New Delhi: India’s Digital Personal Data Protection Act (DPDP), 2023 was notified in the gazette Saturday. Since it was introduced in the Lok Sabha on 3 August, it took less than two hours for the Bill to be cleared in both houses without much opposition, and 10 days to be notified. The Bill became an Act without any amendments, except for a correction in a section reference by Information Technology minister Ashwini Vaishnaw himself.
While in the Lok Sabha, the Opposition continued sloganeering during discussion, the Rajya Sabha saw Opposition walk out in protest over the Manipur issue.
The Bill — which lays down obligation for entities (data fiduciaries) to observe while processing digital personal data of users (data principals) and allows the government to exempt itself and private entities from any and all obligations of the Act, and has provisions to curb the misuse of individuals’ data by online platforms — was passed with a voice vote in both the houses so there is no data on how the members voted.
During the debate in Lok Sabha (LS) Monday, many Opposition members voiced their dissent to the Bill. Some amendments were moved and voted upon via voice vote without any discussion. After a point, members stopped giving their assent or dissent verbally and resorted to raising their hands. ThePrint watched the proceedings in both houses.
In Rajya Sabha (RS), even as members such as Dr Amar Patnaik (BJD) and S. Niranjan Reddy (YSRCP) made a litany of suggestions, they supported the Bill on behalf of their respective parties. The amendments proposed by four MPs — Dr John Brittas and V. Sivadasan of the CPI(M), Binoy Viswam of the CPI, and Dr A.D. Singh of the RJD — were not even moved because the members had already walked out earlier in the day.
“That’s the peculiarity of political times now. Other major issues, that is Manipur, have taken centre stage. That is the predicament of an MP today,” Brittas said to ThePrint on why he walked out of the House, following which, his amendments were not even considered.
“The government should have referred the Bill to a select committee. The amendments were moved in good faith and were not politically driven. The government should have considered them with an open mind,” he said.
While the Act allegedly gives “unchecked powers” to the central government, ThePrint takes a look at what the proposed amendments were and how they would’ve made for a more rights-preserving and improved DPDP Act.
Also read: IIM bill gives Modi govt power to formally intervene. It must be protested
Send it to parliamentary committee for discussion
The DPDP Bill 2023 was the fifth iteration of the Bill since 2018. The penultimate iteration, of November 2022, was discussed by the Parliamentary Standing Committee on Communications and Information Technology headed by Prataprao Jadhav (Shiv Sena). The committee adopted a report related to it on 26 July this year and tabled in LS on 1 August. However, opposition MPs on the committee alleged that their concerns had not been addressed in the report.
N.K. Premachandran (Revolutionary Socialist Party) argued in LS Monday that the Ministry of Electronics and Information Technology (MeitY) had not considered any of the recommendations made in this report while formulating the 2023 Bill.
The 2023 version, which differs significantly from the 2022 Bill, had not been seen by any of the members of the committee before it was introduced in LS on 3 August, many of them told ThePrint.
A constant refrain in the LS debate was for sending the Bill to a panel for further discussion.
CPI(M)’s Sivadasan, in his submitted amendment to the RS, proposed that the DPDP Bill, 2023, be referred to a select committee of the RS and its report be submitted by the last day of the first week of the Winter Session 2023.
Congress’s Gaurav Gogoi and Shashi Tharoor (a former chairperson of the IT Parliamentary Standing Committee), and TMC’s Saugata Roy argued that the Bill be sent to the standing committee. Congress’s Manish Tewari wanted it to be sent to a Joint Parliamentary Committee (JPC). Congress’s Adhir Ranjan Chowdhury suggested the Bill be sent to a JPC, the standing committee on communications and information technology, or to “any other place” for discussion.
An earlier version of the Bill — Personal Data Protection Bill, 2019 — was referred to a JPC in December 2019.
Powers of central government
The opposition and civil society has reportedly alleged that the Act gives sweeping powers to the government to exempt itself from any and all data protection obligations. The Act mandates the creation of a Data Protection Board (DPB) to adjudicate on any personal data breaches and impose penalties, but this board will be constituted by the central government.
The Act allows the central government to block any data fiduciary if the DPB recommends so, based on how many times the data fiduciary has incurred a monetary penalty, and if it is in the “interests of the general public” (Section 37).
This is a significant expansion of Section 69A blocking powers under the IT Act, which allow the government to block any online platform in this country for reasons of national security, sovereignty and security of the state, public order, etc. and goes beyond the reasonable restrictions on fundamental rights as prescribed under Article 19(2) of the Constitution. CPI’s Viswam proposed that this clause in the Bill be deleted.
The Act also allows the central government to demand any information from the DPB and any data fiduciary or intermediary (Section 36). Viswam’s amendment sought to curtail this power by adding two provisos: orders for such information requests be recorded in writing and transmitted to the intermediary, and power vested in the DPB be exercised in a “fair, reasonable, just and proportionate” manner to conform with an individual’s right to privacy.
Section 7 of the Act allows data fiduciaries, including the government, to process personal data without the consent of the user for certain “legitimate uses”. These uses include the government providing subsidy, benefit, service, certificate, licence or permit; for performance of state functions under any law or in the interest of national security; responding to medical emergencies; and employment purposes.
Viswam wanted a court no lower than that of the Chief Judicial Magistrate or the District Magistrate to grant authorisation for such data processing. In such cases, he wanted the data principal to be notified and in case of non-notification, he wanted the reasons to be recorded.
LS MP Premachandran sought to restrain government powers by restricting “legitimate uses” in Section 7 to only the State and wanted to exclude “any of its instrumentalities”. He proposed that data processing by the State for legitimate uses be carried out only after getting permission from a three-member committee headed by a retired Supreme Court judge. He also proposed that any data fiduciary would take permission from this committee to process data to provide medical care during an epidemic or for the purposes of employment.
The Act says that when a State or any of its instrumentalities process data, the user will not be allowed to exercise their right to correction and erasure of data (Section 17.4). Brittas proposed that even when the State is processing data, users should be allowed to exercise their right to erasure of data.
Viswam proposed that while seeking consent from the data principal/user, the data fiduciary must also mention “the list of third parties who shall have access to such data” in its request for consent. In case this list changed, he wanted the data fiduciary to seek fresh consent.
Viswam and Brittas both proposed that the scope of the section on legitimate uses, that is, processing personal data without consent, be narrowed. While Vishwam wanted the consent to be fresh and the purpose for it to be specific, Brittas suggested that a fresh consent be sought each time.
The Act also allows non-consensual processing of personal data by any data fiduciary, government or private, for providing “any service or benefit sought by” an employee. Brittas wanted this to be based on consent.
Also read: What is the ‘right to be forgotten’, included in data protection bill tabled in Lok Sabha
DPB appointment
The DPB currently consists of one chairperson and an undefined number of members that will be notified by the central government.
Viswam suggested the appointments be made by the President on the recommendation of a committee comprising the Chief Justice of India, or a Supreme Court judge nominated by the CJI, the IT minister, leaders of Opposition in both the houses and the Attorney General of India.
Brittas’s proposed selection committee consisted of the leader of the largest opposition party in Lok Sabha as the chairperson, and two members — the IT minister, and a nominated independent expert from the field of data protection, information technology, data management, data science, data security or cyber and internet laws.
Singh of the RJD recommended that the chairperson be a retired high court judge who is selected from a panel recommended by a committee consisting of the Prime Minister, the Chief Justice of India, and the leader of the largest opposition party in “the House of the People”.
TMC’s Saugata Roy recommended changing the composition of the DPB itself to include two Lok Sabha MPs and a Rajya Sabha MP, “as the central government may notify”.
The Act prescribes a cooling off period of one year for the chairperson and members of the DPB after they have served their term in DPB, except with the previous approval of the central government (Section 22(3)).
Brittas proposed that this cooling off period be unconditional — after leaving office, DPB officials cannot, for one year, be employed with any data fiduciary against whom they have initiated proceedings without disclosing such employment to the central government.
The Act says that no civil court can take up any matter that falls within the remit of the DPB. It also restrains “any court or other authority” from granting any injunctions that may have a conflict with the powers granted under the DPDP Act (Section 39). Brittas wanted this scrapped.
Preserve RTI Act
The Act amends the Right to Information (RTI) Act, 2005, to be amended so that a public information officer is restrained from giving any personal information in response to an RTI request. Viswam, Brittas, Singh and Congress’s Lok Sabha MP Benny Behanan proposed deleting this sub-clause from the Bill. Many Lok Sabha MPs specifically voiced their dissent against this amendment to the RTI Act in Lok Sabha, both on introduction of the Bill and during discussion.
Change preamble, application of Bill
During the debate in Rajya Sabha on 9 August, BJD MP Patnaik pointed out that the Bill misses the word “privacy”. Viswam wanted the preamble of the Bill to be changed to focus only on “safeguard[ing] the fundamental right to privacy by protecting personal data as an essential facet of informational privacy”.
Brittas wanted the Bill to also apply to any “profiling”, that is, data processing that analyses or predicts behaviour, attributes or interests of users in India. The European Union’s General Data Protection Regulation (GDPR) offers data principals protection from user profiling. The DPDP Bill does not.
Compensation for users, their rights & duties
Brittas proposed that if the DPB imposed a penalty on a data fiduciary or a data processor for a personal data breach, or on a consent manager for failing in its obligations towards the data principal, it must also award compensation to the latter considering the gravity of the harm, violation of their rights, severity of the data breach and other violations under the Act.
Dean Kuriakose, Congress’s Lok Sabha MP, recommended that apart from imposing a monetary penalty for breaching the provisions of the Act, the DPB could also consider imprisonment for up to six months (Section 33(1)).
Brittas also proposed that the user should have the right to transfer their personal data from one data fiduciary to another of their choice.
Viswam proposed that two duties of the data principal — not registering false or frivolous complaints with the data fiduciary or the DPB, and furnishing only verifiably authentic information while exercising the right to correction or erasure — be deleted. He proposed that the chapter on the duties must not prevent data principals from exercising their rights under this Act.
Define harm
Brittas wanted the Act to define not just “loss” and “gain” as it already does but to also define “harm”. His proposed amendment described harm as “bodily or mental injury; loss, distortion or theft of identity,” financial loss, humiliation, “discriminatory treatment; or any subjection to blackmail or extortion,” any restriction on speech or movement or “any other action arising out of fear of being observed or surveilled,” “or psychological manipulation which impairs the autonomy of the individual”.
In Rajya Sabha, Patnaik also wanted clarification on the absence of the word “harm” in the Bill.
“What happens if there is a reputation loss because of a data breach? What happens if there is a bodily breach? You may say that you can use the IPC or the CrPC to try that particular person but it has to be read with this [DPDP] Act in order to make the provisions stronger and stringent for such kind of breaches because a reputation breach for a woman is much stronger than a man and a reputational breach may even lead to suicides,” he said.
Reduce exemptions for data fiduciaries
The Act allows the central government to exempt data fiduciaries or classes of data fiduciaries, including start-ups, from multiple obligations under Section 17(3).
Both Brittas and Singh proposed that this exemption be scrapped. The Act also allows the central government to exempt any data fiduciary or classes of data fiduciary from any of its provisions for a specified period as long as such a notification is made within five years of the commencement of the DPDP Act. The MPs wanted this exemption to be scrapped as well.
The Act currently prohibits data fiduciaries from processing the personal data of children (under 18 years) or a person with disability without the consent of their parent or lawful guardian. It also prohibits any data fiduciary from tracking or monitoring the behaviour of children, or engaging in targeted advertising directed at children.
However, it allows the central government to exempt data fiduciaries from these obligations for purposes and under conditions that are yet to be prescribed. It also allows the central government to lower the age for protecting children if it finds that a data fiduciary is processing children’s data in a “verifiably safe” manner and exempts it from the aforementioned additional obligations. Brittas wanted both these exemptions to be scrapped.
Aditi Agrawal is a Delhi-based technology journalist
(Edited by Smriti Sinha)
Also read: 3 new Modi govt bills to replace IPC, CrPC prioritise justice over punishment, Amit Shah in LS