Legal framework for privacy as RS clears digital data bill
While it is unlikely to take long for the bill to receive presidential assent — at which point it becomes law — the next steps will likely pan out over at least a year’s window
The Rajya Sabha passed the Digital Personal Data Protection Bill, 2023 on Wednesday, clearing the way for what will be the first legal framework for privacy, close to six years after it was held as a fundamental right for Indians by the Supreme Court.
A deeply debated piece of legislation, the bill was cleared by a sparsely filled chamber after Opposition MPs walked out in protest of the Chairman of the House not accepting their demands to have the Prime Minister speak on the Manipur issue.
As a result, the hour-long discussion featured members who generally supported the bill, even though some flagged concerns over certain clauses that were nonetheless adopted.
The law was approved by the Lok Sabha on Monday, where the government has the numbers and could repel demands by the Opposition to send it to a standing committee.
On Wednesday, opening the discussion, Union minister for electronics and technology, Ashwini Vaishnaw reiterated that the bill was critical for the protection of information privacy of the 1.4 billion citizens of the country and attacked the Opposition for not engaging in the process.
The law, he added, will lay down crucial obligations for anyone processing an individual’s data based on certain principles (such as that of legality, purpose limitation, data minimisation) and give a person rights, including to get a summary of their personal data an organisation may have and request it to be deleted.
The minister, as he had done in Lok Sabha earlier in the week, rejected some of the criticisms, saying the law fulfils the preconditions laid down in the 2017 Supreme Court ruling that held privacy as a right, and denied the government gave itself any more exemptions than is the approach globally. “Thus, this bill is pro citizens, pro privacy,” he said.
While it is unlikely to take long for the bill to receive presidential assent — at which point it becomes law — the next steps will likely pan out over at least a year’s window, when the government will need to notify protocols related to the law and set up the regulator, the Data Protection Board.
Wednesday’s parliamentary approval to the bill caps a long, turbulent journey that has seen the bill’s text entirely redrawn after being debated at length by a parliamentary committee that took over two years to submit its report. The delay was marked by a wrangle over how to approach privacy protections, compliance obligations and carve-outs for the State.
MPs, civil rights activists and legal experts said in the current shape, the law still has significant problems. Industry representatives, however, have welcomed what they see as light-touch regulation.
“While we are eloquent about data protection, the word I find is missing is privacy,” said Biju Janata Dal (BJD) member Amar Patnaik, who otherwise supported the law and singled out several portions of it for praise.
Patnaik stressed on the need to define harm — which the bill does not — to address potential reputational and bodily harm. “The bill as of now treats harm only when a financial implication can be drawn,” he said.
He added that the exemptions from privacy obligations appeared to be too broad. “I think the proportionality aspect, which is one of the foundations of the Puttaswamy judgment, is not mentioned in this law. Reasonableness, fairness, necessity and proportionality need come in — we may have the least number of exemptions, but they should not be blanket exemptions, but as narrow as possible,” he said.
The next speaker, YSR Congress’s S Niranjan Reddy, too, welcomed the law but flagged the exemptions. “I share Mr Patnaik’s concern on whether this complies with the Puttaswamy judgment. The power to exempt government agencies is sweeping and is possibly capable of misuse,” he said.
Telegu Desam Party’s (TDP) Ravindra Kumar added: “I draw attention to the section relating to legitimate uses. The government has complete power to process data on one pretext or the other. There is concern that the bill promotes state surveillance and there is a need to look at this”.
Vaishnaw, in his reply, said the purpose of this law was data protection and matters relating to surveillance “are always considered as per law and procedures framed by the honourable Supreme Court”.
Experts said the next steps will hold the key. “Procedurally, they will now have to notify, and it is likely to be sequential — with some of it coming into play immediately and some that could take up to two years. The positive is that at least you now have a law,” said NS Nappinai, Supreme Court advocate and founder of Cybersaathi.
“Constitutionally, it is after the notification that we will need to wait and see if it is hauled up. If it is an individual, it can go up to the Supreme Court,” she said, adding that the concerning aspects included refusing privacy protections to someone sharing data voluntarily, the implication on the RTI act, and how the regulator will be appointed.
“It is alarming that over 10 years since India began its journey towards a data protection law, six years after the Indian Supreme Court’s landmark judgment protecting privacy as a fundamental right, and seemingly-ignored rounds of consultation with civil society highlighting the Bill’s many pitfalls, we will have a law that risks our personal data more than the legal vacuum did.The fact that the government rushed the legislation through parliament in barely a week, amidst walkouts, calls for further consultation, and requests to address surveillance reform is a disservice to the people of India and our democracy,” said Raman Jit Singh Chima, Asia Pacific policy director at Access Now.
From a corporate compliance objective, experts said companies will now need to put in work.
“While the provisions of the bill seem to be promising enough to cultivate a secure and safe digital ecosystem, it will be interesting to see how various companies adopt and implement the provisions of the bill in their capacities as data fiduciaries and data processors. In terms of first steps, it will be important for companies to assess the types of personal data they are processing, explore the possibilities of availing any exemptions and flexibilities provided under the bill, re-evaluate their cross-border data transfers, and finally implement the provisions applicable to their business company,” said Harsh Walia, partner at Khaitan & Co.