The new Digital Personal Data Protection Bill, 2022, which was unveiled on 18 November, puts more focus on personal data than previous cumbersome drafts. The revised version of the law provides for high penalties for violations, but these penalties are limited regardless of the turnover of the companies involved. It also eased rules on cross-border data traffic, giving big tech companies peace of mind and easing compliance requirements for start-ups.

There are two potentially serious red flags: the almost complete exemption of government agencies from some of the bill’s more stringent requirements, and the dilution of the powers of the proposed Privacy Commission, which would be responsible for overseeing the provisions of the proposed law.

Ministry of Electronics and Information Technology (MeitY) officials said the new draft remains in line with the Supreme Court’s decision on data protection as a fundamental right, within reasonable limits, while also striking a delicate balance and factoring in learnings from global approaches.

Comparisons have been made with the landmark General Data Protection Regulation (GDPR) in the EU, which, according to Graham Greenleaf, professor of law and information systems at the University of New South Wales, has had a great impact on the laws of about 160 countries. The view of the Government of India, however, is that its version of the data protection law is just one part of its broader policy vision for the digital economy as a whole.

This broader directive includes a comprehensive Digital India Act which will eventually replace the existing IT Act, the new Data Protection Act just presented, and a new Telecommunications Act published last month.

By contrast, the landmark GDPR, which has been in force since May 2018, is clearly privacy-focused and requires that individuals give explicit consent before their data is processed. Its two sub-laws, the Digital Services Act (DSA) and the Digital Markets Act (DMA), derive from the GDPR’s overarching focus on the rights of individuals to their data. The DSA focuses on issues such as regulation of hate speech and counterfeit goods. Meanwhile, the DMA has defined a new category of “dominant gatekeeper” platforms, focusing on anti-competitive practices and abuse of dominance by these actors.

Data protection laws in other geographies

Data from the United Nations Conference on Trade and Development (UNCTAD), an intergovernmental organization within the United Nations Secretariat, shows that 137 out of 194 countries have legislation on data protection and privacy, with adoption in Africa and Asia at 61% (33 out of 54) and 57% respectively. Only 48% of the least developed countries (22 out of 46) have privacy and data protection laws.

EU model: The GDPR focuses on a comprehensive data protection law for the processing of personal data. It has been criticized for being overly strict and imposing a number of obligations on organizations that process data, but it has become the template for most legislation around the world. The right to privacy is upheld as a fundamental right aimed at protecting the rights of individuals to the data they generate. The European Charter of Fundamental Rights recognizes the right to privacy and the right to the protection of personal data, and is underpinned by a comprehensive data protection framework that applies to the processing of personal data by any means and to processing activities by both governmental and private institutions. There are specific exceptions such as national security, defense and public safety, but they are well defined and considered peripheral exceptions.

US Model: Privacy is broadly defined as a “protection of liberty” that focuses on protecting an individual’s personal space from the government. It is considered somewhat narrow in scope as it permits the collection of personal information so long as the individual is informed of such collection and use. The US bill was deemed inadequate in key regulatory aspects.

The United States does not have comprehensive data protection laws or principles governing data use, collection and disclosure like the GDPR. Instead, there is limited sector-specific regulation. The public and private sectors approach data protection differently. The government’s activities and powers with respect to personal data are well defined and governed by comprehensive laws such as the Data Protection Act and the Electronic Communications Privacy Act. For the private sector, there are some region-specific standards.

China model: Among the new privacy and data security laws in China enacted in the last 12 months is the Personal Data Protection Law (PIPL), which came into effect in November 2021. Data controllers in China will be given new rights to prevent misuse of personal data. The Data Protection Law (DSL), which came into force in September 2021, will mandate the classification of business data according to its importance and introduce new restrictions on cross-border transmissions.

While these regulations have a significant impact on how businesses collect, store, use and transmit data, they essentially give the government broad powers to collect data and to control how information is collected and processed, with a focus on regulating private companies.

According to an EY analysis, China’s PIPL is believed to be “similar” to the EU’s GDPR in that it gives Chinese consumers the right to access, rectify and delete personal data collected by businesses. Analyze service or Chinese people.

The law provides for severe penalties, with fines of up to RMB 50 million or up to 5% of the company’s earnings in the previous financial year. Companies may also be asked to suspend operations until they “demonstrate compliance.” Individuals are also affected, with anyone directly and personally responsible for data protection facing fines of up to RMB 1 million.

The DSL requires business data to be classified according to its relevance to national security and public interest, and companies wishing to transfer “sensitive” data outside of China must undergo a security assessment and approval. An internal security review must be completed before a company can apply to the China Cyberspace Administration (CAC) and other relevant authorities.

Companies that mishandle data under the DSL face stiff penalties. Didi, a ride-hailing giant, was fined US$1.2 billion (RMB 8.026 billion) in July this year after it was accused of violating China’s cybersecurity laws. Other companies are also facing regulatory action.

India’s draft Bill and the red flags

Among the main concerns raised by experts are that the proposed Data Protection Commission has little or no assurance of independence, and the sweeping exemption for the Center and its institutions. It is also worth noting that the new bill contains only 30 articles, compared to over 90 articles in the previous bill, largely because many operational details were left to later rulemaking.

The central government may issue an order exempting government agencies from complying with the provisions of the bill on grounds of national security. In a memo accompanying the proposed legislation, the government justified the need for such exceptions, while arguing that “state and public interests may override individual interests.”