
DATA PROTECTION BILL 2022

Center's Ministry of Electronics and Information Technology (MeitY) recently tabled another version of the data protection bill called the Digital Data Protection Bill, 2022. This is the fourth time the Center has presented a bill on data protection. This bill provides a framework of rights, duties, and recourses for data principals so that the disproportionate power of data fiduciaries vis-à-vis data principals is adequately addressed.
security
BugBase
December 17th 2022.

The Ministry of Electronics and Information Technology has been discussing different elements of digital personal data and its protection and has drafted 'The Digital Personal Data Protection Bill, 2022'. The draft Bill's goal is to allow for the processing of digital personal data in a way that acknowledges both the right of persons to protect their personal data and the necessity to process personal data for authorised purposes, as well as matters related to or incidental to those purposes.

A BRIEF HISTORY OF DATA PROTECTION BILL

In India, this is the fourth edition. The Justice Srikrishna Committee, established by the Ministry of Electronics and Information Technology with the goal of developing a data protection law for India, proposed the first draft of the Bill, the Personal Data Protection Bill, 2018. The government revised this draft and tabled it in the Lok Sabha in 2019 as the Personal Data Protection Bill 2019. The Lok Sabha also passed a motion on the same day to send the PDP Bill 2019 to a joint committee of both Houses of Parliament. Due to the pandemic's delays, the Joint Committee on the PDP Bill 2019 presented its report in December 2021. The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021, that incorporated the recommendations of the JPC. However, in August 2022, citing the report of the JPC and the "extensive changes" that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.

What is the scope of the present formulation of the Bill?

The DPDP Bill 2022 applies to any digitally-enabled personal data processing. This would encompass both personal data collected online and offline personal data that has been digitised for processing. In essence, by being totally inapplicable to data processed manually, it provides a slightly lower level of protection than previous versions, which merely excluded data handled manually by "small companies" and not in general. Furthermore, in terms of geographical applicability, the Bill includes the processing of personal data gathered by data fiduciaries inside the territory of India and processed to supply products and services within India. Perhaps inadvertently, the current wording appears to exclude data processing by Indian data fiduciaries who collect and handle personal data outside India on behalf of data principals who are not situated in India. This would have an impact on the legislative safeguards given to clients of Indian start-ups operating abroad, reducing their competitiveness. This view appears to be reinforced by the DPDP Bill, 2022, which exempts most of its safeguards from applicability to personal data processing of non-residents of India by data fiduciaries in India.

How well does the DPDP Bill 2022 protect data principals?

The foundation of most data protection laws is giving the data subject complete control over their personal data. This happens by requiring a thorough notice to the data principal on the various elements of data processing, on the basis of which the data principal can give explicit permission for such processing. While there are several exceptions for the non-consent-based processing of personal data, the data principal still has the right to access, modify, delete, and so on. Concurrently, the data fiduciary has the task of data minimisation, which is to collect only the personal data necessary to fulfil the aim of processing (collection restriction), to process it only for the purposes stated and no more (purpose limitation), and to retain it on its servers only for as long as is required to fulfil the stated purpose (storage limitation).

The current draft makes no specific mention of some data protection principles, such as collection limits. This would empower a data fiduciary to acquire any personal data approved by the data principal. Making collection purely reliant on consent ignores the reality that data principals frequently lack the necessary knowledge of what type of personal data is appropriate for a certain purpose. A picture filter app, for example, may handle data about your location or contact information even if it does not need such information to perform its primary function of applying the filter. The idea of "sensitive personal data" is likewise eliminated.

Because of the increased potential for harm that can result from the unlawful processing of certain categories of personal data, most data protection legislation classifies these categories as "sensitive personal data". Illustratively, this includes biometric data, health data, genetic data, etc. This personal data is afforded a higher degree of protection in terms of requiring explicit consent before processing and mandatory data protection impact assessments. By doing away with this distinction, the DPDP Bill, 2022 does away with these additional protections.

Furthermore, the Bill limits the amount of information that a data fiduciary is required to send to the data principal. While previous iterations required considerable information to be provided to the data principal in terms of the data principal's rights, grievance redressal mechanism, the retention period of information, source of information collected, and so on, the current draft limits the scope of this information to the personal data sought to be collected and the purpose of processing the data. While this may have been done in an attempt to simplify the notice and avoid information overload, data protection authorities propose various methods such as infographics, just-in-time notices, and so on to provide a complete yet understandable notice.

The DPDP Bill 2022 also adds the idea of "deemed consent". In effect, it bundles purposes of processing which were either excluded from consent-based processing or were considered "reasonable reasons" for which personal data processing may be performed on the basis of "deemed consent". However, there are significant worries about this because of the poorly phrased reasons for the processing, such as "public interest," and the elimination of further safeguards for the rights of data principals.

A significant addition to the right of data principals is that it respects the right to post-mortem privacy which was lacking from the PDP Bill, 2019 but had been recommended by the JPC.
