India’s data protection law needs refinement

Changes can help make the Digital Personal Data Protection Bill, 2022 ‘future-proof’ and ensure a better complaints mechanism.

India is no Europe, and this seems especially true in the face of a task such as drafting and conceptualising a data protection law for over 1.4 billion Indians. The European Union’s (EU) data protection law, i.e., the General Data Protection Regulation (GDPR), came into force in the middle of 2018 and achieved widespread popularity as arguably the most comprehensive data privacy law in the world. However, the GDPR has been saddled with challenges of implementation and risks being relegated to the status of a paper tiger. Although the EU’s challenges may be due to its unique legal structure, India must guard against the risks of enacting a law that is toothless in effect.

Issues around data use

This deliberation becomes increasingly relevant as the Indian government is likely to table India’s fresh data protection law in the ongoing monsoon session of Parliament. Late last year, the government released the Digital Personal Data Protection (DPDP) Bill, 2022 for public consultation. This is its third recent attempt at drafting a data protection law. While the draft released for public comments was not as comprehensive as its previous versions, news reports suggest that the government may present a Bill that is largely similar. Considering this, critical gaps remain in the DPDP Bill that would affect its implementation and overall success.

In its scope and definition, the DPDP Bill only protects personal data, that is, any data that has the potential to directly or indirectly identify an individual. In the modern data economy, entities use various types of data, including both personal and non-personal data, to target, profile, predict, and monitor users. (Non-personal data is typically anonymous data that does not relate to a particular individual: for example, aggregate data on products which numerous users look at between 9 p.m. and 11 p.m. on Amazon.) Often, this non-personal data, when combined with other datasets, can help identify individuals and in this way become personal data, impacting user privacy.

For instance, anonymous datasets about individual Uber rides in New Delhi can be combined with prayer timings to identify members who belong to a certain community, which could include their home addresses.

This process of re-identification of non-personal data poses significant risks to privacy. Such risks were accounted for in previous versions of India’s draft data protection Bill, in 2018 and 2019, but do not find a place in the latest draft. By not recognising these risks, the DPDP Bill is very limited in its scope and effect in providing meaningful privacy to Indians. A simple and effective solution — as in the earlier versions — would be to add a penal provision in the Bill that provides for financial penalties on data-processing entities for the re-identification of non-personal data into personal data.

The General Data Protection Regulation (EU)

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, within the European Union (EU). It was designed to harmonize data protection regulations across EU member states and enhance the protection of personal data for EU citizens.

Key aspects of the GDPR include:

Scope: The regulation applies to all organizations that process personal data of EU residents, regardless of the organization’s location. It covers data controllers (those who determine the purpose and means of data processing) and data processors (entities that process data on behalf of data controllers).

Personal Data: The GDPR defines personal data broadly as any information relating to an identified or identifiable natural person. This includes not only typical identifiers like names and addresses but also IP addresses, biometric data, and online identifiers.

Lawful Basis for Processing: Organizations must have a lawful basis to process personal data, such as the data subject’s consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests of the data controller or a third party.

Consent: If an organization relies on consent as the lawful basis for processing personal data, the consent must be freely given, specific, informed, and unambiguous. Data subjects also have the right to withdraw consent at any time.

Rights of Data Subjects: The GDPR grants various rights to individuals, including the right to access their data, the right to rectification, erasure (right to be forgotten), restriction of processing, data portability, and the right to object to processing.

Data Breach Notification: Organizations must notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.

Data Protection Officer (DPO): Some organizations must appoint a Data Protection Officer, whose role is to ensure compliance with the GDPR and act as a point of contact for data subjects and supervisory authorities.

Cross-Border Data Transfers: Transferring personal data outside the EU is restricted unless the destination country ensures an adequate level of data protection or appropriate safeguards are in place.

Fines and Penalties: Non-compliance with the GDPR can lead to significant fines, depending on the severity of the violation, ranging up to 4% of the company’s global annual turnover or €20 million, whichever is higher.

The GDPR has had a significant impact on how organizations handle personal data, prompting them to implement stronger data protection measures, be more transparent about data processing practices, and provide individuals with more control over their personal information.
