The first week of August marked a significant change with regard to the Data Protection Legislation as the Digital Personal Protection Data Bill was passed by the Rajya Sabha on August 9, 2023.
Personal Data is information that relates to a specific person, and often such data is used by businesses and government entities to deliver goods and services. This data can often be misused in various ways, leading to the important issue of having strong legislation on data protection.
India so far has no law on data protection, and until now, data protection was legalized under the Information Technology Act passed in 2000.
It was back in 2017 that data protection was seen as a serious issue, and a reaffirmation of the right to privacy was brought to light, which further led to the formation of a committee to examine these issues. In 2018, the first report of this committee was submitted followed by the Personal Data Protection Bill being introduced in parliament in 2019. Later, this bill was withdrawn from Parliament in August 2022 for reasons being 81 amendments to be made in the bill to have a comprehensive legal framework and difficulty in compliance of this Bill by startups. Further, a draft bill of DPDP was released in November, 2022 for public consultation and finally, the most awaited Digital Personal Data Protection Bill was introduced in Lok Sabha on 3rd August 2023.
What is the DPDP bill all about?
The DPDP bill focuses on the processing of personal data that is available online or offline in digitized format only for lawful purposes with the consent of the individual. Consent is a voluntary action taken by an individual only when required by states for data usage for licenses, permits, benefits and services. This consent can be withdrawn at any time.
This bill seeks to provide certain rights to individuals in terms of obtaining information about processing, correction and erasure of data and grievance redressal.
There are certain obligations on the part of the government which will be performed by a data fiduciary. It refers to an entity responsible for determining the purpose and means used for processing. It becomes the duty of data fiduciaries to maintain the accuracy of data, keeping data secure and deleting it once the purpose has been fulfilled.
There are certain exemptions provided under this bill for government entities whereby the rights of individuals and duty of data fiduciary will not be applicable especially when it comes to specific areas like the security of the state, public order and prevention of offences.
Along with this, a Data Protection Board of India will be established to adjudicate on matters related to non-compliance with the provisions of the bill.
Which rights have been affected by this bill?
The enactment of the DPDP bill in 2023 is an outcome of debate around the right to privacy. Although the bill appears to protect our right to privacy, it is just a way of legalizing the processing of data for government and private entities.
The Right to Information Act (2005), which seeks to make the government more transparent to us by providing access to government actions and decisions, is being undermined by this bill because, under this bill, it proposes to change Section 8 of this RTI act and exempt the disclosure of all personal information on part of the government. It means that the government can deny sharing personal data even if it relates to public activities or any public welfare schemes.
Moving on to the Right to privacy, which focuses on protecting individuals from government and private entities, shall be affected in situations where states and government agencies are exempted from provisions of this bill leading to data collection, processing, and not deleting the data even after the purpose has been met.
This bill has sought to make the government less transparent to us and individuals more transparent to the government and other private interest groups.
What are the shortcomings of this bill?
The Bill does not regulate any risks of harm arising from the processing of personal data.
The right to data portability, which allows the transfer of data from data fiduciaries and gives more control to individuals, is being denied by this bill. In addition to this right to be forgotten, which provides individuals with the right to limit the disclosure of their data on the internet.
The right to privacy is being violated due to exemptions provided to states and government entities in various security matters.
The short tenure of two years for members of the Data Protection Board of India provides a scope for re-appointment, affecting the independent functioning of the board.
Despite the shortcomings faced by this Bill it serves as India’s Primary Data Protection Framework and provides various rights to individuals leading to protection of individual’s privacy to a certain extent. The need of the hour is to have a detailed discussion about this Bill by the Rajya Sabha to figure out ways through which these shortfalls can be amended.