The much-awaited draft digital personal data protection Bill leaves many questions unanswered and many concerns unaddressed. The Ministry of Electronics and Information Technology released the draft for public consultations before being introduced in Parliament. The key area of concern is that it gives the government sweeping powers to access personal data in the interest of […]
The much-awaited draft digital personal data protection Bill leaves many questions unanswered and many concerns unaddressed. The Ministry of Electronics and Information Technology released the draft for public consultations before being introduced in Parliament. The key area of concern is that it gives the government sweeping powers to access personal data in the interest of a loosely defined public interest. The section on exemptions, which hands the government the power to exempt any department in the future from the guardrails of the law, is also problematic. The structure and functions of the proposed data protection board, which will act as an arbiter for complaints, also raises suspicion over the government’s intentions. The draft Bill introduces “deemed consent” as grounds for processing personal data in addition to explicit consent. Privacy activists have criticised this because the criteria for what constitutes deemed consent is broad and vague, allowing the processing of personal data without consent for a variety of reasons. The proposed legislation is a successor to the Personal Data Protection Bill of 2019, which ran into rough weather when it was introduced in Parliament and was sent to a Joint Parliamentary Committee before being scrapped earlier this year. Data protection legislation has been in the works since 2017, when the Supreme Court unanimously held the right to privacy as a fundamental right under the Constitution. As per the provisions of the new Bill, the rules that the Data Protection Board and its members must follow will largely be dictated by the central government, thus leading to questions about its independence and effectiveness.
The Bill does away with the restrictions on the transfer of sensitive and critical personal data by companies. Instead, all personal data can be transferred outside to countries or territories approved by the government. But which countries will be approved and based on what factors remains unclear. The earlier Bill had sensitive and critical personal data as subsets of personal data that were subject to more safeguards. This Bill does away with such classifications. If a company does not have reasonable standards to prevent data breaches, it could attract a fine of up to Rs 250 crore. But in what will be a cause for relief for industry, there are fewer limits on how information can flow outside India’s borders, an approach that will make it easy for Indian technology services exporters and those that use cloud services. The inherent design flaws in the previous Bill had resulted in the creation of two parallel universes: one for the private sector where the law would apply with full rigour and another for the government where it is riddled with exemptions and escape clauses. Understandably, the industry bodies have raised concerns over several provisions of the Bill like the inclusion of non-personal data and treating certain social media networks as publishers.