New Delhi: The long-awaited Digital Personal Data Protection Bill, 2023, was introduced in the Lok Sabha Thursday, with the aim of “protecting the rights of all citizens”. However, the bill has been met with concerns that it would grant “unchecked powers” to the central government by way of exemptions as well as powers to block content.
The bill proposes, among other things, to ease cross-border data flows and introduces penalties of up to Rs 250 crore on entities misusing or failing to protect digital data.
The bill — which has been in the works for about six years now — was introduced in the House by Union Minister for IT, Telecom and Railways Ashwini Vaishnaw amid demands from the opposition to refer it to a parliamentary standing committee.
The minister clarified that the Data Protection Bill was being introduced as a “general bill”, and not a money bill. In case of a money bill, Rajya Sabha cannot amend or reject the legislation.
Minister of State for Electronics and IT Rajeev Chandrasekhar in a video posted on X, formerly Twitter, said the Bill would protect the rights of all citizens.
“This new Bill, after it is passed by Parliament, will protect the rights of ALL citizens, allow the innovation economy to expand, and permit Govt’s lawful n legitimate access in national security and emergencies like pandemics and earthquakes, etc., (sic)” he stated.
What is the Digital Personal Data Protection Bill ?
➡️ #DPDPBill introduced in #Parliament is a very significant milestone in PM @narendramodi ji's vision of Global Standard Cyber Laws for India's $1T #DigitalEconomy & #IndiaTechade
➡️ @GoI_MeitY has developed this bill after… pic.twitter.com/a8tHXJl537
— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) August 3, 2023
The bill notes that it seeks to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data, as well as the need to process such personal data for lawful purposes.
The provisions of the Bill will be applicable to processing of digital personal data within the territory of India and also outside the territory of India, if such processing is related to offering of goods or services to ‘data principals’ (the natural person/individual to whom the personal data relates) within India, it states.
The provisions will not apply to data processed for personal or domestic purpose and in case it is made publicly available by the data principal himself or herself, it adds.
The bill further proposes to exempt the government from its provisions “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognisable offence”.
However, some experts have raised concerns about the bill, including over the powers its provisions accord to the government.
“There is no dilution in the provisions related to the exemptions given to the government for processing data,” said Kamesh Shekar, programme manager at The Dialogue, a public policy think tank, speaking to ThePrint.
“This may give unchecked powers to the State and may undermine the principles of necessity and proportionality as envisaged in the Puttaswamy judgment (in which the Supreme Court held that right to privacy was fundamental),” he added.
This is the government’s second attempt to get the Bill passed in Parliament.
The legislation was first tabled in Parliament in December 2019. However, it was soon referred to a joint parliamentary committee, which submitted its report in December 2021.
The IT ministry withdrew the bill from Parliament in August last year and stated that a new one would be presented. Subsequently, another draft of the bill — which narrowed the scope of the data protection regime to personal data protection — was put out for public consultation in November 2022, and then cleared by the Union Cabinet last month.
Also Read: Grievance redressal board, Rs 500 cr fine, key features of new personal data protection draft bill
Provisions and criticism
According to the Bill, the Centre can notify and exempt ‘data fiduciaries’ (entities which collect and process data), including start-ups, from certain clauses of the legislation.
While proposing to create a Data Protection Board, the bill provides protection to the board, its chairperson, and any member or employee from “suit, prosecution or other legal proceedings” for anything which is done or “intended to be done in good faith”.
Software Freedom Law Center (SFLC), India, a not-for-profit legal services provider, said in a statement Thursday: “The government has been given a lot of powers under the bill and there is no sufficient legislative guidance provided regarding these.”
It also pointed out that the bill does not provide for compensation to data principals whose privacy has been violated and who have suffered a loss.
Additionally, the provision for “deemed consent” — which had provoked concerns over possible misuse — has been reworded but “principally remains the same”, it added.
Shekar, from The Dialogue, said: “The premise and terminology of ‘deemed consent’ has changed in the Digital Personal Data Protection Bill 2023, and has been coined as ‘certain legitimate use cases”. Rather than broadly mentioning that deemed consent will apply to all the reasonably expected scenarios, the wording of the provision has been narrowed.”
He explained that the bill now states that if the data principal voluntarily provides a data fiduciary with personal data and requests the data fiduciary for a particular service, it is deemed that the data principal has provided consent for the “specified purposes”.
“Application of deemed consent for the performance of activities by the State actors (government) has significantly evolved in the 2023 draft Bill,” Shekar said, adding that “for example, the scope of activities has been enhanced to include subsidy, benefit, and services”.
On cross-border data flows, the bill states: “The central government may, by notification, restrict the transfer of personal data by a data fiduciary for processing to such country or territory outside India as may be so notified.”
This means that the bill allows cross-border data transfers to any country outside India for processing data unless the government restricts such flows to a country by way of notification.
“The data fiduciaries transfer data offshore for data processing and storage purposes. However, there is less clarity in terms of whether the data can be transferred offshore for storage purposes, as the bill only discusses the transfer of personal data by a data fiduciary for processing purposes,” Shekar said.
The bill also allows for powers to block access to “any information generated, transmitted, received, stored or hosted, in any computer resource” of a data fiduciary that enables it to offer goods or services to data principals within the territory of India, after giving an opportunity to that data fiduciary of being heard “in the interests of the general public”.
This, SFLC stated, was a “problematic provision” which could be used for blocking websites and applications.
“Although the consultation process took a long time, the government does not seem to have considered the inputs received from stakeholders and recommendations from the JPC (joint parliamentary committee),” it added.
Shruti Shreya, programme manager at The Dialogue, pointed out that the bill provides that the Data Protection Board can advise the government to block access to any information that is hosted on any “computer resource” by a data fiduciary that has been penalised on two or more occasions for a data breach.
“Content blocking powers with appropriate procedural safeguards may be important for grave national security issues. However, the Information Technology Act 2000 read alongside the Blocking Rules of 2009 already delineates detailed powers and procedures in this regard,” she told ThePrint.
“Accordingly, creating a parallel framework for this under a data protection law is not just beyond its statement of objects but is also unnecessary as it can lead to jurisdictional overlaps,” she added.
(Edited by Nida Fatima Siddiqui)
Also Read: Age clause in data protection bill — excessive control or keeping kids safe?