The monsoon session of Parliament this year, starting July 20, will see the introduction of several important bills. One among them is the Digital Personal Data Protection Bill, which will finally set the ball rolling on India's data protection law.
The law has been sought by various sections of society ever since the Right to Privacy was deemed as fundamental – with reasonable restrictions – by the Supreme Court in 2016.
Since then, the idea of a data protection bill has gone through several forms and shapes. The Personal Data Protection Bill was introduced in 2018 and tabled in 2019, after which it was referred to a Joint Parliamentary Committee. The panel studied the bill for two years and presented its report and a modified PDP Bill in December 2021.
However, in 2022, the government withdrew the PDP Bill, citing compliance-related reasons, and then released the Digital Personal Data Protection Bill after a few months.
Since then, the bill has undergone several rounds of consultations, after which changes were incorporated and it finally received the cabinet’s approval, clearing the way for it to be tabled in parliament.
Now that we have the basic lowdown of what the DPDP Bill is and where it came from, let’s look at what it says, the criticism levelled against some provisions, and finally, what happens after it is tabled in parliament.
What are some of DPDP Bill's key features?
- According to the publicly available 2022 draft of the bill, a user has the right to know exactly which data of theirs is being processed or if it is being sold or passed on to another fiduciary who will process the data for other purposes
- The bill introduces the concept of deemed consent, where consent of the data principal for processing his or her data is assumed and does not need to be explicitly sought
- The bill introduces the concept of "whitelisting" countries to which the data of Indian citizens can be transferred
- The bill states that a data fiduciary (platform) cannot track or monitor the behaviour of children. However, the definition of children in the bill as someone below 18 years of age has been a pain point for some companies
- The bill mandates that a platform or any entity that suffers a data breach has to notify each user and also the Data Protection Board, which can levy a penalty of up to Rs 250 crore
- The draft bill has a set of provisions called 'duties of data principal' that asks a user to provide authentic information while claiming rights to erase or correct their data
Lawyers and digital experts have criticised the government for giving itself wide exemptions from provisions of the bill. Retired judge BN Srikrishna, who headed the committee that drafted the PDP Bill in 2018, said the exemptions in the bill were far "worse" when compared to the PDP Bill.
The "deemed consent" clause has been criticised by digital rights groups as it may go against user rights when it comes to data.
Legal experts said the proposed Data Protection Board seems to be "very limited and vague" when compared to those set up by the European Union's General Data Protection Regulation and the UK's Data Protection Act.
Provisions for penalties also fall short of those stated in the European Union's GDPR or similar laws in China, legal experts said.
What have companies said about the DPDP Bill?
Big Tech, including Google, Meta, Twitter, Apple and Microsoft, has sought revision in the definition of a child to mean an individual under the age of 13, instead of 18.
These companies want more clarity on the whitelisting approach when it comes to cross-border data transfer. They suggested that the bill should be revised to state that cross-border data transfer will be permitted anywhere for contractual purposes.
Platforms have taken issue with the definition of "data breach" as "unauthorised processing of personal data."
"Such broad-based reporting may not only flood the DPB with excess information but may also cause undue distress to data principals," an industry body representing Big Tech companies said.
The DPDP Bill also seeks amendment to the RTI Act. This has been criticised by stakeholders who claim that the proposed amendment will "severely restrict" the RTI Act's scope.
Have changes been made based on criticism of the DPDP Bill?
The government has held widespread consultations with companies, academia and civil society regarding issues with the bill.
In an interview with Moneycontrol earlier, Rajeev Chandrasekhar, minister of state for electronics and information technology, acknowledged that certain changes were made to provisions such as deemed consent, cross-border data transfer and so on.
Moneycontrol has exclusively reported on how changes were expected in the structure of the grievance redressal mechanism and in provisions related to the erasure of data stored with platforms.
What happens after the bill is tabled?
The bill can be passed by both houses of parliament and enacted into law. There is a possibility that the bill will be further studied by a parliamentary committee before it goes for voting.
Is this the only bill you should pay attention to?
Well, there is a private member's bill that Hyderabad MP Asaduddin Owaisi is set to table that deals with surveillance and facial recognition.
He will introduce the Remote Biometric Surveillance (Prohibition) Bill "to protect the right to privacy of individuals by prohibiting technologies that use facial recognition and remote biometric surveillance and for matters connected therewith."