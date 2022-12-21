In November, the Indian Ministry of Electronics and Information Technology (MeitY) released its Digital Personal Data Protection Bill, 2022. The bill had been put up by the country’s Union Minister for Communications, Electronics and Information Technology, Ashwini Vaishnaw, for public consultation till December 17, however, the deadline has recently been extended to January 2, 2023.

The Digital Personal Data Protection Bill, of 2022, is legislation, on one hand, outlines the rights and duties of the citizen and on the other hand, the obligations to use collected data lawfully of the data fiduciary.

What happened to the previous drafts?

This bill was proposed after nearly four to five years of delays and changes and will reportedly be the Indian government’s fourth attempt to present a bill on data protection. In 2017, the country’s Supreme Court declared that privacy was a fundamental right under the Indian constitution, which led to the apex court asking the government to create a set of data protection rules, in line with this decision.

Subsequently, the government set up a committee of experts headed by retired Supreme Court judge, BN Srikrishna. A year later, the committee along with its report submitted a draft of the Data Protection Bill after which the Ministry of Electronics and IT said that they would use the ideas from the Srikrishna committee and create a fresh draft.

In late 2019, a modified version of that Bill, the Personal Data Protection Bill (PDP Bill), 2019 was introduced by the government. This draft was then referred to the Joint Parliamentary Committee (JCP) which was headed by the ruling Bharatiya Janata Party (BJP) minister, Meenakshi Lekhi, at the time.

The JCP after its analysis sought an extension for presenting its report in 2021 which was later granted. Meanwhile, BJP MP, PP Chaudhary had taken over the chairpersonship of the JCP after Lekhi was appointed as the Minister of State for External Affairs and was granted another extension.

However, after the proposed and recommended changes, in August last year, Minister of State for Electronics and IT, Rajeev Chandrasekhar told the parliament, “The government has today withdrawn the Personal Data Protection Bill that was formulated in 2018 and re-written by the JCP in 2021.” He added, that new legislation by the government will be tabled in the parliament “very quickly”.

ALSO READ | New data protection bill calls for consent, privacy, penalties, to bring more accountability in digital economy



Not to mention, the PDP Bill also reportedly faced massive pushback from a range of stakeholders including big tech companies like Facebook and Google for the bill’s provision of data localisation which would prohibit them from exporting undefined personal user data and had to keep a copy of certain sensitive information within the country.

Additionally, the JCP after 78 sittings, over 184 hours, and multiple extensions, the committee proposed 81 amendments (in a 99-section bill) and 12 recommendations. Meanwhile, reports suggest that privacy and civil society activists criticised the delays in the bill since one of the highest consumers and producers of data per capita among the countries across the world did not have a basic framework to protect the privacy of internet users.

They also raised concerns about the provision which allowed the government and its agencies to access data and exempt from most of the provisions of the bill reportedly saying that the measures favoured the government as opposed to safeguarding privacy.

What about the Digital Personal Data Protection Bill, 2022?

Released on November 18, earlier this year, the bill was first proposed in Lok Sabha (lower house) in December 2019. This time around, the proposed legislation has been reduced to only 30 clauses from the over 90 in the previous draft. It is also focused on personal data and also seemingly accounts for the big tech companies’ protests against the previous draft and eased the rules on cross-border data flow.

“The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” said the draft bill’s explanatory note.

The proposed legislation is up for public consultation, where the government has sought comments from a range of stakeholders the deadline was which was recently extended to January 2, 2023. The move was made, “in response to the requests received from several stakeholders”, said the IT ministry in a statement.

ALSO READ | Why TikTok is a threat to national security if left unchecked



In its explanatory note, the bill says that there are 760 million active internet users in India the number for which is expected to be 1.2 billion in upcoming years. “That is why laws and rulemaking for the internet have to be around the basic foundational principles and expectations of our citizens of openness, safety, and trust and accountability,” said the government.

According to the note, the bill has been based on seven principles around the data economy. The first and second principles call for organisations to be more transparent with users’ personal data in a way that is lawful and fair to individuals as well as “purpose limitation” which is using the data for which it is collected.

Furthermore, it also calls for “data minimisation” which is collecting those items of personal data only for what is needed. The fourth principle is about the accuracy of personal data and that a “reasonable effort” is made that the individual’s personal data is “accurate and kept up to date”.

Subsequently, the fifth one calls for a “storage limitation” so that personal data is not being “stored perpetually by default”. It added, “The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.”

The last two principles call for “reasonable safeguards” to prevent data breaches and ensure there is no unauthorised collection or processing of personal data and the person who is in charge of such processing should be held accountable for it.

“These principles have been used as the basis for personal data protection laws in various jurisdictions,” said the explanatory note. It added, “The actual implementation of such laws has allowed the emergence of a more nuanced understanding of personal data protection wherein individual rights, public interest and ease of doing business especially for startups are balanced.”

Furthermore, companies which handle large amounts of data should appoint an independent data auditor to ensure compliance with the provisions, said the Indian government. The proposed bill also says that the government will establish a Data Protection Board which will address user complaints and ensure compliance.

New Delhi will also choose a list of countries to which the companies can transfer personal data and will only allow platforms to send user data to servers in countries on that list. The aforementioned board can also levy fines and penalties in case of failure to adhere to the laws.

Additionally, companies could be fined up to $30.6 million for not ensuring reasonable safeguards to prevent a data breach. Companies would also have to stop retaining data if it no longer serves the purpose for which it was collected.

They will also not be allowed to process personal data which might harm children or use target advertising for children. Additionally, before processing the personal data of any child the platform would have to take parental consent. The users will also have the right to correct or erase their personal data.

Concerns raised

Across the range of reports, one of the key concerns raised by experts is that the Indian government and state agencies have several exemptions from the proposed law in the interest of national security. The decision was justified by saying, “national and public interest is at times greater than the interest of an individual, a clear grounds-based description of exemptions has been incorporated in the Bill,” in the explanatory note.

Referring to Section 18 outlines the exemptions of the draft bill and talks about how the government can process personal data without the users’ consent, “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”, states the Section 18(2)(a).

Meanwhile, government agencies can also under certain circumstances indefinitely store personal data, said reports. Therefore, the Delhi-based, Internet Freedom Foundation said, “If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance.”

(With inputs from agencies)

WATCH WION LIVE HERE