16 December 2022

Table of Content

New data protection bill: A step closer to protecting privacy rights

GS-2: Indian Constitution—Historical Underpinnings, Evolution, Features, Amendments, Significant Provisions and Basic Structure.

Recently, the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) was made open for public comments. The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes. It outlines the rights and duties of citizens and lays down rules for data collection for companies.

Background

• In 2010, with the constitution of the Justice Sri Krishna Committee, the journey for a comprehensive data privacy law began in India. 

• The committee submitted report in 2017. 

• Meanwhile, the Supreme Court of India has also declared ‘Right to Privacy’ as a fundamental right under Art-21 of the Constitution in K.S. Puttaswamy Case, 2017.
• Consequently, the Government has released a string of data privacy bills in 2018, 2019 and 2021, each of which presented itself as a slightly modified version of its predecessor based on Justice Sri Krishna Committee report.
• On November 18, the fourth iteration of the data privacy legislation was released by Ministry of Electronics and Information Technology (MeitY).

Key features 

• The bill is derived from the best practices of Europe and Australia but tailor-made to Indian requirements.
• It has two major stakeholders — the Data Principal and Data Fiduciary. 

• Data Principal: The individual whose data is being collected.
• Data Fiduciary: The entity (can be an individual, company, firm, state etc), which decides the “purpose and means of the processing of an individual’s personal data.”
• Thus, the bill mandated that the Data Fiduciary is responsible for safeguarding the interests of Data Principals.

• In case of children (all users under the age of 18), their parents will be their Data Principles.
• Data Fiduciaries will have to appoint a ‘Data protection officer’ to represent them and will be the point of contact for grievance redressal.

• They will have to appoint an independent Data auditor who shall evaluate their compliance with the act.

• Regulatory Framework: It has provision to set up a Data Protection Board of India (DPB).

• However, the scope of DPB is limited and the Central government has been provided with rule making power in around 14 clauses out of 22 clauses in the DPDP Bill.
• Concerns:

• Government is the largest data fiduciaries in the country and becoming rule making agency will jeopardize interest of the data principals.
• It is subjected to conflict of interest. 
• Example, the government has the power to specify “fair and reasonable” purposes for which it can process personal data without consent.
• The government can make rules on data protection obligations of data breach, data protection impact assessments, data audits, information that can be requested from a data fiduciary which the government will itself be subject to in its capacity as a data fiduciary. 

• The Central government will have greater control over the DPB such as–

• It will appoint members of the DPB
• Set out the terms and conditions of appointment
• Lay out the functions that the DPB will perform, etc.

• Right of Data Principals:

• Access of basic information: Individuals should be able to access basic information in languages specified in the eighth schedule of the Indian Constitution.
• Consent: Individual needs to give consent before their data is processed and they have the right to withdraw consent from a Data Fiduciary.
• Right to demand the erasure and correction of data collected by the data fiduciary.
• Right to nominate: Individuals have the right to nominate an individual who will exercise these rights in the event of death of the data principal.
• Right to file complaint: Against a ‘Data Fiduciary’ with the Data Protection Board.

• Exemptions granted to Centre: limited and in line with past judicial verdicts and Article 19(2) of the Constitution.

• The Union government has the power to specify “fair and reasonable” purposes for which it can process personal data without consent.
• A complete exemption can be provided for when personal data is being processed in the interests of – 

• Sovereignty and integrity of India
• Security of the State
• Friendly relations with foreign States
• Maintenance of public order 
• Preventing incitement to any cognizable offence

• The Union government can notify exemption to certain data fiduciaries based on just the “volume and nature of personal data” processed, irrespective of the purpose for which it is being processed. 
• Storage limitation does not apply to government agencies and there is no legal requirement to store the data.

• Cross-border data transfer: The bill allows for cross-border storage and transfer of data to certain notified countries.

• However, the bill fails to provide any criteria for the consideration of the Union government while making this notification and left the matter on discretion of the Union government.
• Previous version of the bill mandated Data localization i.e. companies have to store user data only within India.

• Financial penalties: Imposed on a person guilty of non-compliance in matters related to detail focusing the nature and gravity of the violation and does not consider the financial ranking of a company before imposing penalties.

• Cap on Penalties being placed at ₹500 crore.
• The data principals cannot seek compensation from data fiduciaries for harms they have suffered due to unlawful processing. 

• Moreover, it imposes penalties up to ₹10,000 on data principals, if they are non-compliant.

• To not to drive companies into economic loss due to fines, penalties must be in accordance with the total turnover of companies as envisaged under the European Union’s General Data Protection Regulation (GDPR).

Some of the data protection rights that the Bill is missing

• Right of data portability: Empowers data principals to choose between different platforms and enhanced competition between data fiduciaries to increase consumer welfare.

• Example, if the data principal want to shift to another social media platform, he could request existing social media platform for porting of his data to another social media platform and avail of its services without having to provide all their personal data again. 

• Right to be forgotten: Allows the data principal to ask the data fiduciary to stop the continuing disclosure of their personal data.

• The bill subsumes this right under the right to erasure.

Significant shift in the manner of drafting legislation

• This Bill marks a transition from legalese to legal simplification.
• Historically, in India, A law is comprehended in a manner that only legal practitioners, policy professionals and some politicians are able to understand and interpret. 
• This bill ensures that all legislations that have a significant impact on citizens must be made accessible to all individuals irrespective of their professional or educational standing.

[Ref- IE]

What is the law on acid attacks in India?

GS-2: Welfare schemes for vulnerable sections of the population by the Centre and States and the performance of these schemes; mechanisms, laws, institutions and Bodies constituted for the protection and betterment of these vulnerable sections.

Recently, a 17-year-old girl was attacked with an acid-like substance in Delhi, which has once again brought focus on the heinous crime against women and other vulnerable groups of the society. It also led to question on the easy availability of corrosive substances and availability and accessibility of laws and other preventive and curative mechanisms to the acid victims.

Statistics of Acid Attacks

• According to National Crime Records Bureau (NCRB), there were 150 such cases recorded in 2019, 105 in 2020 and 102 in 2021.
• Highest: West Bengal and UP accounts for nearly 50% of all cases in the country year on year.

Laws on acid attacks

• Until 2013, acid attacks were not treated as separate crimes.
• By virtue of Criminal Law (Amendment Act) 2013, Section 326A and 326B were inserted in the Indian Penal Code (IPC) providing punishment for acid attack and attempted acid attack.
• Under section 326A of the IPC, acid attacks were made punishable with a minimum imprisonment of 10 years which is extendable to life along with fine.

• It has also provisions for punishment for denial of treatment to victims (Up to 1 year) or police officers refusing to register an FIR or record any piece of evidence (Up to 2 years).

The law on the regulation of acid sales

• In 2013, the Supreme Court banned over-the-counter acid sales in India and laid down the guidelines making license mandatory for selling acid, after the landmark judgement in Laxmi Agarwal case, 2013. 
• Based on the order, the MHA issued an advisory to all states on how to regulate acid sales and framed the Model Poisons Possession and Sale Rules, 2013 under The Poisons Act, 1919.

• As the matter is under state list, it asked states to frame their own rules based on model rules.
• It requires that shops need to be registered under the Poison Act 1919. 
• Over-the-counter sale of acid was permitted only if the seller maintains a logbook/register recording the sale of acid and specify the reason for procuring acid by the person (only above 18 years of age).
• For violating any rules, they are force to pay penalties up to Rs. 50,000.

• Separate rules were made for educational institutions, research laboratories, hospitals, government departments and the departments of Public Sector Undertakings, which are required to keep and store acid.

• They are also asked to maintain a register of usage of acid and file the same with the concerned Sub-Divisional Magistrate (SDM). 

Victim compensation and care

• Compensation: At least Rs.3 lakhs by the concerned State Government as the aftercare and rehabilitation cost.

• Out of this, Rs.1 lakh is to be paid to the victim within 15 days of the occurrence of such an incident and remaining is to be paid within 2 months thereafter.

• Care: Free of cost treatment by the state governments in any public or private hospital. 

• MHA also suggested the state government to extend social integration programs to the victims for which NGOs could be funded to exclusively look after their rehabilitative requirements.

Challenges in prevention of acid attacks

• The implementation of the regulations is not very strict.
• Acid is still easily available in many places. 
• In majority of the cases, the accused is not aware of the consequences.

 [Ref- IE]

Fact Files