There are conflicting reports about the status of the draft Digital Personal Data Protection Bill. Electronics and information technology minister Ashwini Vaishnaw said last week that the parliamentary standing committee on communications and information technology has cleared the draft Bill. The Bill is likely to be presented in the upcoming second half of the Budget Session of Parliament, the minister said last week at Nasscom’s Technology and Leadership Forum 2023. Nasscom later clarified that the minister did not say that the panel had approved the Bill. The tech industry body urged the minister to fast-track the Digital Data Protection Bill.
The Bill has its origins in the Puttaswamy judgement of the Supreme Court in 2017. The landmark judgement ruled that privacy is a fundamental right of Indian citizens. The same judgement kick-started a five-year-long process for data protection legislation in India which has now seen four versions of the Data Protection Bill.
According to the government, the Bill will help resolve future issues as the technology is getting complex with each passing day and regulating it has become a major challenge for governments. However, many are concerned about the Bill giving snooping access to the government.
The draft Digital Personal Data Protection Bill
The Digital Personal Data Protection Bill was introduced in Parliament in December 2019. The Union government had published the draft Bill in November last year and this is the latest draft of the legislation.
The Bill looks to provide a framework for the protection of personal data of individuals and establishes a data protection authority (DPA) for the same. The Bill sets ground rules for how personal data should be collected and stored. It also proposes the creation of a new regulatory agency, the DPA will monitor the implementation of the law. Members of the opposition are apprehensive of the authority’s ability to be independent as the government will pick its members and chairman which will inevitably rob the authority of its independence.
While the government has been hailing the Bill as a positive move towards personal data protection, there have been some concerns raised regarding its provisions. For one, the Bill requires certain categories of personal data to be stored only in India. This provision has been criticised by some for creating unnecessary compliance costs for businesses and limiting the free flow of data. The Bill provides for exemptions to certain data processing activities for reasons such as national security or for the performance of a legal obligation.
There is a lack of clarity on what constitutes national security and the scope of the exemptions. This could potentially be misused by the government. Opposition members argue that the government should be required to get judicial or parliamentary approval for any such exemption granted to an agency, and submit in writing the reasons for seeking such an exemption. In a country like India where citizens are dependent on government benefits, many would lose control over how the government uses their data as section 12(a)(1) of the Bill essentially takes away an individual’s right to consent when the state provides any service or benefit to the individual.
Further, the Bill provides for obtaining consent for processing personal data. However, the requirements for obtaining consent are not clearly defined, which could lead to confusion and abuse. The bill also imposes heavy penalties for non-compliance, which could potentially create a burden on small businesses. The government can levy 500 crore for the cases of data breaches. Earlier, the older version of the Bill proposed to levy penalties of 2-4% of total worldwide turnover of the firms concerned.
The legislation also fails to bring children’s safety and data privacy under its ambit. The government has given itself the power to exempt entities from complying with the Act while processing data of children. A study by HRW has earlier found that government apps such as Diksha and e-Pathshala were engaging in practices that infringed the data privacy of children.
While the analysts do not eliminate the need of such a policy framework and deem it rather necessary, the draft Bill needs fine tuning to address the concerns of stakeholders. For that, the government must first specify the powers that it will exercise on the personal data of citizens, compensation for individual data breaches and the recognition of 18 years (upper limit) as the age gate for online presence. As of now, the Bill needs cabinet approval before reaching Parliament. Hope the government will exercise utmost caution while legislating this Bill which has the potential to infringe on citizen’s right to privacy.