Even after the Supreme Court declared privacy as a fundamental right more than six years ago, a robust data protection mechanism is still not in place in India. The Centre made a tentative attempt to formulate a legislation in the past but was forced to withdraw from Parliament an earlier version of the Digital Personal Data Protection Bill last year following a strong pushback from privacy activists and technology companies. Now, a revised draft Bill has been cleared by the union Cabinet. However, the concerns over the overarching powers of government agencies remain unaddressed. The earlier draft had caused a stir as it exempted entities notified by the Centre from giving an explanation to citizens about the purpose of collecting and processing their data. Unless the blanket exemption to government agencies is removed, the new legislation will not be able to serve any meaningful purpose. The proposed legislation has witnessed many twists and turns. It was introduced by the Centre in the Lok Sabha in December 2019 and promptly referred to a joint parliamentary committee. It took the panel two years to submit its report, in which it recommended that the clause empowering the Centre to ‘exempt the processing of personal data by a government agency from the application of any or all provisions’ of the Bill should prescribe adequate safeguards to prevent misuse. The Bill was eventually withdrawn in August last year. Data protection legislation has been in the works since 2017 when the apex court unanimously held the right to privacy as a fundamental right under the Constitution.
Striking a balance between recognising the right of individuals to protect their personal data and the need to process that data for lawful purposes will be a litmus test for the proposed legislation. The Bill, once it becomes law, will play a crucial role in India’s trade negotiations with other nations, especially regions like the European Union, whose General Data Protection Rules (GDPR) are among the world’s most exhaustive privacy laws. The inherent design flaws in the previous Bill had resulted in the creation of two parallel universes: one for the private sector where the law would apply with full rigour and another for the government where it is riddled with exemptions and escape clauses. Understandably, industry bodies have raised concerns over several provisions of the Bill like the inclusion of non-personal data and treating certain social media networks as publishers. The structure and functions of the proposed data protection board, which will act as an arbiter for complaints, also raise suspicion over the government’s intentions. There is also concern that the law could dilute the Right to Information (RTI) Act as the personal data of government functionaries is likely to be protected under it, making it difficult to be shared with RTI applicants.