Following the withdrawal of the draft Personal Data Protection Bill 2019 (“PDPB 2019”) in August 2022, the Ministry of Electronics and Information Technology (“MeitY”) published the draft Digital Personal Data Protection Bill, 2022 (“DPDPB”) on November 18, 2022, for public comment. Although MeitY has made major changes to the DPDPB framework compared to the PDPB 2019, MeitY has also avoided several crucial issues.
The DPDPB’s basic framework for data security and privacy is one of its most troubling shortcomings, leaving it mainly up to the Central Government to evaluate and announce additional safeguards as and when considered appropriate in the future. This not only broadens the scope of state oversight but also hinders the effective defence of fundamental rights to privacy and protection.
Presented below is a chronologically sequenced compilation of pivotal events that delineate the trajectory of Digital Data Protection
In August, 2017 Justice K. S. Puttaswamy (Retd) vs Union of India, the Supreme Court unanimously recognized the constitutionally protected right to
August 2017 — July 2018 In August 2017, the government formed a committee chaired by Justice B.N. Srikrishna, consisting of experts in data protection to address data privacy concerns. Furthermore, the committee submitted its report in July 2018, along with a draft Data Protection Bill, containing various recommendations to enhance privacy laws in India.
Introduction of the Personal Data Protection Bill, 2019 in Lok Sabha in December 2019.
In December 2019, introduction of the Personal Data Protection Bill, 2019 in Lok Sabha in 2019.
In August 2022, withdrawal of the Personal Data Protection Bill, 2019 from Parliament.
In November 2022 ,release of the Draft Digital Personal Data Protection Bill, 2022.
Regulatory authority and delegates’ legislation
The Central Government has the authority to occasionally enact regulations within the confines of the DPDPB. Each regulation should be presented to both houses of the Parliament for ratification for a total of 30 days. Although it isn’t stated explicitly in DPDPB, it appears that a considered ratification would occur after 30 days have passed since any new regulations were introduced in either house of the Parliament.
Although the need that rules created under the DPDPB be ratified by the Parliament is a positive development, the rule-making authority could still be abused. Any rule made under the DPDPB takes effect right away, even if it is later overturned by the Parliament. Nevertheless, all actions taken during the interim period in accordance with such a rule are regarded to be lawful.
Relevantly, DPDPB appears to assign numerous crucial responsibilities. Following are some crucial areas where the central government still has the power to make rules:
Situations that are considered to have consent.
Additional obligations related to handling children’s personal data.
SDF is subject to additional obligations to conduct data protection impact assessments.
Data Principal’s Right to Information from Data Fiduciary Regarding Personal Data.
Data Principal’s right to update and delete personal information.
Personal data transfer outside of India.
Legal disputes based on unduly delegated laws could come from delegation of major DPDPB functions.
The DPDP Bill, 2022 aims to set forth the duties and rights of “digital nagriks,” or citizens, as well as the procedures and guidelines for data collection with regard to entities. It has, in fact, addressed some of the industry’s needs, such as cross-border data transfers, while omitting others, such as the requirement for stakeholder participation for laws developed by the government. While the measure makes some substantial changes, it also has numerous flaws. Of particular concern are the proposed Data Protection Board’s reduced autonomy and the Center’s extensive exemptions from regulations with little to no protections. The Bill was finally made available for public discussion and consultations until December 17, 2022, and it is anticipated that the government will pay attention to the reviews and take the comments and proposals into consideration so that our nation adopts a comprehensive data protection law.