The Ministry of Electronics and Information Technology’s Digital Personal Data Protection Bill 2022 was eagerly awaited. According to MeitY, the purpose of the bill was to provide a framework for the processing of digital data in a manner that recognises both the right of individuals to protect their personal data and the need to process it for lawful purposes, and for matters connected to it.
The new bill is better focused on personal data as compared to the earlier draft. It specifies hefty penalties for non-compliance and relaxes rules on cross-border data flows—this is critical for Big Tech and much needed for India to maintain its leadership in technology. It will impact how giants such as Facebook and Google process and transfer data in India. With the new bill, companies can transfer the personal data of users only to countries specified by the government. So, if the US is one of the ‘whitelisted’ countries, tech companies could transfer user data there and manage their operations better. By removing the requirement for mandatory data localisation, the bill ensures parity between players in the market and significantly reduces compliance costs.
The bill also makes compliance a lot easier for start-ups, which is crucial for ease of business.
Overall, the new Bill strikes the balance between the needs of the time and the Supreme Court’s ruling on privacy as a fundamental right.
India relies heavily on digital technology, from government operations and public goods to the private sector’s functioning and financial service delivery. The Data Bill, therefore, was critical in a market that expects a 45% growth of active internet users over the next 5 years, reaching about 900 million in 2025 from around 622 million in 2020, according to the IAMAI-Kantar ICUBE 2020 Report.
Freedom of speech and the right to privacy are both synonymous with digital rights. Considering the extensive digital framework that exists in India, the protection of such rights is imperative. Unfortunately, it has been a difficult journey for data protection laws. Until now, there was no separate or specific legislation that spoke about digital rights or data privacy. The new bill hopes to change that. The operative word here is ‘hopes.’ Will this bill succeed in making a significant and positive change to the current scenario of digital rights?
The fact that the government is taking the initiative to protect digital rights is a step forward. Moreover, the bill itself is simple and straightforward, with no real complications. The penalties for failing to adhere to the provisions have been significantly increased. According to the Software Freedom Law Center, “The penalty imposed in the failure of adopting reasonable security practices in preventing or mitigating a breach of personal data has been increased fifty-fold from Rs 5 crore (as proposed in the 2019 draft Bill) to Rs 250 crore.” Lastly, the bill has now removed the provision for criminal liability, which is in line with global practices. Thus, we can say that the bill has been drafted with good intentions.
Shortcomings of the Data Bill 2022
The success of the bill will lie in its execution. That’s why perhaps it needed to do better on distinguishing between personal data and ‘sensitive’ personal data. Instead, it simply identifies personal data as ‘any data about an individual who is identifiable by or in relation to such data.’ This is a drawback, considering that some types of data require a stricter and more stringent type of protection.
There are many who would also be concerned about the powers it gives the government when it comes to surveillance, intercepting, monitoring, and decrypting any information. Among the red flags, there is a near-total exemption for government agencies from complying with many of the requirements and a watering down of the mandate of the proposed Data Protection Board, which will oversee the provisions of the new legislation.
There could have been some limits to the level of surveillance before judicial permission needs to kick in. Handing such sweeping powers to the bureaucracy is full of pitfalls.
If these shortcomings are addressed, the bill makes a strong case for itself.
That is why key industry stakeholders, such as NASSCOM, have asserted that the bill will bolster India’s position as a trusted global partner for all those invested in digital transformation. Wisely, this version is devoid of past proposals, which were not related to personal data protection, such as non-personal data, or which could have posed significant concerns to the ease of doing business.
Other key features of the bill are a technology-neutral design, which prevents an unfair advantage to existing technologies and allows organizations to choose the most appropriate technology for their needs. Another feature is the enabling of consent management, which is a system that informs users about how an organization intends to use and govern their data.
Data is central to every country and industry and it is a positive sign that India has recognised that. It paves the way for industry and the government to work together to further strengthen the law from a privacy and innovation perspective.
India was in dire need of a robust framework that supported digital rights in an ethical manner. This bill virtually covers every base.