Need for a robust Personal Data Protection Bill

Synopsis: Some concerns in the draft Personal Data Protection Bill, 2019 needs to be addressed to make it more effective.

Background
  • After the Pandemic, many people are participating in the digital economy. For example, online purchase of groceries, telemedicine, e-education, etc.,
  • During the same period, the number of personal data breaches from major digital service providers has increased. For example, The recent alleged data breach at MobiKwik (data of 9.9 crore users at risk).
  • Hence, robust data protection regulations are necessary to prevent such events and the existing data protection regulations in India have become inadequate.
  • The K.S. Puttaswamy (Retd) v. Union of India case, established the right to privacy as a fundamental right. Thus, a more robust data protection legislation is desirable.
  • Currently, a revised version of The Personal Data Protection Bill, 2019, is under scrutiny by a Joint Parliamentary Committee. It can provide adequate protection to users and their personal data.
What are the issues in the existing data protection regulations?

In India, at present, data protection is governed by the Information Technology Act, 2000, and various other sectoral regulations. However, they are inadequate because of the following reasons,

  1. First, by obtaining users’ consent to processing personal data, entities are able to override the data protection rules.
    • This is problematic because users might not understand the terms and conditions or the implications of giving consent.
  2. Second, the current framework while emphasizes data security it does not give importance to data privacy. For example, the provision on users’ preferences on how his personal data can be processed is unclear. As a result, entities could use the data for purposes different to those that the user consented to.
  3. Third, the data protection provisions under the IT Act does not apply to government agencies. This limits the efficacy of data protection framework since governments are collecting and processing large amounts of personal data.
  4. Fourth, the current regime has become inadequate in addressing risks emerging from new developments in data processing technology.

How the Personal Data Protection Bill, 2019 can be more effective than the current regulations in place?

  1. First, the Bill seeks to apply the data protection regime to both government and private entities across all sectors.
  2. Second, the Bill emphasizes data security and data privacy equally. For example, to protect personal data the entities will have to maintain security safeguards. Similarly, to protect the data privacy of its users, the entities will have to fulfill a set of data protection obligations and transparency and accountability measures that govern how entities can process personal data.
  3. Third, the Bill gives users a set of rights over their personal data and means to exercise those rights. For instance, a user will be able to obtain information about the different kinds of personal data that an entity has about them and how the entity is processing that data.
  4. Fourth, the Bill seeks to create an independent regulator known as the Data Protection Authority (DPA) to monitor and regulate data processing activities. The DPA will grievance redressal authority when entities do not comply with their obligations under the regime.
Concerns regarding Personal Data Protection Bill, 2019

However, there are few concerns regarding the draft bill that needs to be addressed.

  1. One, it gives wide exemptions to government agencies, and thereby it dilutes user protection safeguards.
    • For example, under clause 35, the Central government can exempt any government agency from complying with the Bill. This allows Government agencies to process personal data without following any safeguard under the Bill. This could create severe privacy risks for users.
  2. Two, enforcement of various user protection safeguards such as rights and remedies could be difficult for users. For instance, the Bill threatens legal consequences for users who withdraw their consent for a data processing activity. In practice, this could discourage users from withdrawing consent for processing activities that they want to opt-out.

The above-mentioned concerns should be addressed to bring a stronger and more effective data protection regime in India.

Source: The Hindu

Print Friendly and PDF