- India’s digital economy is set to reach $1 trillion by 2026.
INSIGHTS ON THE ISSUE
Justice BN Srikrishna Committee Data Protection Report:
- The Committee was constituted by the union government in July 2017, to deliberate on a data protection framework.
- The Supreme Court in its Puttaswamy judgment, 2017: It declared privacy a fundamental right.
- Interests of citizens: The report has emphasized that interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.
- It proposed a draft Personal Data Protection Bill.
New Data Protection Bill:
- Inclusion of the word “digital” in the Bill’s title speaks to India’s long standing goal of being a digitally forward society.
- Bill has two major stakeholders:
- Data Principal
- Data Fiduciary.
- Data Principal: It refers to the subject whose data is being processed
- Data Fiduciary: It is an entity that processes this data.
- fiduciary” whilst referring to a data processor is significant.
- The relationship between the two is guided by:
- trust, assurance and good faith.
- Data Fiduciary: It is responsible for safeguarding the interests of Data Principals.
- Bill describes:
- the obligations of the Data Fiduciaries towards Data Principals
- the rights and duties of the latter
- regulatory framework through which data will be processed.
- Bill lists the “duties” of the Data Principals: these have no bearing on the realization of the rights provided by the Bill.
Important aspects of bill:
- In addition to the general obligations to prevent the misuse of the personal data of individuals
- The Bill has outlined a category of Significant Data Fiduciaries entities: that are required to comply with additional measures to safeguard the personal data of individuals.
- Only companies that process vast amounts of data or have a potential impact on the country’s sovereignty and integrity need to take such stringent measures.
- Such measures reduce the compliance cost of companies that are at a nascent stage.
- Data localisation” in the previous versions of the Bill, have been omitted: The reworked Bill permits the government to notify countries to which data transfers may be permitted.
Issue with the Digital Personal Data Protection (DPDP) Bill 2022:
- It lacks specificity in certain clauses such as the interaction with sectoral data protection regulations.
How is the bill tackling the issue of conflicting sectoral regulations?
- Section 29: The provisions of the Bill will complement and not create exemptions from existing regulations, but in case of conflict, the Bill will take precedence.
- First part: It allows the Bill to fill in any regulatory gaps
- Second part: It raises concerns about sectoral regulations that may go beyond what the Bill provides.
- Sectoral expertise: offers a deep understanding of a particular sector, including its market dynamics, technologies, risks and business models.
- It enables regulators to engage with stakeholders and industry experts in a well-informed and productive manner.
- The global community has adopted two major approaches to regulate privacy and protect data:
- comprehensive legislation
- sector-specific regulations.
- The European Union’s General Data Protection Regulation (GDPR):
- It embodies the comprehensive approach, offering the strongest and most stringent framework to date.
- Article 9: Specific provisions for certain industries such as health care.
- It permits EU Member States to implement measures which go beyond the provisions given in the GDPR.
- For example, Germany has the Bundesdatenschutzgesetz (BDSG), which has stricter provisions compared to the GDPR.
- The European Data Protection Board (EDPB), made up of representatives from each EU member state’s data protection authority.
- It provides guidance on the implementation and interpretation of the GDPR, including sector-specific issues.
- Sectoral approach in the United States: Seen through laws such as the Health Insurance Portability and Accountability Act (HIPAA) in health care, and the Gramm-Leach-Bliley Act (GLBA) for financial institutions
Flaws in American sectoral approach:
- Inconsistent protection
- Problems in enforcement
- Overlapping and contradictory provisions
- Lack of federal regulation leaving certain sectors unprotected.
- There is no centralized authority to enforce data protection laws, leading to a lack of standardization.
- Sectoral regulations regarding data protection such as the:
- Reserve Bank of India’s directive on storage of payment data
- National Health Authority’s Health Data Management Policy.
- Neglecting these regulations and establishing a new framework would undermine the considerable effort invested in their creation.
- Any deviation from existing regulations will further require the industry to readjust their operations again at considerable cost.
- The GDPR model may not work for India as the Data Protection Board is designed as a grievance agency, and not as a regulator.
- The earlier version of the Bill with a Data Protection Authority of India may have been better suited as an independent regulator such as the EDPB
- The current draft of the Bill: It needs greater clarity and specificity regarding the interaction with sectoral regulations
- There is a need to draw from our experience to find the right balance.
- The DPDP Bill must serve as the minimum layer of protection, with sectoral regulators having the ability to build on these protections.
- This framework will be especially useful in India where not all regulators may have the same capacity.
- Data protection is a complex subject and we must create room for sectoral experts to weigh in to safeguard the interests of citizens more effectively.
- This will ensure a safer, more secure, and dynamic digital landscape in the years to come.
QUESTION FOR PRACTICE
What is the CyberDome Project? Explain how it can be useful in controlling internet crimes in India. (UPSC 2019) (200 WORDS, 10 MARKS)
Prelims: Personal Data Protection Bill, Justice B N Srikrishna, Convention on the Rights of the Child, 1989, Protection of Child Rights Act, 2005 etc
Mains GS Paper II and III: Government policies and interventions for development of various sectors and issues arising out of them etc