New Delhi: The controversial Digital Personal Data Protection Bill (DPDPB), 2023 — which seeks to provide a framework for the processing of Indians’ digital personal data — was passed in the Lok Sabha Monday by a voice vote.
The bill, which has been in the making for six years, was passed in the lower house after a discussion lasting just about 50 minutes, involving the participation of eight MPs. Meanwhile, the majority of the Opposition members — including the Congress, which has been critical of the bill — continued their protests over the Manipur situation in the well.
On average, each of the MPs got under three minutes to speak on the bill.
Of the members who participated, two were from the ruling BJP and one from its ally Shiv Sena. Another three were from parties that support the BJP in parliament — the YSR Congress, the Biju Janata Dal (BJD), and the Telugu Desam Party (TDP).
The remaining two were from the All India Majlis-e-Ittehadul Muslimeen (AIMIM) and the Bahujan Samaj Party (BSP).
Even the parties that supported the bill including the BJD, TDP and YSR Congress were critical of some of the provisions in the bill, while the BSP didn’t make its stand clear.
The bill will now be taken up in the Rajya Sabha. Once cleared in the Upper House and approved by the President, it will become law.
While the Modi government says the law will ensure the personal data of 140 crore Indians is protected, it has drawn criticism from Opposition MPs over provisions that are seen to grant “unchecked powers” to the central government by way of exemptions, besides one that allegedly dilutes the Right To Information (RTI) Act.
The quick passage of the bill in the Lok Sabha Monday was described as a matter of concern by some subject experts, who said the Opposition had raised important concerns.
Taking up the bill for discussion in Parliament, Union Minister for Electronics & IT and Railways Ashwini Vaishnaw said “it would have been good if the Opposition had discussed this bill”.
“But no member of the Opposition has any concern for citizens rights. Hence, they are just raising slogans,” he added.
During the ensuing discussion, while Opposition MPs raised their concerns — including over the definition of a child as anyone aged below 18 — Vaishnaw sought to assuage their concerns.
Regarding the exemptions given to the Centre, he said it was only to expedite relief work and criminal investigations.
Also Read: New data bill carries one disappointment from previous versions—exempting govt agencies
What the law says
The DPDPB largely seeks to streamline how data of “data principals (people to whom the data belongs)” is processed by “data fiduciaries (entities that collect and process data, including start-ups)”.
It emphasises consent and, among other things, calls on data fiduciaries to build safeguards against potential data breaches.
The bill proposes to create a ‘Data Protection Board’ to monitor the law’s implementation and impose penalties, which run into tens of crores for violations such as failure to take up adequate security measures.
Its controversial aspects include the fact that the bill seeks to provide the board, its chairperson and any member or employee from “suit, prosecution or other legal proceedings” for anything that is done or “intended to be done in good faith”.
It also proposes to exempt the government from its provisions “in the interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence”.
It further seeks to give the Centre the power to exempt data fiduciaries from certain clauses of the legislation.
Among other things, the bill includes a provision to amend the Right to Information (RTI) Act 2005, with respect to its Clause (j) of sub-section (1) of Section 8, which relates to exemptions.
The clause exempts from disclosure “information which relates to personal information” unless “the central public information officer or the state public information officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information”.
The DPDPB seeks to remove the proviso.
Trying to assuage the concerns over the exemptions given to the Centre, Vaishnaw said, “…If there is a natural disaster, should, at that time, data form, consent, notice be taken care of or should the people be protected first? If police are going to catch any offender, should there be forms filled or they should take action?”
He said that Europe’s General Data Protection Regulation (GDPR) gives 16 exemptions, while the DPDPB only has four. “Another accusation was that the RTI is being diluted… the three principles given in the Puttaswamy judgement (in which the Supreme Court held that right to privacy is fundamental), have been included in this bill. The harmonisation needed between RTI and this bill has been done,” he added.
The discussion
Participating in the debate, BSP MP Ritesh Pandey said “we can see through the bill, all data-related powers have been restricted by the government to itself”.
“The government stores the maximum data throughout the country. Thus the biggest fiduciary is the Indian government. In view of that, in Section 37, as per Data Protection Board and as per the government’s wish, any content can be blocked at any point of time. This needs to be seen with suspicion.”
He then sought an explanation on the use of “as may be prescribed” by the government through the bill.
“This phrase is used 26 times in the 20-page bill… This means that all laws will be made later and the government will make them behind closed doors,” he said.
Responding to this, Vaishnaw said, “Rule-making power is not absolute. If Parliament has decided boundaries of any law, rules will be made within that boundary. Rules also have to be presented in Parliament. This is a time-tested arrangement for the past 70 years.”
Referring to Section 7 of the bill, Krishna Devarayalu Lavu of the YSRCP said the provision for personal data to be used without consent for purposes of providing benefits, services, licences etc will actually allow “data to be used by state government to profile the voters as per their needs”.
He also flagged the definition of “child” in the bill.
“We (our laws) are giving permission for a person who is above 14 to work. When we can do that, why can’t we do the same here?”
Ashwini Vaishnaw said the bill makes “very clear provisions… as to which apps can be used by children and which they can’t, in a graded way”.
“Parents’ consent can be taken through platforms like Digilocker,” he added.
The issue of exemption was also raised by the BJD’s Sarmistha Kumari Sethi. “The Union government can exempt any government or even a private-sector entity from the provisions of the law by merely issuing a notification, potentially resulting in immense violation of a citizen’s privacy,” she said.
According to her, the bill also violates “the spirit of federalism” as the powers granted to the board mean state governments will be “disempowered in controlling their own data”.
Jayadeva Galla of the TDP said the provisions related to the formation of the Data Protection Board were “overly tilted” towards the central government.
“Clause 18 to clause 26. For example, the Government of India will establish the board, decide where its headquarters will be. Decide its chairpersons and members,” he added.
To this and similar questions, the minister said, “independence (of data board) comes from law”.
“Independence comes from the fact that members’ terms and conditions remain unchanged. Provisions for the same have been clearly made in the bill. Section 28 clearly states that the board will be an independent body,” he said.
What experts say
Kamesh Shekar, Programme Manager-Privacy & Data Governance, at The Dialogue, said the exemption given to the government for data processing “may give unchecked powers to the State and may undermine the principles of necessity and proportionality as envisaged in the Puttaswamy judgment”.
“In addition to providing an exemption to any court, tribunal, or other body, DPDPB 2023 also provides an exemption to regulators and supervisory authorities. However, blanket exemption without providing directions in terms of safeguards might cause concerns,” he added.
He also expressed concern about the dilution of rights under the RTI on account of the DPDPB.
“Rather than diluting the power, there is a need for stricter interpretation and application of the section. Removing such a provision would severely restrict the RTI Act’s scope and adversely impact people’s ability to access information.”
Referring to Vaishnaw’s response on using DigiLocker — the online portal to store all documents, from licences to Aadhaar — for age-gating and collecting parental consent, Aparajita Bharti, founding partner at TQH Consulting, said it was against “data minimisation principles”.
Data minimisation means data controllers should only collect information necessary for the specified purpose.
“It could also potentially impact free speech. If personal IDs are used for age-gating, then every platform would require KYC by default for all data principals to first determine whether they are a child,” she added.
In other jurisdictions, she added, hard age-determination requirements are only being considered for high-risk platforms such as adult content websites.
“The requirement for ‘verifiable parental consent’ could potentially have a chilling effect on freedom of speech and expression on the internet, in case the government notifies personal-ID-led KYC requirements in rules, once the Bill is passed,” she said.
She said it was unfortunate that the bill was discussed for a very short while in the Lok Sabha. “Some important points were made by Opposition members, including the lack of independence of the Data Protection Board, the need to relook the RTI amendment and age of consent for children,” she added. “One hopes there is a more substantive discussion on the bill in the Rajya Sabha.”
(Edited by Sunanda Ranjan)
Also Read: What is the ‘right to be forgotten’, included in data protection bill tabled in Lok Sabha