The new data protection bill: Five takeaways
Summary
After five years and multiple iterations, the Digital Personal Data Protection (DPDP) Bill was tabled in Parliament on Thursday. Featuring a number of changes from the 2022 draft, the bill is a mixed bag. Mint gives you the top five takeaways:
Does the bill protect our personal data?
To an extent. Firms scraping data from social media can only take data that has been posted by the user themselves. If the data is posted by a third person, however, firms will need to obtain permission for scraping this data. The bill also restricts storage and processing of personal user data, beyond what a user explicitly gave consent for. This can significantly complicate the consent-taking procedure that most companies follow right now. Hence, while it does permit personal data usage, it also limits it. However, exemptions afforded to companies to withhold personal data for law enforcement could be misused.
Are governments and firms exempted?
Yes, and this point is expected to be debated in the coming days. On companies, experts said that the DPDP bill lacks any review mechanism or appeal process for tech firms, addressed as ‘significant data fiduciaries’ in the bill, if the central government orders them to furnish the data. Section 10(1) of the bill also lists out a number of broad clauses under which it can ask companies to produce personal data, which include “risks to the rights of data principal”, “impact on the sovereignty and integrity of India”, “risk to electoral democracy”, “security of the State”, etc.
What happens in case of complaints?
The Telecom Disputes Settlement and Appellate Tribunal under a Data Protection Board will handle grievances. This has raised questions. Some question if the body has the expertise to assess and gauge the impact of breach of consent of personal data. Others cite this as a missed opportunity to set up a dedicated authority to handle grievances.
What’s the approach to data transfers?
Previous drafts had suggested a ‘whitelisting’ approach—the government could name which nations would be eligible to host Indian users’ data. The new bill proposes that the government may instead restrict personal data transfers to select nations, thereby taking a ‘blacklisting’ approach. The shift could allow the government to limit data transfer to nations based on India’s geopolitical equations. This in turn could have deeper repercussions for India’s bilateral ties with various countries.
How does the bill address child safety?
Under section 9(5), on processing personal data of children, the age at which users are determined as ‘children’ is not held constant at 18. Companies may process personal data of children if it is “done in a manner that is verifiably safe”. This could be important, since the bill does take into account modern-day internet usage by children. However, the definition of “verifiably safe” data processing is up for debate—although the bill bans tracking underage internet users and advertisements targeting them.