Data Protection Bill 2023 tabled in Lok Sabha, here's what govt, Oppn are saying
The data protection law started its life as the personal data protection bill as drawn up in August 2018 by a committee headed by former Supreme Court judge.
The Data Protection Bill, 2023 was introduced in the Lok Sabha on Thursday, with several Opposition parliamentarians opposing the move and asking for it to be sent to a standing committee instead, before a voice vote allowed for the legislation to be taken up, with discussions likely over the next few working days.
Also Read| Not bringing in new data protection law as money bill: govt
In the pipeline since 2017, the law is meant to give a legal framework for privacy protections after the Supreme Court held it as a fundamental right for Indian citizens. But the effort has been in knots over clauses that have had to balance privacy, ease of business, and concerns over security.
“With this version, we wanted to create a new template where digital design, digital implementation and digital enforcement can be done,” said a senior government official closely linked with the drafting of the law, asking not to be named.
Experts said the draft retained problematic provisions that give the government too wide a berth in avoiding privacy obligations, allow the state to exempt in the future any entity from the law, and dilute the Right to Information Act.
Industry representatives, on the other hand, welcomed the current shape of the draft law, saying it provided for a simplified framework for individual rights and enterprise obligations.
In the Lok Sabha, opposition MPs largely opposed its introduction.
Also Read| Experts wary as data bill set to be tabled
The data protection law started its life as the personal data protection bill as drawn up in August 2018 by a committee headed by former Supreme Court judge justice BN Srikrishna. The government then tweaked it when it brought it to Parliament in December 2019, with provisions that prompted the Opposition to push for examination by a joint parliamentary committee.
This committee submitted a report with recommendations in 2021 and the government eventually decided to scrap that version of the law, uploading a new draft for public feedback in November 2022.
The proposed legislation has since gone through a complete overhaul, but at its core, it has retained some key features: seeking specific consent for personal data will be mandatory, and people can withdraw that consent; companies have a legal obligation to keep that data safe, and not doing so will incur penalties of up to ₹250 crore.
“Some basic principles of data protection – such as purpose limitation, storage limitation, the principle of data erasure – are accepted the world over. We have covered and gone beyond that by mentioning that notice should be given in Indian languages,” said the official quoted above, identifying it as the first of three main approaches.
“Second was to have a very equitable implementation structure. People in large cities have better access to justice. We thought that we can create a digital way for people to access justice in smaller cities,” this person added.
“And, third, the digital economy is evolving rapidly. Our approach is to have a law that is technology agnostic because tomorrow, we will need to adapt to artificial intelligence and quantum computing.”
Congress MPs Adhir Ranjan Chowdhury, Manish Tewari and Shashi Tharoor moved notices opposing the introduction.
The bill cannot be introduced as a finance bill, its provisions are a complete contradiction to right to privacy, and it divides [privacy obligations] into two parts – one applicable to non-government organisations and another without such requirements for the government, said Tewari.
Others included Nationalist Congress Party (NCP) member Supriya Sule – she said the law creates excessive centralisation and weakens the RTI law --- and Trinamool Congress’s Saugata Roy who said provisions have changed from the version on which the JCP gave its report, therefore making a repeat scrutiny by a joint panel must.
Union IT minister Ashwini Vaishnaw, defending the introduction, said the government was open to a detailed debate on these issues in parliament.
Some experts concernedLegal and civil liberties experts said the clauses were problematic.
“The Supreme Court of India in Justice KS Puttaswamy vs Union of India, while stating that informational privacy is an important facet of the right to privacy under the fundamental right to life, emphasised that the Union government should examine and put into place a robust regime for data protection. We believe that the DPDPB, 2023 falls woefully short of such ideals. It fails to address many data protection concerns and instead puts in place a regime to facilitate the data processing activities of state and private actors,” said a statement by the Internet Freedom Foundation (IFF).
A reading of the draft suggests under Section 17, none of the user’s rights and prerogatives – such as retaining consent -- apply in certain scenarios, such for preventing, detecting, investigating or prosecuting a crime.
There also appears to be blanket immunity from the consent obligation if data is being sought for what the bill frames as “legitimate use”, including subsidies, services, certificates, licenses or permits from any government agency. The privacy protections will also not apply to data that is already with a central government agency.
“Retention of the government’s right to exempt data fiduciaries from complying with critical provisions under the Act including with respect to children’s data is of concern. Such delegation is excessive and untenable. Any exemption ought to be covered under the parent act,” said NS Nappinai, Supreme Court lawyer and founder of Cybersaathi.
“The very purpose of the data protection law is to protect users against indiscriminate collection of data. The draft tabled unfortunately has failed to incorporate the critical ‘opt out’ provision as apprehended, which was essential to ensure such limitation in collection. The present draft limits use but not collection,” she added.
Both IFF and Nappinai also flagged the lack of compensation for individuals, who would otherwise be liable for a ₹10,000 fine for certain duties they are obligated to, such as making sure they submit accurate data while applying for any government document.
“Penalising data principles on over broad provisions like complying with any law and even for complaints about data fiduciaries is misconceived and needs to be addressed,” Nappinai added.
The government official quoted above defended the lack of compensation, saying such a matter was in the judiciary’s domain, and said the ₹250 crore fine would act as an adequate deterrent since these can be applied per instance, potentially allowing the government to slap a fine if a large number of users are affected in one go.
‘Balanced, suited for industry’ Other experts in the industry welcomed the Bill. “We welcome the Digital Personal Data Protection Bill 2023, as it clarifies and simplifies the rights and obligations of data principles and fiduciary/data processors within an overarching framework for consent, privacy, security, and grievance redressal. It embodies the right of individuals to protect their data and the need to process personal data for lawful purposes. We firmly believe Bill will significantly support building a robust, safe, customer-centric digital lending ecosystem,” Sugandh Saxena, chief executive of Fintech Association for Consumer Empowerment (FACE).
“With introduction of detailed legitimate use exceptions to consent, categorisation of Significant Data Fiduciary, and establishment of the Data Protection Board, among others, into the current Indian data privacy framework, the law promises to be more robust and suited for current business requirements. However, there are wide powers still reserved for the Central Government to make exceptions, as under the 2022 version of the bill, raising apprehensions about the potential for unguided and arbitrary rule-making powers under this bill,” said Namita Viswanath, partner at INDUSLAW.
A third expert, too, welcomed the step towards the law coming into effect. “Enterprises will have to review the current ways of working especially for personal data of individuals such as their employees, customers, merchants, vendors, etc. to be able to honour the rights that individuals may exercise, such as right to access, update, erase their personal data etc,” said Manish Sehgal, partner at Deloitte India.