Today's Headlines - 08 August 2023
Personal Data Protection Bill, 2023 cleared
GS Paper - 2 (Polity)
The Lok Sabha on 7 August 2023 passed the Digital Personal Data Protection Bill, 2023, a first-ever legislation dedicated for digital privacy amid concerns of MPs regarding the removal of the data localisation mandate and increased government control.
More about the Bill
The Bill was passed with an amendment to a minor drafting error. Once the Bill comes into effect, all digital platforms will be required to obtain unconditional, free, specific, and informed consent from users for processing their data.
They will also need to issue a notice explaining the purpose of data processing and the rights of the users.
The government will appoint a data protection board, an independent body that will examine personal data breaches and impose penalties.
The latest version of the Bill does not mandate local storage of personal data, providing a major relief to big tech firms like Google, Meta, and Amazon.
The government may, however, notify a list of countries in future, where data cannot be transferred.
The Bill prescribes penalties of up to Rs 250 crore for each instance of a data breach arising from a lack of reasonable safeguards on platforms.
The government may block the operations of entities not complying with the law even after two instances of penalties. The draft Bill of the final version was released for public consultation in November 2022.
Models for data protection laws
The EU model:
The GDPR focuses on a comprehensive data protection law for the processing of personal data.
It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data, but is the template for most of the legislation drafted around the world.
In the EU, the right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her right over the data that she generates.
The US model:
Privacy protection is largely defined as a “liberty protection” — focused on the protection of the individual’s personal space from the government, and, therefore, is viewed as being somewhat narrow in focus by virtue of enabling the collection of personal information as long as the individual is informed of such collection and use. The US template has been viewed as inadequate in key respects of regulation.
Unlike the EU’s GDPR, there is no comprehensive set of privacy rights or principles that collectively address the use, collection and disclosure of data in the US. Instead, there is limited sector-specific regulation. The approach towards data protection in the US is different for the public and private sectors.
The China model:
New Chinese laws issued over the last 15 months on data privacy and security includes the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives Chinese data principal’s new rights as it seeks to prevent the misuse of personal data.
The Data Security Law (DSL), which came into force in September 2021, requires business data to be categorised by different levels of importance and puts new restrictions on cross-border transfers.
These regulations will have a significant impact on how companies collect, store, use and transfer data, but are essentially focused on giving the government overreaching powers to both collect data and regulate private companies that collect and process information.
#upsc #news #headline #personaldata #protection #bill #polity #digital #EU #GDPR #personal #information #data #transfer #crossborder #business #collect #store #power #DSL #PIPL
Personal Data Protection Bill, 2023 cleared
GS Paper - 2 (Polity)
The Lok Sabha on 7 August 2023 passed the Digital Personal Data Protection Bill, 2023, a first-ever legislation dedicated for digital privacy amid concerns of MPs regarding the removal of the data localisation mandate and increased government control.
More about the Bill
The Bill was passed with an amendment to a minor drafting error. Once the Bill comes into effect, all digital platforms will be required to obtain unconditional, free, specific, and informed consent from users for processing their data.
They will also need to issue a notice explaining the purpose of data processing and the rights of the users.
The government will appoint a data protection board, an independent body that will examine personal data breaches and impose penalties.
The latest version of the Bill does not mandate local storage of personal data, providing a major relief to big tech firms like Google, Meta, and Amazon.
The government may, however, notify a list of countries in future, where data cannot be transferred.
The Bill prescribes penalties of up to Rs 250 crore for each instance of a data breach arising from a lack of reasonable safeguards on platforms.
The government may block the operations of entities not complying with the law even after two instances of penalties. The draft Bill of the final version was released for public consultation in November 2022.
Models for data protection laws
The EU model:
The GDPR focuses on a comprehensive data protection law for the processing of personal data.
It has been criticised for being excessively stringent, and imposing many obligations on organisations processing data, but is the template for most of the legislation drafted around the world.
In the EU, the right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her right over the data that she generates.
The US model:
Privacy protection is largely defined as a “liberty protection” — focused on the protection of the individual’s personal space from the government, and, therefore, is viewed as being somewhat narrow in focus by virtue of enabling the collection of personal information as long as the individual is informed of such collection and use. The US template has been viewed as inadequate in key respects of regulation.
Unlike the EU’s GDPR, there is no comprehensive set of privacy rights or principles that collectively address the use, collection and disclosure of data in the US. Instead, there is limited sector-specific regulation. The approach towards data protection in the US is different for the public and private sectors.
The China model:
New Chinese laws issued over the last 15 months on data privacy and security includes the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives Chinese data principal’s new rights as it seeks to prevent the misuse of personal data.
The Data Security Law (DSL), which came into force in September 2021, requires business data to be categorised by different levels of importance and puts new restrictions on cross-border transfers.
These regulations will have a significant impact on how companies collect, store, use and transfer data, but are essentially focused on giving the government overreaching powers to both collect data and regulate private companies that collect and process information.
#upsc #news #headline #personaldata #protection #bill #polity #digital #EU #GDPR #personal #information #data #transfer #crossborder #business #collect #store #power #DSL #PIPL
Today's Headlines - 06 September 2023
Your personal data online
GS Paper - 3 (ITC)
Recently, India notified its personal data protection framework as a law, signalling the beginning of a new era of privacy legislation in the country. Provisions of the Digital Personal Data Protection Act, 2023 will come in force in a few months, after the Centre has allowed enough transition time to the industry, with users of these platforms — you — experiencing several new notices and rights, as prescribed in the law.
When can an entity process your personal data?
There are broadly two circumstances under which entities — both government and private — can process an individual’s personal data: (i) There has to be clear consent for such processing; and (ii) for certain “legitimate uses”.
When an entity is processing your personal data for which you have consented, it has to be accompanied by a notice, which is to be made available in all 22 languages of Schedule 8 of the Constitution.
You can directly consent to businesses, and the government can process your personal data, or alternatively use a consent manager.
What happens to your personal data that was collected before this law came into existence?
Any entity that has collected a person’s personal data before the Act came into being should give her a notice about the personal data in its possession “as soon as it is reasonably practicable”.
The notice should include:
The personal data an entity is processing and the purpose for such processing;
The way in which a user can withdraw their consent;
The means of grievance redressal
However, the contents of this notice have been significantly diluted from previous iterations of the many data protection Bill drafts in the last five years.
For instance, the Act doesn’t require companies to state the duration for which they will store personal data, if it will be shared with third-parties, and if it will be sent to a foreign jurisdiction.
There are exemptions to consent requirements as well:
The Act says that the government can exempt itself and its instrumentalities from adhering to any and all provisions of the law that relate to processing of personal data.
Will your rights be restricted in any way?
Broadly, there are three major roadblocks that impose restrictions, or limit the rights prescribed in the provisions of the law from applying to individuals. These are as follows:
Government exemptions: In the interest of national security, friendly relations with other governments and public order among others, many of the provisions of the Act, including rights afforded to citizens will no longer be applicable.
The way we have prepared the law, it has adequate safeguards for citizens. A lot of the fear against the government’s power comes from citizens’ experience with previous governments. But that is not the case today. People have a lot of trust in our government, IT Minister Ashwini Vaishnaw said.
Processing of data for legitimate uses: Neither the government nor private companies need to seek informed consent from citizens for certain legitimate uses.
For the government, this includes processing personal data for offering subsidies and certificates, responding to a medical emergency, for national security, and during natural disasters.
Private entities can assume consent when an individual has not expressly denied her consent.
#upsc #news #headline #personaldata #online #ITC #protection #industry #rights #legitimateuses #Constitution #grievance #redressal #duration #instrumentalities #roadblocks #ITMinister #AshwiniVaishnaw #subsidies #medicalemergency #disasters #safeguards #online
Your personal data online
GS Paper - 3 (ITC)
Recently, India notified its personal data protection framework as a law, signalling the beginning of a new era of privacy legislation in the country. Provisions of the Digital Personal Data Protection Act, 2023 will come in force in a few months, after the Centre has allowed enough transition time to the industry, with users of these platforms — you — experiencing several new notices and rights, as prescribed in the law.
When can an entity process your personal data?
There are broadly two circumstances under which entities — both government and private — can process an individual’s personal data: (i) There has to be clear consent for such processing; and (ii) for certain “legitimate uses”.
When an entity is processing your personal data for which you have consented, it has to be accompanied by a notice, which is to be made available in all 22 languages of Schedule 8 of the Constitution.
You can directly consent to businesses, and the government can process your personal data, or alternatively use a consent manager.
What happens to your personal data that was collected before this law came into existence?
Any entity that has collected a person’s personal data before the Act came into being should give her a notice about the personal data in its possession “as soon as it is reasonably practicable”.
The notice should include:
The personal data an entity is processing and the purpose for such processing;
The way in which a user can withdraw their consent;
The means of grievance redressal
However, the contents of this notice have been significantly diluted from previous iterations of the many data protection Bill drafts in the last five years.
For instance, the Act doesn’t require companies to state the duration for which they will store personal data, if it will be shared with third-parties, and if it will be sent to a foreign jurisdiction.
There are exemptions to consent requirements as well:
The Act says that the government can exempt itself and its instrumentalities from adhering to any and all provisions of the law that relate to processing of personal data.
Will your rights be restricted in any way?
Broadly, there are three major roadblocks that impose restrictions, or limit the rights prescribed in the provisions of the law from applying to individuals. These are as follows:
Government exemptions: In the interest of national security, friendly relations with other governments and public order among others, many of the provisions of the Act, including rights afforded to citizens will no longer be applicable.
The way we have prepared the law, it has adequate safeguards for citizens. A lot of the fear against the government’s power comes from citizens’ experience with previous governments. But that is not the case today. People have a lot of trust in our government, IT Minister Ashwini Vaishnaw said.
Processing of data for legitimate uses: Neither the government nor private companies need to seek informed consent from citizens for certain legitimate uses.
For the government, this includes processing personal data for offering subsidies and certificates, responding to a medical emergency, for national security, and during natural disasters.
Private entities can assume consent when an individual has not expressly denied her consent.
#upsc #news #headline #personaldata #online #ITC #protection #industry #rights #legitimateuses #Constitution #grievance #redressal #duration #instrumentalities #roadblocks #ITMinister #AshwiniVaishnaw #subsidies #medicalemergency #disasters #safeguards #online