What India’s draught digital privacy law says and how it relates to other countries’ data protection laws

What India’s draught digital privacy law says and how it relates to other countries’ data protection laws

The revised data protection Bill, unveiled three months after the government withdrew an earlier draught, eases cross-border data transfers and strengthens penalties for violations. However, it grants the Centre broad authority while imposing little safeguards. In contrast to an earlier convoluted draught, the new Digital Personal Data Protection Bill, 2022, announced on Friday (November 18), focuses on personal data.
The modified version of the legislation has significant fines for noncompliance, but they are capped without regard to the organisation in question’s turnover.

It has also relaxed regulations on cross-border data flows, which may provide relief to large IT firms, as well as a provision for easier compliance requirements for start-ups.

There could be two major warning flags: a near-universal exemption for government agencies from some of the more onerous obligations in the Bill, and a narrowing of the remit of the proposed Data Protection Board, which is tasked with overseeing the terms of the proposed Act.

According to officials at the Ministry of Electronics and IT (MeitY), the new draught strikes a difficult balance and takes into account worldwide approaches, while remaining consistent with the Supreme Court’s verdict on privacy as a basic right, but within reasonable limits.

While comparisons have been made to the EU’s landmark General Data Protection Regulation, or GDPR, which, according to Graham Greenleaf, professor of Law & Information Systems at the University of New South Wales, has significantly influenced legislation in nearly 160 countries, the Government of India sees its version of the Data Protection Bill as only one piece of a larger policy vision for the entire digital economy.

This broader policy comprises a comprehensive digital India Act that will eventually replace the present IT Act, the newly disclosed data protection Bill, and the new telecom Bill, which was made public last month.

In contrast, the historic GDPR, which has been in effect since May 2018, is clearly centred on privacy and requires individuals to provide explicit consent before their data may be handled. The Digital Services Act (DSA) and the Digital Markets Act (DMA) branch out from the GDPR’s overarching focus on the individual’s control over her data.

THE DSA-

The DSA is concerned with concerns such as controlling hate speech and counterfeit goods, but the DMA introduces a new category of “dominant gatekeeper” platforms and is concerned with uncompetitive practises and abuse of dominance by these companies.

Other countries’ data protection legislation

According to data from the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organisation within the United Nations Secretariat, an estimated 137 out of 194 countries have put in place legislation to secure data and privacy protection, with Africa and Asia showing 61% (33 countries out of 54) and 57% adoption, respectively.

Only 48% (22 out of 46) of Least Developed Countries have data protection and privacy laws. EU MODEL: The GDPR focuses on a comprehensive data protection law for personal data processing. It has been criticised for being overly stringent and imposing several requirements on organisations that collect data, but it serves as the model for the majority of legislation written around the world.

Data Protection USA :- USA is very very serious for the safety of its Citizen and their data.

The right to privacy is enshrined as a basic right in the EU, with the goal of protecting an individual’s dignity and control over the data she generates. The European Charter of Fundamental Rights recognises the right to privacy as well as the right to personal data protection, and is supported by a comprehensive data protection framework that applies to personal data processing by any means, as well as processing activities carried out by both government and private entities.
There are some exceptions, such as national security, defence, public security, and so on, but they are clearly specified and viewed as exceptions on the outskirts.

US MODEL:

Privacy protection is broadly characterised as “liberty protection,” with an emphasis on defending an individual’s personal space from the government. It is seen as having a fairly restricted emphasis because it allows for the gathering and use of personal information as long as the individual is notified of such collection and use. The US model has been deemed deficient in key regulatory areas.

In the United States, there is no comprehensive set of privacy rights or principles that, like the EU’s GDPR, cover the use, collection, and disclosure of data. Instead, there is little industry-specific regulation.
The public and commercial sectors take diverse approaches to data protection. However, the government’s activities and powers in relation to personal information are sufficiently well-defined and addressed by wide legislation such as the Privacy Act, the Electronic Communications Privacy Act, and so on. There are several sector-specific norms for the private sector.

CHINA MODEL: Among the new Chinese data privacy and security legislation passed in the last year is the Personal Information Protection Law (PIPL), which goes into effect in November 2021. It grants new rights to Chinese data principals in order to avoid the exploitation of personal data.

The Data Security Law (DSL), which takes effect in September 2021, requires business data to be classified by relevance level and imposes new restrictions on cross-border transfers.

These regulations will have a substantial impact on how firms gather, keep, use, and transmit data, but they are primarily concerned with granting the government broad powers to collect data and control private companies that collect and process information.

According to an EY analysis, China’s PIPL is “similar” to the EU’s GDPR in that it gives Chinese consumers the right to access, correct, and delete personal data collected by businesses, but it has a legitimate impact on offshore data processors that deliver goods and services or analyse individuals in China.

Why was SP leader Azam Khan’s name removed from the voter list?
The law imposes severe penalties, including fines of up to RMB 50 million, or 5% of a company’s preceding fiscal year’s revenue.

Businesses may be forced to halt operations until they “show compliance.” Individuals are also affected, with anyone directly responsible for data protection facing fines of up to RMB 1 million.

The DSL requires that business data be classified based on its importance to national security and the public interest, and companies wishing to transfer “important” data outside of China must first conduct an internal security audit before requesting a security assessment and approval from the Cyberspace Administration of China (CAC) and other relevant authorities.

Companies that mishandle data under the DSL face significant penalties: in July this year, the ride-hailing company Didi was fined $1.2 billion (RMB 8.026 billion) for allegedly violating China’s cyber security regulations. Other businesses have also faced regulatory action.

The red flags and India’s draught Bill

Experts are concerned about broad exemptions for the Centre and its agencies with little to no controls, as well as the planned Data Protection Board’s diminished independence.

It is also worth noting that the new Bill has only 30 provisions compared to the previous one’s more than 90, owing to the fact that many operational aspects have been left to eventual rule-making.

For national security considerations, the central government may issue notifications exempting its agencies from the draught law’s provisions. The administration said in an explanatory note accompanying the proposed legislation that “national and public interest is at times stronger than the interest of an individual,” supporting the need for such exclusions.

The draught law leaves the selection of the Data Protection Board’s head and members solely to the discretion of the federal government. “Whereas the Data Protection Authority was originally intended to be a statutory authority (under the 2019 Bill), the Data Protection Board is now a central government-established board.” “The government still has a say in the board’s membership, terms of service, and so on,” said Nehaa Chaudhari, a partner at Delhi-based Ikigai Law.

According to Rajeev Chandrasekhar, Minister of State for Electronics and IT, the new draught places India in a position where the entire digital economy can be viewed through the lens of “trust and protection,” and will help the government “move towards more data-led governance where we can create analytical models to figure out where the gaps are and then plug them.”

“We have said clearly in the Bill that the Data Protection Board will be extremely autonomous… To resolve the issue of data breaches, the board will use a solely adjudicatory approach. It has the same status as a civil court, and its decisions can be appealed to the Supreme Court.

This is sufficient motivation or disincentive for the board to work transparently. “Just because it is selected by a third party does not ensure adequate performance,” Chandrasekhar told The Indian Express.

“The government’s goal is for the board to rule fairly and transparently because else it can be legally challenged.” The system’s structure, in my opinion, is efficient and cost-effective.

“Anyone who claims that the board is not sufficiently independent misses the fact that the board must build its credibility via its own performance,” he said.