Data Protection Bill 2022: Significance and Major Principles

The Bill will establish the comprehensive legal framework governing digital personal data protection in India.

The Ministry of Electronics and Information Technology (MEITY) on Friday released the draft data protection bill, titled ‘The Digital Personal Data Protection Bill 2022’, for public feedback.

The Digital Personal Data Protection Bill is legislation that sets out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations of the Data Fiduciary to use collected data lawfully on the other.

Object of Data Protection Framework

The purpose of the draft Bill is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.

The Bill provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.

The Ministry has invited feedback from the public on the draft Bill. The submissions will not be disclosed and will be held in a fiduciary capacity, so that persons submitting feedback can do so freely. No public disclosure of the submissions will be made.

Significance of Data Protection Bill

Digital India has driven the digitization of the Indian economy and transformed the lives of Indian citizens in particular and governance in general.

Presently, there are over 76 crore (760 million) active internet users (Digital Nagriks), and over the coming years this is expected to touch 120 crore (1.2 billion).

India is the largest connected democracy in the world and is among the countries with the highest per-capita consumption and production of data.

It has become clear over the last few years that while the internet and technology are a force for good and connectivity, they are also a place where user harm and misuse can exist if rules and laws are not prescribed.

That is why laws and rulemaking for the internet have to be built around the basic foundational principles and expectations of our citizens: openness, safety and trust, and accountability.

Principles of Data Protection Bill

The bill is based on the following principles around the Data Economy:

Lawful and Fair Usage of Personal Data

The first principle is that usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.

Purposive use of Personal Data

The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected.

Data Minimisation and Specificity of Purpose

The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected.

Accuracy and Revision of Personal Data

The fourth principle of accuracy of personal data is that reasonable effort is made to ensure that the personal data of the individual is accurate and kept up to date.

Limitations on Storage of Personal Data

The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected.

Reasonable Safeguards to Prevent Unauthorised Collection of Data

The sixth principle is that reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent personal data breach.

Accountability of the Processor of Personal Data

The seventh principle is that the person who decides the purpose and means of processing of personal data should be accountable for such processing.

These principles have been used as the basis for personal data protection laws in various jurisdictions.

The actual implementation of such laws has allowed a more nuanced understanding of personal data protection to emerge, in which individual rights, public interest and ease of doing business, especially for startups, are balanced.
