provision is largely continued in the new bill, but instead of the all-powerful Dutch Data Protection Authority, the government can set up a Personal Data Protection Board with the new bill. It will also have the power to authorize government agencies to access personal data and grant waivers to them or a company or a friendly nation.
Data controllers who violate the provisions of the Digital Personal Data Protection Act are liable for a graduated penalty ranging from Rs 50 crore to Rs 500 crore. Consumers who make false complaints can be fined up to Rs 10,000. The number of clauses in the current bill has been reduced from 90 to 30, promising a more simplified interpretation and enforcement of data protection law. (IPA service)
The post Public authorities’ right to invade privacy remains in draft data protection law first appeared on IPA Newspack.