The Hindu Editorial Analysis- 8th August 2023 | Current Affairs & Hindu Analysis: Daily, Weekly & Monthly - UPSC PDF Download

Neither the right to privacy nor the right to information

Why in News?

The Government has tabled the Digital Personal Data Protection Bill, 2023, in the Parliament, which aims to regulate the collection, processing, storage, and transfer of personal data of individuals by various entities. The Bill is based on the recommendations of the Justice B N Srikrishna Committee, which was set up in 2017 to draft a comprehensive data protection framework for India.

Details

• The Bill defines personal data as any data that can identify an individual, such as name, address, phone number, email, biometric data, etc. It also categorises some personal data as sensitive personal data, which includes financial data, health data, sexual orientation, religious or political beliefs, etc.
• The Bill requires entities that collect and process personal data to obtain consent from the individuals and follow certain principles of data protection, such as purpose limitation, data minimisation, accuracy, storage limitation, etc.
• The Bill also establishes a Data Protection Authority (DPA) to oversee and enforce the provisions of the Bill and impose penalties for violations.

The Bill has been welcomed by some experts and stakeholders as a positive step towards ensuring the privacy and security of personal data in India. However, it has also faced criticism from various quarters for its shortcomings and loopholes.

Some of the main issues raised by the critics are:

• Critics are concerned that the bill grants the government wide-ranging exemptions from data protection obligations. The government's ability to access personal data without consent for reasons such as national security, public order, sovereignty, and integrity of India raises privacy and civil liberty concerns. The power to mandate entities to provide anonymized or non-personal data for policy-making or research purposes might also lead to potential misuse of data.

• The bill's provisions for the cross-border transfer of personal data have been criticized for lacking clear criteria and mechanisms for approval or agreement. Requiring one copy of personal data to be stored in India may pose challenges for global entities, leading to operational complexities and increased costs. The absence of well-defined guidelines for transferring data outside India raises uncertainties about data flows and compliance.

• While the bill grants individuals certain rights over their data, critics argue that these rights are subject to exceptions and limitations that could undermine their effectiveness. For example, the right to erasure is not absolute and can be denied under specific circumstances. The bill's provisions also do not offer a robust mechanism for individuals to seek compensation or redressal for harm caused by data breaches or misuse.

• Critics have pointed out that the bill may not adequately address the challenges posed by emerging technologies and practices in the digital age. Aspects like artificial intelligence, big data analytics, social media platforms, and online profiling may require specialized considerations to ensure adequate protection of personal data. Incorporating principles like privacy by design and default from the beginning stages of system and process development is seen as crucial to safeguard privacy.

What other data protection models have been adopted elsewhere?

• The GDPR is considered a gold standard for data protection, emphasizing user consent, transparency, and robust enforcement mechanisms. It empowers individuals with control over their data and holds businesses accountable for data breaches.
• While the Indian bill draws inspiration from the GDPR, it has been criticized for providing more exemptions for the government and lacking the same level of accountability for public authorities.

• The U.S. approach focuses on protecting individual liberties from government intrusion. It allows data collection as long as individuals are informed, but critics argue that it lacks comprehensive privacy principles.
• Unlike the Indian bill, the U.S. lacks a unified data protection framework and mainly relies on sector-specific regulations. This can result in fragmented and inconsistent protection.

• China's recent data protection laws, such as the Personal Information Protection Law (PIPL) and Data Security Law (DSL), grant individuals certain rights over their data and impose penalties for mishandling data.
• Similar to the Indian bill, China's laws have been criticized for giving the government extensive powers to regulate data and companies. The Indian bill's provision for government control and exemptions has raised concerns about its alignment with China's approach.

These are some of the examples of data protection models that have been adopted or proposed by different countries and regions. However, there is no one-size-fits-all solution for data protection, as each model reflects the specific context, culture, values, and objectives of its jurisdiction. Therefore, it is important to evaluate the merits and drawbacks of each model and learn from the best practices and experiences of others, while also considering the unique needs and challenges of one's own country or region.