On 3 August, the long-awaited and much-debated Digital Personal Data Protection Bill, 2023 (DPDPB 2023) was introduced in the Lok Sabha. On 7 August, the Lok Sabha passed the bill, which aims to “provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes," according to the Ministry of Electronics and Information Technology (MeitY).
With technology now present in our lives in various ways, the risk of personal data being publicly available for misuse is a constant concern. From booking cabs to ordering groceries online, people share their personal information for several things on a daily basis, which, if not protected, can breach an individual’s basic right to privacy.
The origin of the bill can be traced back to 2011 when the Department of Personnel, Public Grievances, and Pensions initiated discussions on the draft version of the Right to Privacy Bill, 2011. The drafts of that bill dealt with data protection as well as surveillance reform till 2014, but this did not proceed further, according to the non-profit Internet Freedom Foundation.
In October 2012, a Planning Commission comprising a group of experts was set up to identify privacy issues in India that needed to be addressed. This committee, headed by Justice AP Shah, presented an important report on international and national standards and recommended a privacy act.
In 2017, an Expert Committee on Data Protection chaired by Justice BN Srikrishna was formed by MeitY to “ensure growth of the digital economy while keeping personal data of citizens secure and protected," according to the ministry's official website. The committee released a 176-page report to the MeitY and proposed the Personal Data Protection Bill, 2018 in July that year. There are at least three versions of the bill but it wasn’t until 2022 that the new draft version was finally released for public consultation.
When so much of people’s personal data is online, it becomes incredibly important to have regulations in place to ensure their safety. The primary objective of the Data Protection Bill, 2023 was said to be implementing a privacy framework to protect people’s personal data. However, how it plans to do that is still unclear.
The personal data collected within India, both online and offline as well as data that has been digitised, is covered by the bill. The bill also states that personal data can be used only for a lawful purpose after getting the consent of the individual. However, consent may not be required for specific uses such as voluntary sharing of data or processing by the State for permits, licenses, benefits, and services, according to PRS Legislative Research, a non-profit organisation working towards making the Indian legislative process more transparent and participatory.
The bill also covers certain rights including the right to obtain information, seek correction and erasure, and grievance redressal. However, the central government may exempt government agencies from the provisions stated in the bill if it is connected with matters such as security of the state, public order, and prevention of offences, according to PRS Legislative Research. Moreover, it states that a Data Protection Board (DPB) will be established to ensure compliance with the provisions. The bill requires all firms handling and processing data to inform the DPB and users if and when there is a data breach. This bill also applies to data processing outside India, if it is for providing services in India.
Companies also have to appoint a data protection officer and give their name and information to users.
On 3 August, the Internet Freedom Foundation (IFF) released a statement that the new bill was extremely disappointing. It briefly stated some of the main issues with the bill. One, it can grant exemptions to government agencies, which could enable an increase in state surveillance. Two, there is a lack of clarity in wording. For instance, it uses terms such as allowing the government to assume consent for “certain legitimate uses.” There is no specificity regarding what these uses would be.
The bill will also impose duties and penalties on data principles—standards based on which data services are designed and changes to existing ones are made to promote public trust—which can go up to Rs 250 crore. It is also unclear how much executive control will be there over the Data Protection Board.
Finally, the bill weakens one of the most important laws, the Right to Information Act, 2005, “by removing public interest consideration to the disclosure of personal information,” according to the IFF. The RTI currently includes the disclosure of personal information such as government officials' salaries. The bill would disallow this by imposing a blanket exemption, which is problematic as it hinders public monitoring in a democracy.
Furthermore, exemptions to data processing of data by the State—which could give it free reign over people's personal data—on grounds such as national security may lead to data collection, processing and retention beyond what is necessary, as pointed out by PRS Legislative Research.
The bill, intended to protect data and build public trust, has raised concerns about the opposite: breach of data and lack of clarity regarding citizens' fundamental rights.
Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.