New Delhi: The draft data protection bill released by the Ministry of Electronics and Information Technology (MeitY) Friday has elicited varied reactions from stakeholders at this stage.
Some have lauded the government’s efforts to build a much-awaited legal framework around the storage, processing and collection of digitised personal data, while others have pointed out how sections in the proposed legislation lack specificity, especially with concessions on data storage abroad.
According to MeitY Minister of State (MoS) Rajeev Chandrasekhar, “DPDP (Digital Personal Data Protection Bill, 2022) is a modern legislation that achieves the seemingly contradictory objectives of data protection of our citizens, ease of doing business for industry and public interest of efficient governance and national security.”
‘Step in the right direction’
Kazim Rizvi, founder of the tech policy think tank The Dialogue, told ThePrint: “The Digital Data Protection Bill 2022 is a step in the right direction as it has considerably narrowed the scope of the bill by removing provisions related to non-personal data, social media intermediaries, hardware like IoT (Internet of Things) etc.”
Rizvi said the “relaxation of data localisation norms” through the introduction of notification of countries to which data could flow is a welcome move.
“From an individual perspective, the introduction of alternate dispute resolution for solving the grievances, as the Board deems, would aid individuals to have an agile response; it would be important to have a calibrated grievance system where individuals can evaluate their concerns accordingly for fair and appropriate redressal,” he added.
However, Rizvi also raised questions about the “structural elements of the Data Protection Board” which may lack “separation of powers” since the appointments will be made entirely by the central government.
Sources from the IT ministry have pointed out that this draft is still at its “nascent stage” and will take different forms as and when consultations with stakeholders take place. The bill is not yet “cast in stone”, they said.
By and large, there is a positive sentiment towards the obligations of data fiduciaries envisioned in the draft bill which describes a data fiduciary as “any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data”.
“One welcome aspect is that along with the rights of the data principals prescribed within the bill, there is explicit mention of the duties that the Digital nagrik (citizen) will have to adhere to. This is likely to bring in welcome reinforcements to the onerous obligations of the data fiduciaries,” said Abhishek Malhotra, managing partner of TMT Law Practice which specialises in tech-related litigation.
‘As May Be Prescribed By Government Bill’
As is the nature of legislation that affects such a vast number of citizens, the bill has invited some criticism over the ways in which it could be used by the government to ‘exploit’ digital personal data.
According to tech lawyer Mishi Choudhary, the bill should be called “As May Be Prescribed By Government Bill” as a lot is left to the rules yet to be drafted. “Rules that the Executive in India has a track record of exploiting to expand its powers. The bill doesn’t meet the expectations of people protection but ensures that the government retains all power without any checks or balances as it makes laws about individuals and businesses,” she said.
Choudhary also highlighted that the draft bill has done away with the “right for compensation to individuals in case of a data breach” found in the earlier version that was withdrawn from the floor of Parliament in August.
“There is no right for compensation to individuals in case of a data breach. They have no right to data portability. The Board is toothless as most power is given to the Executive to prescribe through rules,” she told ThePrint.
The non-profit digital rights platform Internet Freedom Foundation, meanwhile, has spoken out about relaxed data localisation norms, among other issues it found with the bill.
“Unlike previous iterations of the bill, it does not require data fiduciaries to inform principals about the third parties with whom their data will be shared, the duration for which their data will be stored and if their data will be transferred to other countries. Thus, data fiduciaries can continue to obtain the consent of principals by providing limited information and then using their personal data in a manner principals might not have anticipated,” the IFF said in a statement issued Friday.
(Edited by Amrtansh Arora)