“Far from its previous version, the bill skips mentioning the basic right to privacy in its preamble and narrows the scope of the law from data protection to digital personal data protection except for non-personal data, which is somewhat desirable. In doing so, the bill removes the classification of Personal data, especially sensitive personal data, thus painting all personal data with the same organizational brush.”
The Preamble to the Personal Data Protection Bill 2018 states that the “right to privacy” is a “fundamental right and imperative to protect personal data as a fundamental aspect of information privacy.”
“The Bill provides wide scope and unfettered powers to the government to impose on crucial issues at a later date. Such powers, if not used carefully and judicially, can do more harm than good,” CUTS International, Secretary General, Pradeep Mehta said. Allowing the transfer of personal data outside India appears to be a step forward, CUTS said, but the bill provides an unreasonably high discretion for the central government to notify trusted countries of such transfer, without the necessary procedural principles or safeguards.
“It also enables the central government to exclude state organs from its provisions without adequate checks and balances, and to disregard the principles of legality, necessity and proportionality, as laid down in the Buttaswamy ruling,” CUTS said.
Discover the stories that matter to you
The government has opposed declaring the “right to privacy” as a fundamental right whereas the judgment in the Puttaswamy case declared that “the right to privacy is a fundamental right” which “protects the domestic sphere of the individual from interference by both state, non-state actors and allows individuals to make independent life choices.” “.
CUTS estimates the evolution of important data custodians from just the number of registered users as in the moderator rules to include factors such as the volume and sensitivity of the personal data processed, the risk of harm to the data principle, and the risks to electoral democracy and public order among others.
The Internet Freedom Foundation said there has been a significant easing of the regulator, and now a proposed Data Protection Board.
It lacks autonomy and independence, and will be established and appointed on such terms, ‘as they may be determined’. Could such a board reasonably enforce compliance from public authorities,’ said the IFF.
Cyril Amarchand Mangaldas, TMT Partner and President, Arun Prabhu said the latest version of the Personal Data Protection Act appeared to be designed to be a shorter and simpler document, which could aid in harmonization and speedy adoption.
“However, while this simplification may have benefits, many of the concepts proposed by the current bill, and some of the open language, may need improvement before the bill can be adopted,” Prabhu said.
He said that the exception for journalistic purposes under the previous draft, which was the 2018 PDP draft, did not find its way into the consent provisions considered.
While the draft DPDP did exempt a government reporting data agency – an entity that collects and processes personal data, from many of the burdens of compliance, but like the 2018 draft PDP, it did not exempt data collection and processing for journalistic purposes with some limitations such as preserving the privacy of the data owner, and prevent misuse and unauthorized access or disclosure of the data owner.
Rupinder Malik, partner J Sagar Associates, said the 2022 DPDP law simplified the proposed data protection regime and eliminated some controversial provisions that had held the industry back in previous versions.
In particular, data mirroring, data localization requirements, and general compliance appear to be limited compared to the previous bill. The legislative intent appears to be business-friendly and IT-focused, focused on facilitating the flow of data across borders. Some aspects that have been mitigated may reduce protection Comprehensive granting of individual privacy rights.