Over the past few years, India has made significant progress in developing its data governance policies to keep up with the rapid growth of digital technologies.
One of the key developments in data governance in India is the proposed Digital Personal Data Protection Bill 2022. This bill seeks to establish a comprehensive framework for the protection of personal data in India, with provisions for the classification of personal data, data localization requirements, and the establishment of a Data Protection Authority to oversee compliance with the law.
This bill was introduced after the Personal Data Protection Bill, 2019 was withdrawn in August 2022. With the introduction of the Digital data protection bill, 2022 along with other comprehensive frameworks such as Data Empowerment and Protection Architecture (DEPA), India is trying to shape its data governance trajectory.
With the G20 presidency, India got a chance to highlight its progress in the digital arena, especially regarding data infrastructure and governance.
The Relevant News:
The editorial in the newspaper expressed the opinion that India has made significant progress in its digital strategies and data governance in recent years, with a particular focus on promoting economic growth and improving the lives of its citizens.
One key area of progress has been in the promotion of digital financial inclusion. The government has made significant efforts to increase access to bank accounts and digital transactions through initiatives such as the Unified Payments Interface (UPI), which has facilitated easy and secure mobile payments. In addition, the government’s Jan Dhan Yojana scheme has aimed to provide universal access to financial services, including bank accounts, to all Indian citizens.
However, India must also ensure that its digital strategies and data governance are inclusive, transparent, secure, and conducive to sustainable development. This means addressing challenges such as data privacy and protection, cybersecurity, and ensuring equitable access to digital technologies across different segments of society. International cooperation and collaboration, as recognized by the G-20, will also be critical in addressing these challenges, opportunities, and risks posed by the rapid growth of data and digital technologies.
It also talked about DEPA, India’s Data Empowerment and Protection Architecture. DEPA is a technology framework that aims to empower individuals with control over their personal data while ensuring its protection. It enables the secure flow of personal data between individuals and businesses in a privacy-preserving manner. DEPA aims to enable citizens to access their data from various sources, such as financial institutions, telecom companies, and government bodies, and share it with third-party applications and service providers of their choice. This is expected to enable the development of new innovative services while ensuring the privacy and security of personal data.
It has the potential to improve data protection and privacy for citizens by giving them greater control over their personal information. However, there are also risks associated with DEPA, particularly regarding security and privacy. The implementation of DEPA may also be inconsistent across different sectors and jurisdictions, undermining its effectiveness and creating confusion among citizens.
To realize the potential benefits of DEPA and minimize the risks, the tool must be implemented in a transparent, consistent, and secure manner. This will require close collaboration between the government, the private sector, civil society, and other stakeholders, and the development of clear and effective regulations and standards.
There are concerns about the use of digital technologies in the health and agriculture sectors, including issues related to security, privacy, infrastructure, connectivity, availability of skilled human resources, the potential misuse of data and information, and ownership and governance of data generated and collected in these sectors.
To address these concerns, robust data protection regulations, ethical and responsible data governance practices, and effective and accountable oversight mechanisms are needed. The state has a key role in addressing and resolving these issues, while also balancing the interests of all stakeholders.
It also mentioned Data sovereignty. It is indeed an important issue in the digital age, and India’s establishment of the India Data Management Office (IDMO) is a step in the right direction toward responsible data governance. However, there is a need to strike a balance between restrictive data sovereignty and limitless data flow and to ensure that sensitive personal and financial information is not shared in a manner that harms individuals and society as a whole.
To achieve this balance, India must develop clear, transparent, and accountable data governance policies and regulations that protect the privacy and balance the interests of all stakeholders. It is also important to invest in the necessary digital infrastructure and skills to ensure that data is collected, stored, and used responsibly, securely, and accountably.
Furthermore, as India implements its data governance regime, it must align with the country’s broader development strategies, so that the data governance supports, rather than undermines, the development of a more secure, egalitarian, and trustworthy digital future for all.
If India is successful in developing and implementing a responsible and effective data governance regime, it could become a model for other countries to follow.
Indian Laws on Data Governance:
- Over the years, India has framed various policies on the same and it was given further direction by Judicial interpretation as well.
- Indian government attempted to bring new legislation on the same, The personal data protection bill, 2019, but it was withdrawn later on.
- Niti aayog has framed DEPA to govern the data regime in India.
- The digital personal data protection bill, 2022 is new proposed legislation in India, for data governance.
How the present-day law has evolved:
Data governance in India has seen years of developmental stages, and with the introduction of The Digital Personal Data Protection Bill, 2022, Data Governance is taking a new shape:
- 2000: The Information Technology (IT) Act, 2000 is passed by the Indian Parliament to provide a legal framework for electronic governance and to facilitate e-commerce transactions.
- 2008: The IT Act, 2000 is amended to include provisions for data protection and privacy, and provision for compensation to be paid in case of negligence in implementing and maintaining reasonable security practices and procedures concerning sensitive personal data.
- 2011: The National Identification Authority of India (UIDAI) is established to implement the Aadhaar scheme, which provides a 12-digit unique identification number to all Indian residents based on their biometric and demographic information.
- 2017: In August, the Supreme Court in the landmark case of Justice K. S. Puttaswamy (Retd) vs Union of India unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21.
- 2017: The Government of India appointed a committee of experts for Data Protection under the chairmanship of Justice B N Srikrishna in August 2017, which submitted its report in July 2018 along with a draft Data Protection Bill.
- 2019: The Personal Data Protection Bill, 2019 was introduced in Parliament.
- 2020: Niti aayog drafted the DEPA framework.
- 2021: The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were introduced by the Indian government in February 2021. These rules require social media intermediaries to exercise greater diligence concerning the content on their platforms and take steps to ensure that illegal and objectionable content is removed promptly.
- 2022: Introduction of Digital personal data protection law, 2022.
Present-day relevance of the Digital Personal Data Protection bill, 2022:
The Indian government has introduced a new bill for personal data protection, called the Digital Personal Data Protection Bill, 2022, after withdrawing the previous Personal Data Protection Bill, 2019. The new bill has seven principles that govern the use of personal data by organizations, including lawful and fair usage, limited storage duration, and reasonable safeguards to prevent unauthorized collection or processing.
The Seven Principles of the Digital Personal Data Protection Bill, 2022:
- Lawful, fair, and transparent processing of personal data by organizations.
- Personal data must be used only for the purpose for which it was collected.
- Data minimization, which means only collecting and processing the necessary amount of personal data.
- Ensuring data accuracy during collection.
- Personal data cannot be stored perpetually by default, and storage should be limited to a fixed duration.
- Reasonable safeguards to prevent unauthorized collection and processing of personal data.
- The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
The bill also introduces the concepts of Data Principal, Data Fiduciary, and Significant Data Fiduciary, and guarantees certain rights to individuals, such as access to information, the right to consent, the right to erase, and the right to nominate.
Data Principal and Data Fiduciary, the former refers to the individual whose data is being collected, and the latter is the entity that decides the purpose and means of the processing of an individual’s data. Personal data is defined as any data by which an individual can be identified, and processing refers to the entire cycle of operations that can be carried out in respect of personal data.
The bill proposes the establishment of a Data Protection Board to ensure compliance and imposes financial penalties on businesses that fail to comply with the provisions of the bill.
Significance of the Bill:
The revised Bill shows a change in approach regarding cross-border data transfers compared to the previous version, which had controversial provisions requiring data to be stored locally within India’s borders. The new Bill allows for more flexibility in data localization requirements and allows for certain countries to be designated as acceptable destinations for data transfer, which could potentially facilitate international trade agreements.
Additionally, the Bill now includes the provision for a data principal’s right to post-mortem privacy, which was not present in the earlier Personal Data Protection Bill, 2019 but was recommended by the Joint Parliamentary Committee (JPC).
Other country laws on Data Governance:
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that was introduced by the European Union in May 2018. The GDPR aims to protect the privacy and personal data of individuals within the EU and regulates the processing of such data by organizations both within and outside the EU. The GDPR enshrines the right to privacy as a fundamental right for individuals and seeks to protect their dignity and control their personal data. It provides individuals with various rights, such as the right to access their personal data, the right to have their data deleted, and the right to object to the processing of their data. The GDPR also imposes strict obligations on organizations that process personal data, including requirements for obtaining valid consent, implementing appropriate technical and organizational measures, and reporting data breaches.
GDPR has a stronger emphasis on data security, requiring organizations to implement appropriate technical and organizational measures to protect personal data, while Indian laws do not specify security measures in detail.
In the United States, there is no comprehensive federal data protection law that applies to all sectors and industries. Instead, data protection is governed by federal and state laws that address specific areas such as financial data, health data, children’s data, and data breaches.
Some of them include:
- The Children’s Online Privacy Protection Act (COPPA): This law imposes requirements on operators of websites or online services that collect personal information from children under 13 years of age.
- The California Consumer Privacy Act (CCPA): This state law, which came into effect in 2020, gives California residents the right to know what personal information businesses collect about them, the right to request deletion of that information, and the right to opt-out of the sale of their information.
In addition to these laws, other federal laws protect personal information in specific contexts, such as the Electronic Communications Privacy Act (ECPA).
Data governance is a critical issue in today’s digital age. While many countries have enacted data protection laws and regulations, there is still a lot of variation in the approaches taken and the level of protection provided to individuals.
In India, the Digital personal data protection bill, 2022, seeks to create a comprehensive legal framework for the protection of personal data, but it is still in the process of being enacted.
In contrast, the EU’s General Data Protection Regulation (GDPR) provides a comprehensive set of privacy rights and principles for processing personal data. The GDPR is considered a global standard for data protection, and many countries are adopting similar laws to align with its principles.
India needs to establish policies and regulations that govern the collection, storage, and use of data in a transparent, accountable, and enforceable manner. Additionally, India needs to balance the interests of governments, businesses, and citizens to ensure sustainable development and benefit all stakeholders. Open-source solutions can be promoted to ensure digital technologies are accessible and affordable to all. India should also ensure its data governance regime aligns with its broader development strategies and values, creating a secure, egalitarian, and trustworthy digital future for all.
Overall, data governance is a complex and evolving issue, and governments need to strike a balance between protecting individuals’ privacy and enabling the responsible use of data for societal and economic benefits.