By Sarosh Bana, India Correspondent.
Overriding concerns expressed by Opposition parties, the highly contentious Digital Personal Data Protection Bill, 2023, was passed by the Indian Parliament on 9 August Wednesday.
While the Ministry of Electronics and Information Technology (MeitY) claimed that the legislation would “provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”, it is widely feared that by providing a breadth of exemptions to State entities, the enactment will bring citizens under increased government surveillance and will violate the Right to Privacy. The government besides overruled Opposition demands that the bill be sent to a parliamentary panel for further deliberations.
Introducing the Bill in Parliament, eitY Minister Ashwini Vaishnaw said the statute cites norms for data processing digitally for firms, and creates an adjudicatory mechanism for resolving disputes. It also provides for the creation of a Data Protection Board (DPB) that will ensure compliance with the provisions, and which will need to be informed of any data breach by all firms handling and processing data. The legislation covers personal data collected within India, and also applies to data processing outside India, if it is for providing services in India.
However, while the Act prescribes that personal data be used for official purposes only after securing consent of the individual, it negates such consent for specific uses such as voluntary sharing of data or processing by the State for permits, licences, benefits and services.
Also, while the enactment covers certain rights including the right to obtain information, seek correction and erasure, as well as to have grievances redressed, the government may at its own discretion exempt any of its entities from such provisions stated.
“The Bill, instead of protecting the right to privacy of Indian citizens, prioritises putting into place a regime that facilitates the processing of personal data by state and private actors,” the Internet Freedom Foundation said in a statement before its passing. “We are disappointed with the version of the Bill that may ultimately become India’s data protection legislation.”
With the government pursuing its Digital India campaign that it had launched in July 2015 “to ensure that the government’s services are made available to citizens electronically through improved online infrastructure and by increasing internet connectivity or making the country digitally empowered in the field of technology”, the risk of personal data being publicly available for misuse has been a constant concern.
For most online transactions and bookings, people are obliged to share their personal information as a matter of routine, and any exposure of such information can breach an individual’s basic right to privacy.
According to PRS Legislative Research, an independent non-profit research institute that seeks to “make the Indian legislative process better informed, more transparent and participatory”, exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary, and may consequently violate the fundamental right to privacy. It moreover points out that the statute neither regulates risks of harms arising from processing of personal data, nor does it grant the data principal the right to data portability and the right to be forgotten.
PRS adds that though the data protection act allows transfer of personal data outside India, except to countries notified by the government, this mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed. Also, the short two-year term of appointment of the Data Protection Board members while making them eligible for re-appointment “may affect the independent functioning of the Board”, indicates PRS.
Amar Patnaik, MP from the Biju Janata Dal, a party that supports the government, pointed out that the Act did not refer to “informational privacy”, a term he said was prominently featured in a 2017 Supreme Court judgement that had actually prompted the drafting of the data protection legislation.
S. Niranjan Reddy, MP from YSRCP, another party that provides outside support to the government, said, “The power which has been granted of exempting the government [from the Bill’s provisions]is a little sweeping.” He expressed the fear that there was potential for misuse.
It had been the Department of Personnel, Public Grievances and Pensions that had initiated discussion on the draft version of the Right to Privacy Bill of 2011. The draft had dealt with data protection as well as surveillance reform, but it saw little progress until the following year a group of experts under the Planning Commission was constituted to identify privacy issues that needed to be addressed. Headed by Justice A.P. Shah, the panel recommended a privacy act based on international and national standards.
Thereafter, MeitY formed an Expert Committee on Data Protection in 2017 to “ensure growth of the digital economy, while keeping personal data of citizens secure and protected”. The committee submitted a 176-page report to the MeitY that proposed the Personal Data Protection Bill, 2018. There were ultimately three iterations of the planned law, but it was not until 2022 that the fourth, a new draft version, was finally released for public consultation.
The need for such a law had also arisen following the Supreme Court’s 2017 judgement on the Right to Privacy. Indeed, the apex court had last September questioned the delay in framing a law to protect the data privacy of citizens, despite its declaring the right to privacy a fundamental right in 2017.
