What is the Digital Personal Data Protection Bill, 2022? Why is it important to the common man?
The bill, which is currently at the consultation stage after the last version was withdrawn in August, aims to ensure the safety of the data of millions of Indian mobile phone customers. By suggesting a consent-based data collection regime, the government wants India's more than 70 crore smartphone users to have transparency about how their data is being collected and for what purpose it is being processed. The government is also suggesting easier cross-border data transfer, but only to ‘trusted’ locations.
Why has the Data Protection Bill gone through so many iterations?
On August 3 this year, the government sprang a surprise by withdrawing the much-debated Data Protection Bill from Parliament. It then promised to introduce new legislation “very soon, but without any dilution to the broader privacy aspects of the original bill, and without any compromise to the Right to Privacy” as provided by the Supreme Court. The original Bill was the culmination of work that had begun around five years ago, after the formation of the Justice Srikrishna Committee.
The government wanted to come up with a comprehensive legal framework to regulate the online space, including separate legislation on data privacy, the Internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data to boost innovation in the country. It also faced pushback from several stakeholders, including tech companies and privacy activists.
How has the Draft Bill addressed thorny issues? What are the areas in which the draft falls short?
The draft bill aims to provide a consent-based data collection technique, while stipulating penalties of up to Rs 500 crore (which may go up manifold in the future) for data breaches and violations.
Showing leniency on the critical issue of cross-border transfer of data, the draft Bill says the Centre may allow the movement of data to such countries or territories outside India, to which a Data Fiduciary (consumer Internet and social-media companies) may transfer personal data in accordance with such terms and conditions as may be specified.
Another thorny issue is that the Bill proposes to exempt government-notified Data Fiduciaries from sharing details of data processing with the data owners under the “Right to Information about personal data”. It has exempted certain entities notified as Data Fiduciaries by the government from various compliances, including sharing details for the purpose of data collection.
What are the positives in the Draft bill?
It puts power in the hands of ordinary citizens over how and what data is collected, and how it will be processed. The draft Bill requires the setting up of a government-appointed ‘Data Protection Board’ – unlike the Data Protection Authority in the previous bill – to ensure compliance. The board will also hear user complaints.
What next? Will this Draft be passed in its current form or will there be further modifications?
There will be deliberations, and the government wants stakeholders’ views on the subject before it finalises a Bill that will be tabled in Parliament. The government expects to complete the process over the next few months.