The Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha on Thursday, nearly six years after the Supreme Court held privacy a fundamental right under the Constitution. At least three separate iterations of the legislation have been floated in the past, with the most recent version being withdrawn from Parliament a year ago.
The Bill was introduced as a financial Bill, but Electronics and Information Technology Minister Ashwini Vaishnaw informed the Lok Sabha that it was not a money Bill.
That means that the Rajya Sabha will have the same powers as the Lok Sabha. Government sources confirmed that the Bill was an ordinary one that would have to pass through both Houses, brushing aside a claim by Congress MP Manish Tewari, who initially interpreted the legislation as a money Bill that would only require clearance by the Lok Sabha.
The Bill requires companies to better protect digital data taken from individuals (the former being termed ‘data fiduciaries’ and the latter ‘data principals’), by clearly mentioning to them what data are being collected and what they are being used for, appointing and giving contact information for a Data Protection Officer, and giving users the right to delete or modify their personal data. These requirements are similar to the obligations imposed by other data protection laws around the world such as the General Data Protection Regulation of the European Union.
The Bill proposes fines ranging from ₹50 crore to ₹250 crore for companies that fail to protect user data or default on disclosure requirements. Government sources said these fines can be compounded, that is, separate fines can be imposed on the same data fiduciary for each violation.
Additional requirements are to be notified later by the Union government on which firms will be classified as ‘significant’ data fiduciaries; these firms will be subject to more stringent requirements such as undergoing a data audit and conducting ‘Data Protection Impact Assessments’.
The Bill lays the groundwork for the establishment of the Data Protection Board of India (DPBI). Appointments of members will be made by the Union Government through notification.
The Bill leaves many other aspects of its implementation to be specified at a later stage by way of notification in the Gazette of India. These include the day it will come into force, the registration of so-called consent managers who can represent the interests of data principals, the requirements for companies to report data breaches to authorities, timelines for erasing user data, platforms where children above a certain age can sign up without express parental consent, and the modalities of audits for significant data fiduciaries.
The Bill strikes off Section 43A of the Information Technology Act, 2000, which requires companies that mishandle user data to compensate users. Government sources said this was because “compensation is a judicial process”, while ex-gratia payments were at the discretion of the governments, and that legally compensation would have to be awarded through civil tort law.
The Bill provides a wide range of exemptions for the “State and its instrumentalities”. For instance, personal data can be processed “in the interest of sovereignty and integrity of India or security of the State” for “fulfilling any obligation under law”.
While the law requires firms to disclose to users the identity of other firms to which their data would be entrusted for processing, they are explicitly exempted from disclosing the sharing of such data in the case of lawful interception of data.
Everybody has the same obligations under the Bill, even the government, sources told The Hindu in response to these concerns, adding that the exemptions were only in place for cases like medical emergencies, disasters, and so on.
An earlier draft of the Bill was largely approved by the Parliamentary Standing Committee on Communications and Information Technology. Opposition members of the committee over the last week accused the government of obfuscation, pointing out that this Bill had been withdrawn, and that the new one had not been examined by the committee. Prataprao Jadhav, the chair of the committee, confirmed in a statement that the committee’s mandate was restricted to the 2022 draft.
Deputy Leader of the Congress in the Lok Sabha Gaurav Gogoi said this version too should be sent for such an examination. “It is a Bill which impinges on fundamental rights as per the [2017 Supreme Court] Puttaswamy judgment on the right to privacy; it should be sent to the standing committee,” Mr. Gogoi said.
The Bill “empowers the government to access people’s private data, and this is likely to create a surveillance state,” Asaduddin Owaisi, MP from Hyderabad and president of the All India Majlis-e-Ittehadul Muslimeen, said in Parliament, echoing concerns by civil rights groups like the Internet Freedom Foundation that have called out similar exemptions in previous drafts as “fail[ing] to put into place any meaningful safeguards against overbroad surveillance”.
Congress MP Manish Tewari opposed the Bill’s introduction partly on the grounds of these exemptions. The Bill “cleaves” the digital universe into two parts, Mr. Tewari said. “The Bill will apply with full force to all non-governmental organisations, and the entire government universe is going to be exempt from it,” he said, adding that the 2017 judgment stood “assaulted” by the proposed legislation.