Authored By – M. Balaji
Overview of Digital Personal Data Protection Bill, 2022
Finally, the time has come for India to have a bill for Data protection and regulation listed for introduction and passing during the upcoming Budget session of the Parliament.
We all hope that at least this bill will try to ensure and effectuate the judgment given in the K.S. Puttaswamy v. Union of India.
What is more interesting is the fact that the law is one of the drafts which had been drafted in plain or, in other words, in simple language.
This happens after several decades in the history of the Indian legislature.
This article will give a brief overview of the latest Digital Data Protection Bill, 2022, which replaces its precursor, PDPB, 2019, that was drafted soon after the landmark K.S. Puttaswamy judgment.
India’s Road towards data protection legislation:
Before looking into the provisions that have been included in the digital personal data protection bill of 2022, it is important to understand in short, the frameworks that have been brought by the Indian legislature before the drafting of the 2022 bill.
To know its importance, Let us go back to 2017 when the central government had constituted a committee under the chairmanship of Justice BN Srikrishna, which submitted its report in the year 2018.
Along with the 2018 Committee report, there was a bill called the Data Protection Bill of 2018, which was also introduced by the Justice Srikrishna Committee. After this, the Indian legislature drafted the well-known 2019 personal data protection bill.
The same was referred to the joint parliamentary committee, which submitted its report containing the data protection bill of 2021.
This 2021 bill, called the data protection bill of 2021, was drafted by the Joint Parliamentary committee for the purpose of regulating government agencies, and the government will be the sole Authority under this bill for the purpose of determining of data protection authority in India.
In August 2022, the 2019 PDP bill was withdrawn by the government, stating that the same would be replaced with a New law with world standards. Consequently, the 2022 bill was drafted, and the Overview of this bill is discussed in the following headings.
The objective behind the 2022 Bill
As per the bill of 2022, there are two main objectives that are behind the enactment of the bill by the Indian legislature.
They are first to provide a legal framework to recognize and protect the rights of individuals and, secondly, to ensure that the processing of personal data is done for lawful purposes only.
There are a few definitions that need to be clarified or we need to understand those terminologies in order to have a complete understanding of the bill.
These terminologies include digital personal data under the difference with the personal data of an individual.
The question of whether lawful purposes have been defined to include certain acts or not should also is taken into consideration.
Overview of the provisions of the bill:
Having seen the objectives of the bill of 2022, let us look into some of the key provisions that have been included as part of the same by the Indian legislature.
The bill contains total of 30 sections, and the first chapter deals with the obligations of the data fiduciary which specifies Certain important aspects, such as notice that needs to be taken by the data fiduciary before the data is collected from the data principal.
Chapter three of the bill of 2022 deals with the rights and duties of the data principle which includes the right to information about personal data and the right to the erasure of personal data.
Certain complaints mechanism has been provided under chapter 5 of the bill, which includes the constitution of the data protection board of India and the functions that need to be taken care of by the data protection board of India.
One of the important provisions under the bill of 2022 is the recognition of alternate dispute resolution mechanism.
Challenges ahead:
Let us look into some of the key challenges in the implementation of the digital personal data protection bill of 2022.
One of the main aspects that have been pointed out by the critics of the bill is the issue of the constitution of the data protection board.
The question that lies before the implementation is whether the data protection board will act as an adjudicatory or as a regulator, such as a body for the implementation of the Competition Act of 2002.
In the case of the Competition Act of 2002, the Supreme Court of India has clarified that the Competition Commission will act as a regulator of the competition regime in India.
In this manner, the union government should also clarify the same with regard to the data protection board.
The second important thing that the bill of 2022 needs to address is the non-personal data of individuals in India, as the bill is more concerned about the personal data of these individuals.
It has been observed by the professor from Delhi University that with the advent of technology and industrialization in a developing country like India,
it is essential to protect the non-personal data of the individuals within a territory.
Such importance to non-personal data is because of the big tech companies which might use this non-personal data, accumulate it and share the same with other countries worldwide.
In this aspect, the bill has to specify the question of the data sovereignty of India.
Thirdly and most importantly, the question of the independence of the data protection board has been questioned in terms of the appointment by the central government.
It is important to note that the earlier law on data protection specified that this board would be a statutory body that shall be constituted as per the law and will oversee data privacy in India.
Still, the 2022 bill has specified that the board shall be constituted by the central government as per its rules and regulations.
There have also been concerns raised in the parliament regarding the exemption given to the applicability of the act to the central agencies such as the enforcement directorate and the Central Bureau of Investigation.
These are some of the challenges that lay ahead of the bill’s implementation, and this needs to be clarified before the data protection law comes into action in India.
The main reason for the same is the right to privacy that has been enshrined under article 21 of the Indian constitution and as per the interpretation of the Supreme Court in the landmark Puttaswamy judgment in 2017.
