The Digital Personal Data Protection Bill, 2023 has been successfully passed by the Lok Sabha and the Rajya Sabha as well. The Bill now only need the President’s approval to become a law. Despite the bill’s progress in the Parliament and likely ascent to becoming an Act, it has been the target of substantial criticism, attracting opposition from political parties and various others as well. We’ll briefly cover what these criticisms are.
Before dissecting the flaws within the bill, it’s prudent to trace its trajectory. The foundation for this bill was laid in August 2017 during a landmark case, Justice Justice K.S.Puttaswamy(Retd) vs Union Of India, where the Supreme Court observed that ‘privacy’ is a fundamental right. Following this pivotal legal development, a comprehensive dialogue on privacy unfolded, prompting the Union government to convene an expert committee. This panel was entrusted with the task of forging robust legal frameworks to safeguard personal data, thereby initiating the journey toward the bill’s formation.
Following a period of meticulous deliberation, a preliminary draft of the bill was introduced in the Lok Sabha in December 2019 under the moniker ‘Personal Data Protection Bill, 2019’ However, its debut was met with substantial backlash, necessitating its referral to both a standing committee and a joint parliamentary committee for thorough review. This revaluation was required due to the array of criticisms levelled against it & the political pressure that was exerted. Following the report that was later published, the Union government opted to take back the bill from the parliamentary proceedings in August 2022.
In November 2022, a revised draft was unveiled to the public, carrying several revisions over its precursor which was also considered ‘significantly shortened’. This new iteration of the bill assumed a new name – the ‘Digital Personal Data Protection Bill’ and customary public opinion was solicited. Some changes were made to that draft version as well, which effectively became a third version for the data protection bill. It was given the cabinet’s nod and was presented in the ongoing parliamentary sessions. Consequently, the bill successfully navigated the Lok Sabha and the Rajya Sabha.
Now, let’s focus on the issues in the bill. We considered 5 major issues that needs attention.
Inadequate control on Data Collection
First and foremost issue with the bill is, it won’t substantially change how the Government as well as the private companies collect our data. For eg. Even if we set out to buy a SIM card, we are asked for the Aadhaar Card which has our biometric data as well. Though it is not legally necessary to whip out our Aadhaar for such cases, that has painfully been the norm in most cases. This bill does not demarcate the kind of personal data that need not be collected by a private company or a service provider.
Similarly, there is no such control on the Government entities as well, which would have limited the Government’s data collection power. With proposed new amendments to the Registration of Births and Deaths Act 1969, the Government is making it mandatory to link Aadhaar card to register births and deaths, which essentially means, the Government will ‘track every Indian human across their lifetime from birth to death.’
Increasingly, more people worry that their electronic devices such as phones and laptops, as well as the apps that they use, is listening to their conversation. The phones nowadays are constantly listening to us due to several new voice assistant features such as Siri, Alexa, Bixby and the like. Even if these features are not enabled, users have raised their suspicion that the phones are listening to them. The new bill does not regulate these practices despite it laying down that a consent has to be obtained from the users for collecting their data. Nothing will fundamentally change in this regard, since most companies are already taking user consent right from similar laws were passed in the European Union. The problem however is, its not clear and abstract to an user how much of their data would be collected, processed or saved.
When there is a data breach, which is becoming quite frequent, the affected user would have no compensation. There is a penalty of Rs.250 crores for a data breach, which is a reduction from the earlier proposal of Rs.500 crores, but this would be pocketed by the Union Government’s Consolidated Fund of India. To put it bluntly, the affected users or the victims of the data leak would not be compensated and the penalty if levied would be absorbed by the Government.
Quite recently, there was a data breach in Government’s CO-WIN data which put millions of Indians’ personal data at risk. Several private companies’ user data is breached and leaked quite often but there has not been a proper roadmap to enforce these companies as well as the Government to be more stringent in their data handling, apart from the proposed penalty and a threat of closure.
Weakening of RTI Act
Ever since its inception, RTI Act has been constantly under attack and efforts to undermine its powers is an increasingly tough battle to fight. One of DPDPB 2023’s most substantial criticisms pertains to its potential decapitation of the Right to Information (RTI) Act. The bill’s proposed amendment to section 8 (1) j of the RTI Act 2005 “seeks to exempt all personal information”. Earlier, personal information can be disclosed if the Public Information Officer or the appellate authority is satisfied that the larger public interest justifies the disclosure of such information.
Moreover, the term person is broadly defined in the bill which could be mean any of the following:
(i) an individual; (ii) a Hindu undivided family; (iii) a company; (iv) a firm; (v) an association of persons or a body of individuals, whether incorporated or not; (vi) the State; and (vii) every artificial juristic person, not falling within any of the preceding sub-clauses.
This broad categorisation in this act could also potentially be mixed up with the RTI Act as it does not define ‘person’ with similar detail and could theoretically be used to deny any information through the RTI Act. For eg. If an enormous loan waiver and a write off is given by a public sector bank, the information of the beneficiary may become inaccessible to the public as it could be denied citing grounds on ‘personal information’. Though this example might seem like an extrapolation, the dangers of RTI becoming weakened or toothless is a real threat.
Union Government’s excessive control
The bill’s overarching centralization of power within the Union government also raises questions. The bill proposes a ‘Data Protection Board of India’ for which the chairperson and all its members would be appointed by the Union Government and it has the powers to fix their terms, which raises doubts on its credibility of being independent. With the Enforcement Directorate and the numerous other Government agencies being looked at as a tool to the Government, this would just add to the list. This top-down approach may impede the board’s independence, potentially leading to partiality in its decision-making process.
Absolute freehand for Government
Whatever regulation and improvements the bill proposes, they are focussed solely on the non-Government entities. The Government has an absolute freehand in its data collection, handling and storage. The potential for mishandling of personal data by those in power is a real threat which could result in individuals and opposition leaders being targeted. The bill doesn’t envision to put a blockade for such scenarios. With data handling and data sharing across all government agencies, such potential targeting remains feasible, as well as legal. The daunting threat of an elected Government making the country a surveillance state still exists as the bill does not curb any of the Government’s powers in data collection.
In summary, while the Digital Personal Data Protection Bill advances through legislative channels, it remains encumbered by multifaceted issues and critical shortcomings and is set to become the law. Future amendments to further strengthen citizen’s privacy, which is supposed to be a fundamental right, is a distant dream as of now.