Experts wary as data bill set to be tabled
The latest draft retains a clause that allows the government to “exempt any data fiduciary” from the obligations within five years of the law coming into force.
The government will table the Digital Personal Data Protection Bill, 2023 in Parliament on Thursday, according to the Lok Sabha website’s list of business, kicking off a process that experts said needs careful deliberations since draft versions of the legislation had several problems.
Also Read| 36 central, state govt sites faced hacking cases in first half of 2023: Data
The bill has been six years in the making and the latest version would be its fifth, a long-drawn exercise necessitated after previous attempts were deemed inadequate from a privacy rights perspective and being cumbersome from a compliance standpoint.
The bill is meant to lay down guardrails so that digital personal data of Indian citizens is processed “in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”, according to the government’s precis for the Parliament, where a bitter confrontation between the treasury and opposition benches has diminished the window for legislative work.
Also Read| Explained: Digital Personal Data Protection Bill
According to people aware of the provisions of the draft set to be presented in the Lower House, there have been several tweaks since the proposed legislation was uploaded for public feedback in November but the import of these sections, especially the controversial ones, remain the same.
The concerns, two experts said, relate to how the law proposes to exempt privacy protections, the lack of independence of a proposed new data regulator, the penalties that citizens could face in certain instances, and what may be a missed opportunity to restrain companies, especially Big Tech, from compelling users to accept their terms.
“Parliament must thoroughly debate and address concerns that have been flagged with the draft,” said Supreme Court advocate NS Nappinai, who is also a founder of the non-profit Cyber Saathi.
Also Read| House panel’s report seeks speedy adoption of data bill
“The question is whether there will actually be meaningful debate,” said Prateek Waghre, policy director, Internet Freedom Foundation (IFF).
These concerns come at a time when experts in other fields, particularly environment and health, have rued the lack of deliberation in laws cleared by MPs during the ongoing monsoon session. Among these were the forest amendment bill and the Jan Vishwas bill, cleared by Rajya Sabha on Wednesday, and amendments to the biological diversity bill, which was passed on Tuesday.
While the Jan Vishwas Bill has been criticised for giving the pharmaceutical industry immunity from serious violations, the others too have been slammed for undoing protections meant to serve the ecology and tribal populations. All three were cleared after most Opposition MPs, pushing the government for Prime Minister Narendra Modi to speak on the ethnic strife in Manipur, walked out of the House in protest.
Nappinai and Waghre said there were persistent concerns with the versions of the draft data law that have been known. “The nature and manner of exemptions, the independence of the data protection board, the dilution of the RTI, and penalties on principals, especially on complaints, need to be addressed,” Waghre said.
The tweaks from the past version were largely welcomed by the industry, especially the change in clauses that now relax data localisation mandates which, according to companies, would have made critical functions that depend on cloud storage difficult.
The latest draft, according to people aware of the details, retains a clause that allows the government to “exempt any data fiduciary” from the obligations within five years of the law coming into force.
In specified exemptions, privacy obligations will not apply in the case of “certain legitimate uses” --- a classification that includes data processing for “the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed”.
In other words, most – if not all – of government’s processing of data will be excluded from obligations that include taking steps to ensure the data is safe, seeking consent before gathering that data, and notifying a person whose personal data has been breached.
“Clauses permitting central government to exempt certain data fiduciaries from obligations under the Act ---be it for data of users or even children --- ought not to be permitted to form part of the enactment. At best, such provisions ought to be struck down and at the very least the law itself should provide the grounds and limits of such exemptions. These [exemptions] cannot include that which are fundamental to our right of privacy,” said Nappinai.
Similarly, Nappinai added, there were provisions that could let private companies off the hook.
“For a stronger personal data protection law, rights of users to ‘opt out’ of collection of their personal data beyond essential data, without losing their right to use services, is critical and in line with GDPR (Europe’s General Data Protection Regulation. Parliament ought to ensure such inclusion,” said Nappinai.
The new draft too is believed to be silent on opt-out obligations.
Another concern relates to the lack of compensation for people whose personal data has been jeopardised. “Section 43A Information Technology Act will necessarily be deleted upon the DPDP coming into force. The forum and process to ensure compensation to data principals for violation of their rights is critical. Else they will be left adrift and to the long-drawn process of civil proceedings,” Nappinai pointing to a clause in the previous draft – which HT understands has been retained --- that said that all fines will be deposited to the government exchequer.
A fourth concern was over changes to India’s RTI Act. “The blanket exemption of personal data from RTI which was proposed should not be made part of the final law,” she said. The data protection law, in its latest version, the people cited above said, proposed to amend in RTI Act that at present says that any personal data can be disclosed if it serves a larger public interest --- a provision that allows access to information about those in public office.
“These are not exhaustive but critical issues that must be raised with caution on speed and expediency in enacting the law,” Nappinai added.
The government, when it released the draft in November, said the legislation strives to strike a balance between cumbersome compliances for companies and privacy protections, and added that the nature of the clauses is such that future harms can be accounted for. Earlier this week, a government official refused to comment on the matter, saying “it is now parliament’s property”.