Decoding The New PDP Bill

Source: The post is based on an article “Decoding The New PDP Bill” published in The Times of India on 21st November 2022.

Syllabus: GS 2 – Governance

Relevance: provisions of the new draft Digital Personal Data Protection Bill

News: The draft of the Digital Personal Data Protection (PDP) bill has been recently released. This article discusses the provisions of the draft bill.

What are the provisions under the draft bill?

a) It focuses on personal data and excludes non-personal data. b) It eliminates the categorisation of personal data into sensitive and critical. c) It has restricted cross-border data flows, which was not present in the previous data protection bill. d) It provides for setting up a new regulatory board.

What is the new regulatory board?

Data Protection Board: The bill provides for setting up a Data Protection Board with roles limited to enforcement and penalties. The earlier regulator, the Data Protection Authority, had a wider role than the current regulator.

Appointment: The government will appoint members, prescribe terms and conditions of appointment, and decide other functions of the regulator which were earlier done either by a statute or an expert committee.

Although the draft says that the regulator will be independent, the government now has greater control.

The Board can accept a voluntary undertaking from the person facing action. This undertaking can be later modified and no further action can be taken for the contents, depending on the consent between the Board and the person.

What are the details provided for localisation of data and cross border data transfers?

The present draft does not require localisation of data like the previous bill. However, it also does not allow free flows of data across borders. It says –

Businesses can only transfer data to countries that are notified by the Indian government.

It allows the government to discuss digital trade and allow the flow of data only with those countries that are whitelisted by the government. It does not provide for alternate mechanisms like contracts or certifications to transfer data out of the country.

This means that data can only be transferred if the country is notified by the government; otherwise the data will be localized. However, the mechanism of notifying the countries is not mentioned in the draft.

What penalties are proposed by the draft bill and what are the guidelines for individuals?

It imposes penalties of up to Rs 500 crore for violations of the guidelines, but these penalties cannot be claimed by individuals for the harm they suffer.

The bill also lays down duties that individuals have to follow, such as not registering irrelevant complaints and providing authentic information when seeking correction of their data. The bill imposes a fine of up to Rs 10,000 on individuals failing to abide by the duties.

Further, it does not allow individuals to port their data across platforms. They also do not enjoy the same rights and safeguards over their data against the state as they do against private companies.

Who is exempted from the law?

State bodies are exempted from the application of the law in the interests of India’s sovereignty and integrity, security, foreign relations, public order and others. There is also no limit on the time period for which government agencies can keep data.

The previous bill contained a “just, fair, reasonable and proportionate” procedure for the exemption, but this is missing in the current bill. However, states are expected to follow the fundamental right to privacy while dealing with data.
