More than six years after the Supreme Court declared privacy as a fundamental right, the government’s move to put in place a credible data protection mechanism has been clumsy, tentative and largely untrustworthy. The final version of the Digital Personal Data Protection Bill, 2023, tabled in the Lok Sabha by IT Minister Ashwini Vaishnaw, raises more concerns than it seeks to address. The key among them is the sweeping powers that it gives to government agencies in all aspects; accessing personal data in the interest of a loosely defined public interest, exempting government departments in the future from the guardrails of the law and total control over the appointment of the Data Protection Board — an adjudicatory body that will deal with privacy-related grievances and disputes. Despite privacy experts flagging several problematic provisions of the earlier draft versions, the Centre has chosen to retain them in the final avatar of the legislation. The impression one gets is that instead of protecting the privacy of citizens, the new legislation may usher in an online censorship regime. Government agencies are exempted from giving an explanation to citizens about the purpose of collecting and processing their data. The Central government will have the right to exempt “any instrumentality of the state” from adverse consequences citing national security, relations with foreign governments, and maintenance of public order among other things.
Data protection legislation has been in the works since 2017 when the apex court unanimously held the right to privacy as a fundamental right under the Constitution.
The Centre made a tentative attempt to formulate a legislation in the past but was forced to withdraw from Parliament an earlier version of the Bill last year following a strong pushback from privacy activists and technology companies. Unless blanket exemptions granted to government agencies are removed, the new legislation will not be able to serve any meaningful purpose. The legislation has witnessed many twists and turns. It was introduced by the Centre in the Lok Sabha in December 2019 and promptly referred to a joint parliamentary committee. It took the panel two years to submit its report, in which it recommended that the clause empowering the Centre to ‘exempt the processing of personal data by a government agency from the application of any or all provisions’ of the Bill should prescribe adequate safeguards to prevent misuse. The Bill was eventually withdrawn in August last year. Striking a balance between recognising the right of individuals to protect their personal data and the need to process that data for lawful purposes will be a litmus test for the legislation. The new law will play a crucial role in India’s trade negotiations with other nations, especially regions like the European Union, whose General Data Protection Rules (GDPR) are among the world’s most exhaustive privacy laws.